Malware Analysis Report

2025-01-02 09:58

Sample ID 210919-1g9ltsfbfj
Target 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b
SHA256 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b
Tags
raccoon redline smokeloader new777 udp backdoor discovery evasion infostealer spyware stealer themida trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b was found to be: Known bad.

Malicious Activity Summary

RedLine Payload

Raccoon

SmokeLoader

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Checks BIOS information in registry

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-19 21:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-19 21:38

Reported

2021-09-19 21:41

Platform

win10v20210408

Max time kernel

151s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8103.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8103.exe N/A

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8103.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D99.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\199b1g.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egdaffa N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egdaffa N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egdaffa N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egdaffa N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77EA.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9D99.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8A6B.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\199b1g.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D99.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe
PID 3024 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\77EA.exe
PID 3024 wrote to memory of 3612 N/A N/A C:\Users\Admin\AppData\Local\Temp\8103.exe
PID 3024 wrote to memory of 904 N/A N/A C:\Users\Admin\AppData\Local\Temp\873E.exe
PID 3024 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A6B.exe
PID 3024 wrote to memory of 1844 N/A N/A C:\Users\Admin\AppData\Local\Temp\93D3.exe
PID 1048 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\8A6B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 3520 N/A N/A C:\Users\Admin\AppData\Local\Temp\9896.exe
PID 3024 wrote to memory of 3940 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D99.exe
PID 904 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\873E.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1844 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\93D3.exe C:\Users\Admin\AppData\Local\Temp\199b1g.exe
PID 1844 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\93D3.exe C:\Users\Admin\AppData\Local\Temp\test.exe
PID 1844 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\93D3.exe C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe
PID 1048 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8A6B.exe C:\Users\Admin\AppData\Local\Temp\8A6B.exe
PID 4076 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\199b1g.exe C:\Users\Admin\AppData\Local\Temp\199b1g.exe
PID 940 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Users\Admin\AppData\Roaming\8473803.scr
PID 4304 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Roaming\egdaffa C:\Users\Admin\AppData\Roaming\egdaffa

Processes

Process / Command line

C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe"

C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b.exe"

C:\Users\Admin\AppData\Local\Temp\77EA.exe
    C:\Users\Admin\AppData\Local\Temp\77EA.exe

C:\Users\Admin\AppData\Local\Temp\8103.exe
    C:\Users\Admin\AppData\Local\Temp\8103.exe

C:\Users\Admin\AppData\Local\Temp\873E.exe
    C:\Users\Admin\AppData\Local\Temp\873E.exe

C:\Users\Admin\AppData\Local\Temp\8A6B.exe
    C:\Users\Admin\AppData\Local\Temp\8A6B.exe

C:\Users\Admin\AppData\Local\Temp\93D3.exe
    C:\Users\Admin\AppData\Local\Temp\93D3.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
    (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -s 20)

C:\Users\Admin\AppData\Local\Temp\9896.exe
    C:\Users\Admin\AppData\Local\Temp\9896.exe

C:\Users\Admin\AppData\Local\Temp\9D99.exe
    C:\Users\Admin\AppData\Local\Temp\9D99.exe

C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\873E.exe"

C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\199b1g.exe
    "C:\Users\Admin\AppData\Local\Temp\199b1g.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe
    "C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe"

C:\Users\Admin\AppData\Local\Temp\8A6B.exe
    C:\Users\Admin\AppData\Local\Temp\8A6B.exe

C:\Users\Admin\AppData\Local\Temp\199b1g.exe
    "C:\Users\Admin\AppData\Local\Temp\199b1g.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 924

C:\Users\Admin\AppData\Roaming\8473803.scr
    "C:\Users\Admin\AppData\Roaming\8473803.scr" /S

C:\Users\Admin\AppData\Roaming\egdaffa
    C:\Users\Admin\AppData\Roaming\egdaffa

C:\Users\Admin\AppData\Roaming\egdaffa
    C:\Users\Admin\AppData\Roaming\egdaffa

Network


Files

C:\Users\Admin\AppData\Local\Temp\77EA.exe

C:\Users\Admin\AppData\Local\Temp\8103.exe

C:\Users\Admin\AppData\Local\Temp\873E.exe

C:\Users\Admin\AppData\Local\Temp\8A6B.exe

C:\Users\Admin\AppData\Local\Temp\93D3.exe

C:\Users\Admin\AppData\Local\Temp\9896.exe

C:\Users\Admin\AppData\Local\Temp\9D99.exe

\Users\Admin\AppData\LocalLow\sqlite3.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

C:\Users\Admin\AppData\Local\Temp\test.exe

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/2732-241-0x0000000000400000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/2732-242-0x000000000041C5E2-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8A6B.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

memory/2376-245-0x0000000003453000-0x0000000003454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe

MD5 9dfcf7fcbab5aa6c1fdecb718f7840ea
SHA1 c6e6043f50475555268124cda0c120f0911c1c38
SHA256 953dd899dedad266fe3d21f1382bd96be78f051ff3d260926c250044a65d4d1d
SHA512 625358f1f7b4012dee0dd09a61abddf47ed830fcf1a065c7c092813546dc53dbfe65b8a7daec63e391cf6ed7505b04dfd252e7f69f332e86e3124efa8ca1d595

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8A6B.exe.log

MD5 9e7845217df4a635ec4341c3d52ed685
SHA1 d65cb39d37392975b038ce503a585adadb805da5
SHA256 d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
SHA512 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

memory/4076-248-0x0000000005050000-0x000000000554E000-memory.dmp

memory/940-249-0x000000001B210000-0x000000001B212000-memory.dmp

memory/2432-254-0x000000000041C5DA-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/2732-266-0x0000000004EF0000-0x00000000054F6000-memory.dmp

memory/2432-270-0x0000000005060000-0x0000000005666000-memory.dmp

memory/1988-271-0x00000000006D0000-0x0000000000700000-memory.dmp

memory/1988-272-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1988-274-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/1856-276-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\8473803.scr

MD5 87ab55c2316e05567d9c45f77028da15
SHA1 8a159e4b3afda505bb1b4665b2be856d5804cfea
SHA256 fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20
SHA512 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16

C:\Users\Admin\AppData\Roaming\8473803.scr

MD5 87ab55c2316e05567d9c45f77028da15
SHA1 8a159e4b3afda505bb1b4665b2be856d5804cfea
SHA256 fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20
SHA512 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16

memory/1988-289-0x0000000004A42000-0x0000000004A43000-memory.dmp

memory/1988-291-0x0000000004A43000-0x0000000004A44000-memory.dmp

memory/1988-292-0x0000000004A44000-0x0000000004A46000-memory.dmp

memory/1856-295-0x0000000004950000-0x0000000004951000-memory.dmp

C:\Users\Admin\AppData\Roaming\egdaffa

MD5 ac5c726ffb5cf33db2c098e3a13cc0f6
SHA1 39dfec9b71a86ca5f181b34994057de8246305c3
SHA256 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b
SHA512 26e2cbc0e5f8bad4006297fe901934d31e6cdf6110dab9098c1fc295228b7c706c0900353a5f2a66ce41e440d6b36981ea0d8b5754242ac73f41a094b884ba88

C:\Users\Admin\AppData\Roaming\egdaffa

MD5 ac5c726ffb5cf33db2c098e3a13cc0f6
SHA1 39dfec9b71a86ca5f181b34994057de8246305c3
SHA256 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b
SHA512 26e2cbc0e5f8bad4006297fe901934d31e6cdf6110dab9098c1fc295228b7c706c0900353a5f2a66ce41e440d6b36981ea0d8b5754242ac73f41a094b884ba88

memory/4336-327-0x0000000000402DCE-mapping.dmp

C:\Users\Admin\AppData\Roaming\egdaffa

MD5 ac5c726ffb5cf33db2c098e3a13cc0f6
SHA1 39dfec9b71a86ca5f181b34994057de8246305c3
SHA256 3a8d2d0602abd2eaac85cfbfe946ae302bd939a4df7358222b40ec3490ad5d8b
SHA512 26e2cbc0e5f8bad4006297fe901934d31e6cdf6110dab9098c1fc295228b7c706c0900353a5f2a66ce41e440d6b36981ea0d8b5754242ac73f41a094b884ba88

memory/3024-329-0x0000000000DA0000-0x0000000000DB5000-memory.dmp