Malware Analysis Report

2025-06-16 05:30

Sample ID 211207-1ewxysdbbj
Target f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
SHA256 f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
Tags
amadey arkei bazarloader raccoon redline smokeloader default f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper evasion infostealer loader spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae

Threat Level: Known bad

The file f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae was found to be: Known bad.

Malicious Activity Summary

RedLine Payload

Bazar Loader

Amadey

Raccoon

suricata: ET MALWARE Amadey CnC Check-In

RedLine

SmokeLoader

Arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Arkei Stealer Payload

Bazar/Team9 Loader payload

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-07 21:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 21:34

Reported

2021-12-07 21:36

Platform

win10-en-20211104

Max time kernel

152s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"

Signatures

Amadey

trojan amadey

Arkei

stealer arkei

Bazar Loader

loader dropper bazarloader

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

suricata: ET MALWARE Amadey CnC Check-In

suricata

Arkei Stealer Payload

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8DA8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D14A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\143F.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\iitshhh N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\iitshhh N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\143F.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\143F.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\iitshhh N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\3F1A.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8DA8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D14A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 4024 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe
PID 2236 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 2236 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 2236 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 4424 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\143F.exe C:\Users\Admin\AppData\Local\Temp\143F.exe
PID 2236 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B07.exe
PID 2236 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B07.exe
PID 2236 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B07.exe
PID 2236 wrote to memory of 816 N/A N/A C:\Users\Admin\AppData\Local\Temp\8DA8.exe
PID 2236 wrote to memory of 816 N/A N/A C:\Users\Admin\AppData\Local\Temp\8DA8.exe
PID 2236 wrote to memory of 816 N/A N/A C:\Users\Admin\AppData\Local\Temp\8DA8.exe
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 1488 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\iitshhh C:\Users\Admin\AppData\Roaming\iitshhh
PID 2236 wrote to memory of 2732 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2236 wrote to memory of 2732 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2236 wrote to memory of 3596 N/A N/A C:\Users\Admin\AppData\Local\Temp\D14A.exe
PID 2236 wrote to memory of 3596 N/A N/A C:\Users\Admin\AppData\Local\Temp\D14A.exe
PID 2236 wrote to memory of 3596 N/A N/A C:\Users\Admin\AppData\Local\Temp\D14A.exe
PID 2236 wrote to memory of 5112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E214.exe
PID 2236 wrote to memory of 5112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E214.exe
PID 2236 wrote to memory of 5112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E214.exe
PID 5112 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2340 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5112 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 2292 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2292 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2292 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5112 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4936 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4936 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 5112 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 5112 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\E214.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

"C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"

C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe

"C:\Users\Admin\AppData\Local\Temp\f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae.exe"

C:\Users\Admin\AppData\Local\Temp\143F.exe

C:\Users\Admin\AppData\Local\Temp\143F.exe

C:\Users\Admin\AppData\Local\Temp\143F.exe

C:\Users\Admin\AppData\Local\Temp\143F.exe

C:\Users\Admin\AppData\Local\Temp\8B07.exe

C:\Users\Admin\AppData\Local\Temp\8B07.exe

C:\Users\Admin\AppData\Local\Temp\8DA8.exe

C:\Users\Admin\AppData\Local\Temp\8DA8.exe

C:\Users\Admin\AppData\Roaming\iitshhh

C:\Users\Admin\AppData\Roaming\iitshhh

C:\Users\Admin\AppData\Roaming\iitshhh

C:\Users\Admin\AppData\Roaming\iitshhh

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CDA0.dll

C:\Users\Admin\AppData\Local\Temp\D14A.exe

C:\Users\Admin\AppData\Local\Temp\D14A.exe

C:\Users\Admin\AppData\Local\Temp\E214.exe

C:\Users\Admin\AppData\Local\Temp\E214.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"

C:\Users\Admin\AppData\Local\Temp\FC15.exe

C:\Users\Admin\AppData\Local\Temp\FC15.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Users\Admin\AppData\Local\Temp\3F1A.exe

C:\Users\Admin\AppData\Local\Temp\3F1A.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

Network

Country Destination Domain Proto
US 52.109.8.20:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 45.61.188.31:443 tcp
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
RU 185.186.142.166:80 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 unicupload.top udp
DE 8.209.106.57:80 unicupload.top tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
HU 91.219.236.27:80 tcp
NL 109.234.38.101:25717 tcp
HU 91.219.236.27:80 tcp
MD 94.158.245.167:80 tcp
MD 94.158.245.167:80 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
HU 185.163.204.216:80 185.163.204.216 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
MD 94.158.245.147:80 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 infinity-cheats.com udp
NL 45.141.159.64:80 infinity-cheats.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 194.85.248.229:30260 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
SC 185.215.113.35:80 185.215.113.35 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
MD 94.158.245.147:80 tcp
NL 195.133.18.126:80 195.133.18.126 tcp
MD 94.158.245.147:80 tcp

Files

memory/4024-118-0x0000000000861000-0x0000000000872000-memory.dmp

memory/4024-119-0x0000000000030000-0x0000000000039000-memory.dmp

memory/4336-120-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4336-121-0x0000000000402F47-mapping.dmp

memory/2236-122-0x0000000000D20000-0x0000000000D36000-memory.dmp

memory/4424-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\143F.exe

MD5 0632c821ea5bbadb6d2103a007ee4689
SHA1 8216bc0a376f467bf7b071648a13cbe7003d4569
SHA256 f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
SHA512 04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

memory/4424-126-0x0000000000581000-0x0000000000592000-memory.dmp

memory/4584-128-0x0000000000402F47-mapping.dmp

memory/2236-130-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/648-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8B07.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

memory/816-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8DA8.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

memory/816-137-0x0000000000E50000-0x0000000000EB9000-memory.dmp

memory/816-139-0x0000000002E40000-0x0000000002E85000-memory.dmp

memory/648-140-0x0000000001F80000-0x000000000200F000-memory.dmp

memory/816-141-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/816-142-0x0000000074D30000-0x0000000074EF2000-memory.dmp

memory/816-143-0x0000000074AB0000-0x0000000074BA1000-memory.dmp

memory/816-144-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/816-146-0x0000000073530000-0x00000000735B0000-memory.dmp

memory/816-147-0x0000000006060000-0x0000000006061000-memory.dmp

memory/816-148-0x0000000003740000-0x0000000003741000-memory.dmp

memory/816-149-0x0000000005A50000-0x0000000005A51000-memory.dmp

memory/816-150-0x00000000058D0000-0x00000000058D1000-memory.dmp

memory/816-151-0x0000000075620000-0x0000000075BA4000-memory.dmp

memory/648-153-0x0000000000400000-0x0000000000491000-memory.dmp

memory/816-154-0x0000000005A40000-0x0000000005A41000-memory.dmp

memory/816-152-0x0000000076520000-0x0000000077868000-memory.dmp

memory/816-155-0x0000000005910000-0x0000000005911000-memory.dmp

memory/816-156-0x00000000730D0000-0x000000007311B000-memory.dmp

C:\Users\Admin\AppData\Roaming\iitshhh

MD5 0632c821ea5bbadb6d2103a007ee4689
SHA1 8216bc0a376f467bf7b071648a13cbe7003d4569
SHA256 f8992764ad4be6c6c315be9b97796463abd997e534ee18b3446463a2a556b3ae
SHA512 04458d753bd6db1cef4b0536cd2f680555a2e7506e03310799f6fd8914bc7102afb1d55f841e1f9066c5a4028130cb92deeaaf41075a0e7804e3a6b05f48af3c

memory/816-159-0x0000000006B70000-0x0000000006B71000-memory.dmp

memory/816-160-0x0000000005C40000-0x0000000005C41000-memory.dmp

memory/816-161-0x0000000005D60000-0x0000000005D61000-memory.dmp

memory/816-162-0x0000000005D40000-0x0000000005D41000-memory.dmp

memory/816-163-0x0000000006840000-0x0000000006841000-memory.dmp

memory/816-165-0x0000000007340000-0x0000000007341000-memory.dmp

memory/816-166-0x0000000007A40000-0x0000000007A41000-memory.dmp

memory/2460-168-0x0000000000402F47-mapping.dmp

memory/2732-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CDA0.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

\Users\Admin\AppData\Local\Temp\CDA0.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

memory/2236-173-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

memory/3596-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D14A.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

memory/3596-177-0x0000000000300000-0x00000000003B2000-memory.dmp

memory/3596-178-0x0000000000400000-0x0000000000401000-memory.dmp

memory/3596-179-0x0000000074D30000-0x0000000074EF2000-memory.dmp

memory/3596-180-0x0000000074AB0000-0x0000000074BA1000-memory.dmp

memory/3596-181-0x0000000000300000-0x0000000000301000-memory.dmp

memory/3596-183-0x0000000002720000-0x0000000002765000-memory.dmp

memory/3596-184-0x0000000074390000-0x0000000074410000-memory.dmp

memory/3596-189-0x0000000075620000-0x0000000075BA4000-memory.dmp

memory/3596-190-0x0000000076520000-0x0000000077868000-memory.dmp

memory/3596-191-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/3596-192-0x0000000073720000-0x000000007376B000-memory.dmp

memory/3596-193-0x0000000005170000-0x0000000005171000-memory.dmp

memory/5112-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E214.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\E214.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2340-198-0x0000000000000000-mapping.dmp

memory/5112-199-0x0000000002070000-0x00000000020A9000-memory.dmp

memory/5112-200-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1492-202-0x0000000000000000-mapping.dmp

memory/5084-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2292-209-0x0000000000000000-mapping.dmp

memory/4744-210-0x0000000000000000-mapping.dmp

memory/4936-211-0x0000000000000000-mapping.dmp

memory/3540-213-0x0000000000000000-mapping.dmp

memory/3560-212-0x0000000000000000-mapping.dmp

memory/3596-216-0x00000000067F0000-0x00000000067F1000-memory.dmp

memory/396-217-0x0000000000000000-mapping.dmp

memory/720-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\FC15.exe

MD5 17d7d479f8344ca0f015eb789155334c
SHA1 ab3075bae5babff2f0c513479a9a7dee2c5244dd
SHA256 dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec
SHA512 cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

C:\Users\Admin\AppData\Local\Temp\FC15.exe

MD5 17d7d479f8344ca0f015eb789155334c
SHA1 ab3075bae5babff2f0c513479a9a7dee2c5244dd
SHA256 dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec
SHA512 cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

memory/720-223-0x0000000000628000-0x0000000000646000-memory.dmp

memory/2988-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\88340284281526874389

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4852-225-0x0000000000000000-mapping.dmp

memory/1348-226-0x0000000000000000-mapping.dmp

memory/940-227-0x0000000000000000-mapping.dmp

memory/720-228-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1584-229-0x0000000000000000-mapping.dmp

memory/2988-231-0x0000000000600000-0x000000000074A000-memory.dmp

memory/2988-232-0x0000000000400000-0x0000000000515000-memory.dmp

memory/2732-234-0x00000000022D0000-0x00000000022D2000-memory.dmp

memory/2732-233-0x00000000022D0000-0x00000000022D2000-memory.dmp

memory/2072-235-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3F1A.exe

MD5 dae9362b118838d3781ed2521e9a4b08
SHA1 cc5cb0931066b81ce1c07291262e95826bd1b515
SHA256 bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d
SHA512 d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

C:\Users\Admin\AppData\Local\Temp\3F1A.exe

MD5 dae9362b118838d3781ed2521e9a4b08
SHA1 cc5cb0931066b81ce1c07291262e95826bd1b515
SHA256 bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d
SHA512 d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

memory/2732-238-0x0000000002890000-0x00000000028D0000-memory.dmp

memory/2072-239-0x0000000001420000-0x000000000156A000-memory.dmp

memory/2072-240-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-241-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-242-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-243-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/2072-244-0x0000000074D30000-0x0000000074EF2000-memory.dmp

memory/2072-245-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-246-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-247-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-248-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-249-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-250-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-252-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2072-251-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

memory/2072-253-0x0000000000BB0000-0x0000000000F7B000-memory.dmp

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/3956-258-0x000000000063E000-0x000000000065C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88340284281526874389

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3956-260-0x00000000004B0000-0x00000000005FA000-memory.dmp

memory/3956-261-0x0000000000400000-0x000000000045E000-memory.dmp