Malware Analysis Report

2025-06-16 05:30

Sample ID 211207-3svcdsdffn
Target a4822c960055c8c34fcc130bae6f0d86.exe
SHA256 f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969
Tags
smokeloader backdoor trojan amadey bazarloader bitrat raccoon redline f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 dropper infostealer loader stealer suricata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969

Threat Level: Known bad

The file a4822c960055c8c34fcc130bae6f0d86.exe was found to be: Known bad.

Malicious Activity Summary

suricata: ET MALWARE Amadey CnC Check-In

BitRAT

BitRAT Payload

RedLine

RedLine Payload

Amadey

Bazar Loader

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Raccoon

SmokeLoader

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Bazar/Team9 Loader payload

Executes dropped EXE

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-07 23:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 23:47

Reported

2021-12-07 23:49

Platform

win7-en-20211014

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1916 set thread context of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
(62 further rows recorded with no description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
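The rows above show PID 1916 writing into PID 2040 and, in the SetThreadContext table, setting that process's thread context; both PIDs carry the same image path. That is the self-hollowing pattern: the sample starts a second copy of itself, overwrites its memory and redirects execution into the written code. The Files section records a dump of the child's 0x400000-0x409000 region and a mapping dump taken at 0x402F47 inside it, and behavioral2 repeats the pattern with PID 2040 writing into 3916. The script below is an added example, not part of the sandbox output or this report; it parses rows in the format these tables use (a constructed copy of the rows above) and flags a source/target pair as hollowing when it has both a memory write and a SetThreadContext and the two image paths match. Pairs whose parent the trace did not attribute (PID 1276 writing into 453A.exe) are reported separately.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from this report's behavioral1
# "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory"
# tables, in the report's own "Description Indicator Process Target" column order.
SAMPLE_ROWS = r"""
PID 1916 set thread context of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1916 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
PID 1276 wrote to memory of 1124 N/A N/A C:\Users\Admin\AppData\Local\Temp\453A.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)


def parse_rows(text):
    """Parse report rows into dicts; lines that do not match the row format are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def analyze(text):
    """Group rows by (source PID, target PID) and classify the injection pattern."""
    pairs = defaultdict(lambda: {"ops": set(), "writes": 0, "process": "N/A", "target": "N/A"})
    for r in parse_rows(text):
        p = pairs[(int(r["src"]), int(r["dst"]))]
        p["ops"].add(r["op"])
        if r["op"] == "wrote to memory of":
            p["writes"] += 1
        if r["process"] != "N/A":
            p["process"] = r["process"]
        if r["target"] != "N/A":
            p["target"] = r["target"]

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        wrote = "wrote to memory of" in p["ops"]
        ctx = "set thread context of" in p["ops"]
        if wrote and ctx and p["process"] == p["target"]:
            # Write + SetThreadContext into a child running the same image: hollowing.
            verdict = "process hollowing: write + SetThreadContext into a child with the same image"
        elif wrote and ctx:
            verdict = "injection: write + SetThreadContext into a different image"
        elif wrote and p["process"] == "N/A":
            verdict = "cross-process write from a parent the trace did not attribute"
        else:
            verdict = "cross-process write"
        findings.append({"src": src, "dst": dst, "writes": p["writes"],
                         "process": p["process"], "target": p["target"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f['src']} -> {f['dst']} ({f['writes']} writes): {f['verdict']}")
```

Paste either WriteProcessMemory table together with the matching SetThreadContext rows into `SAMPLE_ROWS` to run it over the whole detonation; the write count per pair is kept because a hollowing sequence normally shows several writes (headers, sections, PEB) before the single context change.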

Processes

C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

C:\Users\Admin\AppData\Local\Temp\453A.exe

C:\Users\Admin\AppData\Local\Temp\453A.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
RU 185.186.142.166:80 tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp

Files

memory/1916-55-0x0000000000308000-0x0000000000319000-memory.dmp

memory/2040-57-0x0000000000402F47-mapping.dmp

memory/2040-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2040-58-0x0000000075D41000-0x0000000075D43000-memory.dmp

memory/1916-59-0x0000000000020000-0x0000000000029000-memory.dmp

memory/1276-60-0x0000000002A80000-0x0000000002A96000-memory.dmp

memory/1124-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\453A.exe

MD5 920c3a4f66ff3fdea72b5d0c0d95167d
SHA1 e302969de3ddeaa3483581cc6ba935df25454b99
SHA256 4d30f8dc90c1f482a0fefe6160c4f4271c211539b14d0a181998969132efce82
SHA512 3b76b17d0328e2707e67d12ac092b510399ee3601ae7ece9c0e1b1366e377fb9bd3bb6fb82a3788e1702839408d44034887b106b82183d0d995de6623eeaefa6

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-07 23:47

Reported

2021-12-07 23:49

Platform

win10-en-20211104

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

Signatures

Amadey

trojan amadey

Bazar Loader

loader dropper bazarloader

BitRAT

trojan bitrat

BitRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

suricata: ET MALWARE Amadey CnC Check-In

suricata

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\1713683155.pri C:\Windows\System32\fodhelper.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6E56.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6E56.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6E56.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe -wdkill\uf500" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
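The six rows above are the fodhelper UAC bypass being staged. fodhelper.exe is a Windows binary that auto-elevates without a consent prompt and opens the ms-settings: protocol; the handler lookup consults HKCU\Software\Classes before HKLM, so a per-user ms-settings\shell\open\command key whose DelegateExecute value exists and is empty makes fodhelper start whatever the (Default) value names, at high integrity. Here RegAsm.exe writes "RegAsm.exe -wdkill" into that value, and the process list for this run later shows fodhelper.exe starting, followed by RegAsm.exe -wdkill. The detection below is an added example, not from the sandbox or this report, run over a constructed event stream modelled on those rows and process entries (the timestamps are assumed; the report gives none): it fires on a write to the (Default) value of that key in a user hive, raises severity when an auto-elevating binary starts within a window, and confirms the bypass when a later process's command line equals the written value. The list of auto-elevating binaries is an assumption; fodhelper.exe is the one this report shows.

```python
import re

# Per-user hive prefixes as they appear in sandbox traces, Sysmon and reg.exe output.
USER_HIVE = re.compile(r"^(\\REGISTRY\\USER\\|HKEY_USERS\\|HKCU\\|HKEY_CURRENT_USER\\)", re.I)
HIJACK_KEY = re.compile(r"\\ms-settings\\shell\\open\\command$", re.I)
# Assumption: auto-elevating binaries that resolve the ms-settings: handler through
# the per-user Classes hive first. fodhelper.exe is the one this report shows.
AUTO_ELEVATE = ("fodhelper.exe", "computerdefaults.exe")

CLASSES = r"\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HIJACK = CLASSES + r"\ms-settings\shell\open\command"

# Constructed event stream modelled on this report's "Modifies registry class" rows
# and the fodhelper.exe / "RegAsm.exe -wdkill" entries in its process list.
# t = seconds since detonation start (assumed; the report carries no timestamps).
SAMPLE_EVENTS = [
    {"t": 0, "kind": "reg_create", "image": REGASM, "target": HIJACK},
    {"t": 0, "kind": "reg_set", "image": REGASM, "target": HIJACK, "name": "", "value": REGASM + " -wdkill"},
    {"t": 0, "kind": "reg_set", "image": REGASM, "target": HIJACK, "name": "DelegateExecute", "value": ""},
    {"t": 1, "kind": "proc_create", "image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": r'"C:\Windows\System32\fodhelper.exe"'},
    {"t": 2, "kind": "proc_create", "image": REGASM, "cmdline": '"%s" -wdkill' % REGASM},
    # Constructed benign noise: a per-user file association written by an installer.
    {"t": 5, "kind": "reg_set", "image": r"C:\Program Files\Example\setup.exe",
     "target": CLASSES + r"\.txt", "name": "", "value": "txtfile"},
]


def _norm(cmd):
    """Compare command lines ignoring quoting, spacing and case."""
    return " ".join(cmd.replace('"', "").split()).lower()


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_ms_settings_bypass(events, window_s=120):
    """Correlate: (Default) of the per-user ms-settings command key written ->
    auto-elevating binary launched within window_s -> a process whose command
    line equals the written value (the payload running through the hijacked handler)."""
    events = sorted(events, key=lambda e: e["t"])
    findings = []
    for i, e in enumerate(events):
        # Only the (Default) value (empty name) of ...\command holds the command to run.
        if e["kind"] != "reg_set" or e.get("name", "") != "":
            continue
        if not (USER_HIVE.match(e["target"]) and HIJACK_KEY.search(e["target"])):
            continue
        later = events[i + 1:]
        trigger = next((x for x in later if x["kind"] == "proc_create"
                        and _basename(x["image"]) in AUTO_ELEVATE
                        and x["t"] - e["t"] <= window_s), None)
        since = trigger["t"] if trigger else e["t"]
        executed = any(x["kind"] == "proc_create" and x["t"] >= since
                       and _norm(x["cmdline"]) == _norm(e["value"]) for x in later)
        findings.append({
            "staged_by": e["image"],
            "hijack_key": e["target"],
            "payload_cmd": e["value"],
            "trigger": trigger["image"] if trigger else None,
            "payload_executed": executed,
            "severity": "high" if trigger else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_ms_settings_bypass(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['staged_by']} staged {f['payload_cmd']!r}; "
              f"trigger={f['trigger']} executed={f['payload_executed']}")
```

The key write alone is already worth an alert (no legitimate software registers a per-user ms-settings handler), which is why the finding is emitted at medium severity even when no auto-elevating launch follows; on a live host the same check is a registry query for that key under the user's Classes hive.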

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
(62 further rows recorded with no description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FC15.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2040 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
PID 2156 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2156 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2156 wrote to memory of 2300 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2300 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\6E56.exe C:\Users\Admin\AppData\Local\Temp\6E56.exe
PID 2156 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BD.exe
PID 2156 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BD.exe
PID 2156 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BD.exe
PID 2156 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\874F.exe
PID 2156 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\874F.exe
PID 2156 wrote to memory of 1432 N/A N/A C:\Users\Admin\AppData\Local\Temp\874F.exe
PID 2156 wrote to memory of 2972 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2156 wrote to memory of 2972 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2156 wrote to memory of 1072 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE1E.exe
PID 2156 wrote to memory of 1072 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE1E.exe
PID 2156 wrote to memory of 1072 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE1E.exe
PID 2156 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe
PID 2156 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe
PID 2156 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe
PID 2160 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 3128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2728 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2728 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2160 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 4048 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4048 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4048 wrote to memory of 972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2160 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2328 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2160 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3204 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3204 wrote to memory of 3160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2160 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 2160 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 2160 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\DD90.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 3252 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe C:\Windows\SysWOW64\cmd.exe
PID 3252 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe

"C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"

C:\Users\Admin\AppData\Local\Temp\6E56.exe

C:\Users\Admin\AppData\Local\Temp\6E56.exe

C:\Users\Admin\AppData\Local\Temp\6E56.exe

C:\Users\Admin\AppData\Local\Temp\6E56.exe

C:\Users\Admin\AppData\Local\Temp\84BD.exe

C:\Users\Admin\AppData\Local\Temp\84BD.exe

C:\Users\Admin\AppData\Local\Temp\874F.exe

C:\Users\Admin\AppData\Local\Temp\874F.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C9B8.dll

C:\Users\Admin\AppData\Local\Temp\CE1E.exe

C:\Users\Admin\AppData\Local\Temp\CE1E.exe

C:\Users\Admin\AppData\Local\Temp\DD90.exe

C:\Users\Admin\AppData\Local\Temp\DD90.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Users\Admin\AppData\Local\Temp\FC15.exe

C:\Users\Admin\AppData\Local\Temp\FC15.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F

C:\Users\Admin\AppData\Local\Temp\13F4.exe

C:\Users\Admin\AppData\Local\Temp\13F4.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" -wdkill
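The process list above shows the chain that installs tkools.exe: DD90.exe runs cacls with /P Admin:N on the file and its directory under Temp (the echo Y pipe answers cacls' confirmation prompt) and then /P Admin:R /E, so the logged-on user is left with read access only and cannot simply delete them; REG ADD repoints the Startup entry of User Shell Folders at that directory, so Explorer runs its contents at logon; and schtasks creates a task that starts tkools.exe every minute, which restarts it almost immediately if it is killed. regsvr32 /s loading C9B8.dll from Temp appears in the same run. The script below is an added example, not part of the sandbox output or this report: it classifies command lines (a constructed list copied from the entries above plus one benign daily task, not from the report, for contrast) and reports the full chain when the redirected Startup directory also holds the minute-interval task target and the ACL-locked files. The "user-writable directory" pattern and the five-minute threshold are assumptions.

```python
import re

# Constructed sample: command lines from this report's behavioral2 process list,
# plus one benign scheduled task (not from the report) for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"',
    r'CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"',
    r'CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E',
    r'CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"',
    r'CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E',
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"'
    ' /f /v Startup /t REG_SZ /d C:\\Users\\Admin\\AppData\\Local\\Temp\\60bb09348e\\',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C9B8.dll',
    r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',
]

CACLS_RE = re.compile(r'\bI?CACLS\s+"([^"]+)"\s+/P\s+"([^:"]+):([A-Z])"', re.I)
SHELL_FOLDER_RE = re.compile(
    r'\bREG\s+ADD\s+"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"'
    r'.*?/v\s+(\w+).*?/d\s+(\S+)', re.I)
REGSVR_RE = re.compile(r'\bregsvr32(?:\.exe)?"?\s+(?:/[a-z]+\s+)*"?([^"\s]+\.dll)', re.I)
# Assumption: directories a standard user can write to; a payload started from one
# of them by a task or a redirected shell folder is the suspicious case.
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|ProgramData|Users\\Public)\\', re.I)


def tokens(cmd):
    """Split a cmd.exe-style command line, honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def flags(cmd):
    """Map /FLAG -> following argument ('' when the flag stands alone)."""
    toks, out = tokens(cmd), {}
    for i, t in enumerate(toks):
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("/") else ""
            out[t.upper()] = nxt
    return out


def classify(cmd):
    """Return (tag, path) findings for one command line."""
    found = []
    m = CACLS_RE.search(cmd)
    if m:
        path, _user, perm = m.groups()
        # "/P user:N" revokes all of that user's rights on the dropped file or directory;
        # "/P user:R /E" then adds read-only back. "echo Y|" answers the cacls prompt.
        found.append(("acl_deny_self" if perm.upper() == "N" else "acl_restrict", path))
    m = SHELL_FOLDER_RE.search(cmd)
    if m:
        name, path = m.groups()
        # Repointing the Startup shell folder runs everything in the new directory at
        # logon without touching the Run keys most tools look at first.
        found.append(("startup_folder_redirect" if name.lower() == "startup"
                      else "shell_folder_redirect", path))
    low = cmd.lower()
    if re.search(r'\bschtasks(?:\.exe)?"?\s', low) and "/create" in low:
        f = flags(cmd)
        target, sched = f.get("/TR", ""), f.get("/SC", "").upper()
        every = int(f.get("/MO") or 1)
        tag = "scheduled_task"
        if sched == "MINUTE" and every <= 5 and USER_WRITABLE.search(target):
            tag = "scheduled_task_minute_user_writable"  # relaunches the payload within minutes of a kill
        found.append((tag, target))
    m = REGSVR_RE.search(cmd)
    if m and USER_WRITABLE.search(m.group(1)):
        found.append(("regsvr32_dll_from_user_writable", m.group(1)))
    return found


def triage(cmdlines):
    """Aggregate findings and link Startup redirect, minute task and ACL lock-down."""
    per = {}
    for c in cmdlines:
        for tag, detail in classify(c):
            per.setdefault(tag, set()).add(detail)
    chain = None
    for d in per.get("startup_folder_redirect", ()):
        dnorm = d.rstrip("\\").lower()
        task = [t for t in per.get("scheduled_task_minute_user_writable", ())
                if t.lower().startswith(dnorm + "\\")]
        acl = [a for a in per.get("acl_deny_self", ())
               if a.lower() == dnorm or a.lower().startswith(dnorm + "\\")]
        if task and acl:
            chain = {"startup_dir": d, "task_target": sorted(task)[0], "acl_locked": sorted(acl)}
    return {"tags": {k: sorted(v) for k, v in per.items()}, "persistence_chain": chain}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for tag, paths in result["tags"].items():
        print(tag, paths)
    print("chain:", result["persistence_chain"])
```

For cleanup the three pieces have to be undone in the right order: delete the task first (otherwise tkools.exe is back within a minute), reset the Startup value of User Shell Folders to its default, then take ownership and reset the ACLs before removing the directory, since the user's own deny entry blocks a plain delete.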

Network

Country Destination Domain Proto
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
RU 185.186.142.166:80 tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 unicupload.top udp
DE 8.209.106.57:80 unicupload.top tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
HU 91.219.236.27:80 tcp
NL 109.234.38.101:25717 tcp
HU 91.219.236.27:80 tcp
MD 94.158.245.167:80 tcp
MD 94.158.245.167:80 tcp
HU 185.163.204.216:80 185.163.204.216 tcp
MD 94.158.245.147:80 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 infinity-cheats.com udp
NL 45.141.159.64:80 infinity-cheats.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
DE 194.85.248.229:30260 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 109.234.38.101:25717 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
SC 185.215.113.35:80 185.215.113.35 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 j11975253.myjino.ru udp
RU 81.177.165.51:443 j11975253.myjino.ru tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
DE 194.85.248.229:30260 tcp
MD 94.158.245.147:80 tcp
NL 109.234.38.101:25717 tcp
DE 194.85.248.229:30260 tcp
GB 185.237.99.19:1482 tcp
NL 109.234.38.101:25717 tcp
MD 94.158.245.147:80 tcp
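Both Network tables (behavioral1 above and behavioral2 here) show the same picture: the three domains beaconed in behavioral1, where SmokeLoader is the only family detected (host-data-coin-11.com, file-coin-data-5.com, privacy-tools-for-you-777.com), all resolve to 37.0.10.199:80 and are contacted in rotation, while the payloads fetched in behavioral2 talk to raw IPs, several on non-standard ports (25717, 30260, 1482) with no DNS lookup at all. Rows where the Domain column repeats the IP (185.163.204.216, 185.215.113.35) are direct-to-IP connections too. The script below is an added example, not from the sandbox or this report; it parses rows in this table's format (a constructed subset of the rows above), counts hits per endpoint, groups hostnames that share one address, lists direct-to-IP connections on non-standard ports, and produces domain and IP block lists. The infrastructure it excludes from the block lists (the sandbox's 8.8.8.8 resolver, time.windows.com, and cdn.discordapp.com, a shared CDN that is better handled by URL than by host) is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the rows from this report's two Network tables,
# in the report's "Country Destination Domain Proto" layout.
SAMPLE_NETWORK = """
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
RU 185.186.142.166:80 tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 unicupload.top udp
DE 8.209.106.57:80 unicupload.top tcp
NL 109.234.38.101:25717 tcp
HU 185.163.204.216:80 185.163.204.216 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 194.85.248.229:30260 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
US 8.8.8.8:53 j11975253.myjino.ru udp
RU 81.177.165.51:443 j11975253.myjino.ru tcp
GB 185.237.99.19:1482 tcp
NL 109.234.38.101:25717 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
# Assumption: sandbox plumbing and shared services that do not belong on a host block list.
INFRA = {"8.8.8.8", "time.windows.com", "cdn.discordapp.com"}


def parse_network(text):
    """Parse table rows; a Domain column that merely repeats the IP means no name was resolved."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["port"] = int(d["port"])
        if d["domain"] == d["ip"]:
            d["domain"] = None
        rows.append(d)
    return rows


def summarize(text):
    rows = parse_network(text)
    hits = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    names_per_ip = defaultdict(set)
    for r in rows:
        if r["domain"] and r["proto"] == "tcp":
            names_per_ip[r["ip"]].add(r["domain"])
    # Several C2 hostnames behind one address: rotating names, single host.
    shared = {ip: sorted(n) for ip, n in names_per_ip.items() if len(n) > 1}
    # Direct-to-IP connections on ports other than 80/443 skip DNS entirely.
    direct = sorted({(r["ip"], r["port"]) for r in rows
                     if r["proto"] == "tcp" and r["domain"] is None and r["port"] not in (80, 443)})
    block_domains = sorted({r["domain"] for r in rows if r["domain"] and r["domain"] not in INFRA})
    block_ips = sorted({r["ip"] for r in rows if r["proto"] == "tcp"
                        and r["ip"] not in INFRA and r["domain"] not in INFRA})
    return {"hits": hits, "shared_hosting": shared, "direct_ip_nonstandard_port": direct,
            "block_domains": block_domains, "block_ips": block_ips}


if __name__ == "__main__":
    s = summarize(SAMPLE_NETWORK)
    for key in ("shared_hosting", "direct_ip_nonstandard_port", "block_domains", "block_ips"):
        print(key, s[key])
    for (ip, port, proto), n in s["hits"].most_common(5):
        print(f"{ip}:{port}/{proto} x{n}")
```

The hit counter is what makes the SmokeLoader beacon stand out: one address on port 80 accounts for most of the table under three names, whereas each stealer and RAT endpoint shows up a handful of times on its own port.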

Files

memory/2040-118-0x00000000007E1000-0x00000000007F2000-memory.dmp

memory/3916-120-0x0000000000402F47-mapping.dmp

memory/3916-119-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2040-121-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2156-122-0x0000000001120000-0x0000000001136000-memory.dmp

memory/2300-123-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6E56.exe

MD5 920c3a4f66ff3fdea72b5d0c0d95167d
SHA1 e302969de3ddeaa3483581cc6ba935df25454b99
SHA256 4d30f8dc90c1f482a0fefe6160c4f4271c211539b14d0a181998969132efce82
SHA512 3b76b17d0328e2707e67d12ac092b510399ee3601ae7ece9c0e1b1366e377fb9bd3bb6fb82a3788e1702839408d44034887b106b82183d0d995de6623eeaefa6

C:\Users\Admin\AppData\Local\Temp\6E56.exe

MD5 920c3a4f66ff3fdea72b5d0c0d95167d
SHA1 e302969de3ddeaa3483581cc6ba935df25454b99
SHA256 4d30f8dc90c1f482a0fefe6160c4f4271c211539b14d0a181998969132efce82
SHA512 3b76b17d0328e2707e67d12ac092b510399ee3601ae7ece9c0e1b1366e377fb9bd3bb6fb82a3788e1702839408d44034887b106b82183d0d995de6623eeaefa6

memory/2788-128-0x0000000000402F47-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6E56.exe

MD5 920c3a4f66ff3fdea72b5d0c0d95167d
SHA1 e302969de3ddeaa3483581cc6ba935df25454b99
SHA256 4d30f8dc90c1f482a0fefe6160c4f4271c211539b14d0a181998969132efce82
SHA512 3b76b17d0328e2707e67d12ac092b510399ee3601ae7ece9c0e1b1366e377fb9bd3bb6fb82a3788e1702839408d44034887b106b82183d0d995de6623eeaefa6

memory/2584-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\84BD.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

C:\Users\Admin\AppData\Local\Temp\84BD.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

memory/1432-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\874F.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

C:\Users\Admin\AppData\Local\Temp\874F.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

memory/1432-137-0x0000000000310000-0x0000000000379000-memory.dmp

memory/1432-138-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/1432-139-0x00000000770D0000-0x0000000077292000-memory.dmp

memory/1432-140-0x0000000002640000-0x0000000002685000-memory.dmp

memory/2584-141-0x0000000002160000-0x00000000021EF000-memory.dmp

memory/2584-142-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1432-143-0x0000000074510000-0x0000000074601000-memory.dmp

memory/1432-144-0x0000000000310000-0x0000000000311000-memory.dmp

memory/1432-146-0x00000000736B0000-0x0000000073730000-memory.dmp

memory/1432-147-0x0000000005580000-0x0000000005581000-memory.dmp

memory/1432-148-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/1432-149-0x0000000005080000-0x0000000005081000-memory.dmp

memory/1432-150-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/1432-151-0x00000000746F0000-0x0000000074C74000-memory.dmp

memory/1432-152-0x0000000004F60000-0x0000000004F61000-memory.dmp

memory/1432-153-0x0000000074CF0000-0x0000000076038000-memory.dmp

memory/1432-154-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/1432-155-0x0000000073250000-0x000000007329B000-memory.dmp

memory/2156-156-0x0000000002F90000-0x0000000002FA6000-memory.dmp

memory/2972-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C9B8.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

\Users\Admin\AppData\Local\Temp\C9B8.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

memory/1072-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CE1E.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

C:\Users\Admin\AppData\Local\Temp\CE1E.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

memory/1072-163-0x0000000000E90000-0x0000000000F42000-memory.dmp

memory/1072-164-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/1072-165-0x00000000770D0000-0x0000000077292000-memory.dmp

memory/1072-166-0x0000000074510000-0x0000000074601000-memory.dmp

memory/1072-167-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/1072-168-0x0000000002A00000-0x0000000002A45000-memory.dmp

memory/1072-170-0x00000000736B0000-0x0000000073730000-memory.dmp

memory/1072-175-0x00000000746F0000-0x0000000074C74000-memory.dmp

memory/1072-176-0x0000000074CF0000-0x0000000076038000-memory.dmp

memory/1072-178-0x0000000073250000-0x000000007329B000-memory.dmp

memory/1072-179-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

memory/2160-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DD90.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\DD90.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2160-183-0x00000000006D8000-0x00000000006F6000-memory.dmp

memory/2728-184-0x0000000000000000-mapping.dmp

memory/3128-185-0x0000000000000000-mapping.dmp

memory/2160-187-0x0000000001F60000-0x0000000001F99000-memory.dmp

memory/3532-186-0x0000000000000000-mapping.dmp

memory/2160-188-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/4048-190-0x0000000000000000-mapping.dmp

memory/972-191-0x0000000000000000-mapping.dmp

memory/2328-192-0x0000000000000000-mapping.dmp

memory/2392-194-0x0000000000000000-mapping.dmp

memory/2892-193-0x0000000000000000-mapping.dmp

memory/3204-195-0x0000000000000000-mapping.dmp

memory/3252-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/3160-196-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\88340284281526874389

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1208-201-0x0000000000000000-mapping.dmp

memory/3808-202-0x0000000000000000-mapping.dmp

memory/2344-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FC15.exe

MD5 8c010d565f0ae6ae084bdeb35fba7ff1
SHA1 95485abfab63edbd848f3f3ec2821f50aba0b74d
SHA256 9b7a42def14129b70c89d87853845f8c21fe04c6787757d3e59d6bd1ee21234d
SHA512 73fa980b534c6ad3af0752b5eb775652d5cada3ed66fabdeceec74d6cfe9de01db9f7f7788612d77c9ad3270ed3c8b6c16131ccffe0207b8b7f8714d0f725215

C:\Users\Admin\AppData\Local\Temp\FC15.exe

MD5 8c010d565f0ae6ae084bdeb35fba7ff1
SHA1 95485abfab63edbd848f3f3ec2821f50aba0b74d
SHA256 9b7a42def14129b70c89d87853845f8c21fe04c6787757d3e59d6bd1ee21234d
SHA512 73fa980b534c6ad3af0752b5eb775652d5cada3ed66fabdeceec74d6cfe9de01db9f7f7788612d77c9ad3270ed3c8b6c16131ccffe0207b8b7f8714d0f725215

memory/3252-206-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2344-208-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/3096-207-0x0000000000000000-mapping.dmp

memory/2344-210-0x0000000001400000-0x000000000140D000-memory.dmp

memory/2344-211-0x0000000001420000-0x0000000001422000-memory.dmp

memory/2472-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\13F4.exe

MD5 17d7d479f8344ca0f015eb789155334c
SHA1 ab3075bae5babff2f0c513479a9a7dee2c5244dd
SHA256 dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec
SHA512 cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

C:\Users\Admin\AppData\Local\Temp\13F4.exe

MD5 17d7d479f8344ca0f015eb789155334c
SHA1 ab3075bae5babff2f0c513479a9a7dee2c5244dd
SHA256 dcf88ad773f7a6b5a16e382d74b99a05bdba5eb282568436b32a6457720216ec
SHA512 cf0d9f539db508cb0c559bb251d1f6a1a8adea3c19812c1c6508e72d61f5c5c2dfe77c6c763cc71ac470d9cfa42adb660820f54e69028a211dca2743505082bf

memory/2972-215-0x0000000002790000-0x0000000002792000-memory.dmp

memory/2972-216-0x0000000002790000-0x0000000002792000-memory.dmp

memory/2972-217-0x0000000002240000-0x0000000002280000-memory.dmp

memory/2472-219-0x00000000007B0000-0x000000000083F000-memory.dmp

memory/2472-220-0x0000000000400000-0x0000000000515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/1872-222-0x000000000067E000-0x000000000069C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88340284281526874389

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1872-224-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2344-225-0x000000001C420000-0x000000001C7E8000-memory.dmp

memory/2344-226-0x000000001D740000-0x000000001D741000-memory.dmp

memory/2344-227-0x000000001DA20000-0x000000001DDE6000-memory.dmp

memory/2344-228-0x00000000031D0000-0x00000000031D1000-memory.dmp

memory/3168-229-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3168-230-0x000000000068A488-mapping.dmp

memory/3168-231-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3168-232-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2172-233-0x0000000000000000-mapping.dmp

memory/3256-234-0x0000000000000000-mapping.dmp

memory/3256-235-0x0000000000740000-0x0000000000741000-memory.dmp