Malware Analysis Report

2025-06-16 05:29

Sample ID 211207-yhyjvafeg7
Target 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA256 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
Tags
amadey arkei bazarloader raccoon redline smokeloader default f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3

Threat Level: Known bad

The file 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 was found to be: Known bad.

Malicious Activity Summary

Amadey

SmokeLoader

RedLine

Arkei

Raccoon

Modifies WinLogon for persistence

Bazar Loader

RedLine Payload

Arkei Stealer Payload

Nirsoft

Bazar/Team9 Loader payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Checks BIOS information in registry

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-07 19:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 19:47

Reported

2021-12-07 19:50

Platform

win10-en-20211014

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"

Signatures

Amadey

trojan amadey

Arkei

stealer arkei

Bazar Loader

loader dropper bazarloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\"," C:\Users\Admin\AppData\Local\Temp\DA8.exe N/A

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Arkei Stealer Payload

stealer

Bazar/Team9 Loader payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Nirsoft

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A

Deletes itself

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\DA8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\DA8.exe\"" C:\Users\Admin\AppData\Local\Temp\DA8.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C5EE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47B3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eaetsdj N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47B3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\47B3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eaetsdj N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\eaetsdj N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7B1B.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C5EE.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
PID 3040 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3040 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3040 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3228 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\47B3.exe C:\Users\Admin\AppData\Local\Temp\47B3.exe
PID 3040 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35D.exe
PID 3040 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35D.exe
PID 3040 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\C35D.exe
PID 3040 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5EE.exe
PID 3040 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5EE.exe
PID 3040 wrote to memory of 1888 N/A N/A C:\Users\Admin\AppData\Local\Temp\C5EE.exe
PID 3040 wrote to memory of 1444 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3040 wrote to memory of 1444 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3040 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\B36.exe
PID 3040 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\B36.exe
PID 3040 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\B36.exe
PID 3040 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe
PID 3040 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe
PID 3004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\DA8.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2104 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe
PID 3040 wrote to memory of 2104 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe
PID 3040 wrote to memory of 2104 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe
PID 2812 wrote to memory of 1532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 2812 wrote to memory of 1532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 2104 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1540 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1540 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2104 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 680 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 680 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 680 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2104 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 3444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2164 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2164 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2104 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
PID 2104 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\1C30.exe C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe

"C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"

C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe

"C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"

C:\Users\Admin\AppData\Local\Temp\47B3.exe

C:\Users\Admin\AppData\Local\Temp\47B3.exe

C:\Users\Admin\AppData\Local\Temp\47B3.exe

C:\Users\Admin\AppData\Local\Temp\47B3.exe

C:\Users\Admin\AppData\Local\Temp\C35D.exe

C:\Users\Admin\AppData\Local\Temp\C35D.exe

C:\Users\Admin\AppData\Local\Temp\C5EE.exe

C:\Users\Admin\AppData\Local\Temp\C5EE.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6C1.dll

C:\Users\Admin\AppData\Local\Temp\B36.exe

C:\Users\Admin\AppData\Local\Temp\B36.exe

C:\Users\Admin\AppData\Local\Temp\DA8.exe

C:\Users\Admin\AppData\Local\Temp\DA8.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com

C:\Users\Admin\AppData\Local\Temp\1C30.exe

C:\Users\Admin\AppData\Local\Temp\1C30.exe

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" youtube.com

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Users\Admin\AppData\Local\Temp\3A29.exe

C:\Users\Admin\AppData\Local\Temp\3A29.exe

C:\Users\Admin\AppData\Local\Temp\7B1B.exe

C:\Users\Admin\AppData\Local\Temp\7B1B.exe

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3304

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\DA8.exe" -Force

C:\Users\Admin\AppData\Local\Temp\DA8.exe

C:\Users\Admin\AppData\Local\Temp\DA8.exe

C:\Users\Admin\AppData\Roaming\eaetsdj

C:\Users\Admin\AppData\Roaming\eaetsdj

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Roaming\eaetsdj

C:\Users\Admin\AppData\Roaming\eaetsdj

Network

Files

SHA512 a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea

C:\Users\Admin\AppData\Local\Temp\DA8.exe

MD5 5b2c1d9e7a4bd7d9bccdf7564550ed96
SHA1 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68
SHA256 c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6
SHA512 a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea

memory/2384-178-0x0000000001250000-0x000000000139A000-memory.dmp

memory/2384-179-0x00000000058A0000-0x00000000058A1000-memory.dmp

memory/3004-181-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/2384-183-0x0000000075AD0000-0x0000000076054000-memory.dmp

memory/2384-184-0x00000000744E0000-0x0000000075828000-memory.dmp

memory/2384-186-0x0000000070130000-0x000000007017B000-memory.dmp

memory/3004-187-0x000000001C6F0000-0x000000001C6F2000-memory.dmp

memory/2812-188-0x0000000000000000-mapping.dmp

memory/1888-189-0x00000000067E0000-0x00000000067E1000-memory.dmp

memory/1888-190-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

memory/2812-191-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-192-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-193-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-194-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-195-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-196-0x000002363B260000-0x000002363B261000-memory.dmp

memory/2812-197-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-198-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-199-0x00000236542A0000-0x00000236542A1000-memory.dmp

memory/2812-200-0x0000023653900000-0x0000023653902000-memory.dmp

memory/2812-201-0x0000023653903000-0x0000023653905000-memory.dmp

memory/2104-202-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1C30.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/1532-205-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1C30.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2104-206-0x00000000005E8000-0x0000000000606000-memory.dmp

memory/2104-207-0x0000000001F70000-0x0000000001FA9000-memory.dmp

memory/1540-208-0x0000000000000000-mapping.dmp

memory/2104-209-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3252-210-0x0000000000000000-mapping.dmp

memory/3384-211-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/680-213-0x0000000000000000-mapping.dmp

memory/2596-214-0x0000000000000000-mapping.dmp

memory/2812-215-0x0000023639700000-0x0000023639702000-memory.dmp

memory/2812-216-0x0000023639700000-0x0000023639702000-memory.dmp

memory/3004-217-0x000000001EE80000-0x000000001EF48000-memory.dmp

memory/2164-218-0x0000000000000000-mapping.dmp

memory/2812-219-0x0000023653906000-0x0000023653908000-memory.dmp

memory/3004-220-0x000000001C6F2000-0x000000001C6F4000-memory.dmp

memory/3444-221-0x0000000000000000-mapping.dmp

memory/3372-222-0x0000000000000000-mapping.dmp

memory/3244-223-0x0000000000000000-mapping.dmp

memory/1872-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/1908-226-0x0000000000000000-mapping.dmp

memory/1872-227-0x0000000000808000-0x0000000000826000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3588-229-0x0000000000000000-mapping.dmp

memory/1740-230-0x0000000000000000-mapping.dmp

memory/2140-231-0x0000000000000000-mapping.dmp

memory/1384-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3A29.exe

MD5 9e4dba3e11969085a1165f18e84e7ff4
SHA1 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104
SHA256 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777
SHA512 c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d

C:\Users\Admin\AppData\Local\Temp\3A29.exe

MD5 9e4dba3e11969085a1165f18e84e7ff4
SHA1 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104
SHA256 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777
SHA512 c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d

memory/1872-235-0x0000000000460000-0x00000000005AA000-memory.dmp

memory/1872-236-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1384-237-0x00000000008C1000-0x0000000000910000-memory.dmp

memory/1384-238-0x0000000000520000-0x000000000066A000-memory.dmp

memory/1384-239-0x0000000000400000-0x0000000000515000-memory.dmp

memory/1444-241-0x0000000001500000-0x0000000001502000-memory.dmp

memory/1444-240-0x0000000001500000-0x0000000001502000-memory.dmp

memory/1444-242-0x0000000003280000-0x00000000032C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B1B.exe

MD5 dae9362b118838d3781ed2521e9a4b08
SHA1 cc5cb0931066b81ce1c07291262e95826bd1b515
SHA256 bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d
SHA512 d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

memory/3556-243-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7B1B.exe

MD5 dae9362b118838d3781ed2521e9a4b08
SHA1 cc5cb0931066b81ce1c07291262e95826bd1b515
SHA256 bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d
SHA512 d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

memory/3556-246-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-247-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-248-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-249-0x0000000002CB0000-0x0000000002CF6000-memory.dmp

memory/3556-250-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/3556-251-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-253-0x00000000760B0000-0x0000000076272000-memory.dmp

memory/3556-252-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-254-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-255-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-260-0x0000000000EE0000-0x00000000012AB000-memory.dmp

memory/3556-259-0x00000000778C0000-0x0000000077A4E000-memory.dmp

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/3304-265-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/2204-268-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/3764-270-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/1500-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/3512-274-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 b49a31b6e3a6771dbfa29b309842ef4f
SHA1 6b837a896a3008be212e7a3e297859b06b1d22af
SHA256 066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81
SHA512 804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7e961c790ac4cfd820f8fc0100c1c4c
SHA1 99b18bd510dcc61ed2555efdf7761b82a56f64fa
SHA256 9423b788584fa34959e19a651e027ca3a235c978d779d290f029b5684fa83c90
SHA512 4f80927a898be7c53d421552c2fa64420c087e7dbfdd4bcad07ef78fc1caa331f8645b66fe271fa1477d845cd3a56d5808e2289eb388484e0c8ce2da20cb0e82

memory/1064-287-0x0000000140000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DA8.exe.log

MD5 8bdb3d1170d108853676265cb5793aa3
SHA1 84182d42c6ec440dd0d4fb1cab08c518e3ed0338
SHA256 828c382385d362c9c4420db3f89a0a7a8c14d2db929ab3957be44d993ac4d01f
SHA512 fd8448692c00d52805274d27dd526dcb887a5ba8a02133f26a19dd0d30a683b12715de804062b673f32caf42cdde21e03d2b7dc6005093d8672ebbe529c32f99

memory/3512-290-0x00000218B12F0000-0x00000218B12F2000-memory.dmp

memory/3512-291-0x00000218B12F3000-0x00000218B12F5000-memory.dmp

memory/3004-292-0x000000001C6F4000-0x000000001C6F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DA8.exe

MD5 5b2c1d9e7a4bd7d9bccdf7564550ed96
SHA1 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68
SHA256 c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6
SHA512 a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea

memory/1064-300-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

C:\Users\Admin\AppData\Roaming\eaetsdj

MD5 a0a201f098c95d71c7e2b64c6be9bc46
SHA1 f317aa454ce83479ef95ebdecf767d11ea64e948
SHA256 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA512 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0

C:\Users\Admin\AppData\Roaming\eaetsdj

MD5 a0a201f098c95d71c7e2b64c6be9bc46
SHA1 f317aa454ce83479ef95ebdecf767d11ea64e948
SHA256 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA512 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2140-310-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2944-313-0x0000000000402F47-mapping.dmp

C:\Users\Admin\AppData\Roaming\eaetsdj

MD5 a0a201f098c95d71c7e2b64c6be9bc46
SHA1 f317aa454ce83479ef95ebdecf767d11ea64e948
SHA256 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA512 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0

memory/3512-325-0x00000218B12F8000-0x00000218B12F9000-memory.dmp

memory/3512-324-0x00000218B12F6000-0x00000218B12F8000-memory.dmp

memory/3040-326-0x00000000046C0000-0x00000000046D6000-memory.dmp
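The listing above is the raw material an analyst turns into indicators: file events (a path followed by its MD5/SHA1/SHA256/SHA512) and memory dump names that encode the PID, an event index and the address range. Three things are worth checking mechanically rather than by eye: the same content recurring under different paths (1C30.exe and 60bb09348e\tkools.exe share one SHA256), a dropped file whose digests are those of zero-byte input (03795181499162622812 carries exactly the empty-file MD5/SHA1/SHA256/SHA512), and address ranges that recur across PIDs (0x760B0000-0x76272000 is dumped from 1888, 2384 and 3556). The script below is an added example written for this page, not part of the sandbox report or its tooling. It parses the listing format as it appears above, groups file events by SHA256, flags empty or malformed digests, flags any file whose SHA256 equals a sample hash the analyst passes in, and groups dumped regions by address range. The embedded input is a constructed excerpt of the listing with hashes copied from the entries above; the naming pattern of the dump files is inferred from the names on this page and is an assumption.

```python
import hashlib
import re
from collections import defaultdict

# Dump name pattern inferred from the listing: memory/<pid>-<n>-0x<start>[-0x<end>]-<kind>.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than hard-coded so a typo cannot creep in.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HASH_LEN}

# Constructed excerpt in the report's own format; hashes copied from the entries above.
SAMPLE_LISTING = r"""
memory/1888-137-0x00000000760B0000-0x0000000076272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C30.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

memory/2384-167-0x00000000760B0000-0x0000000076272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2812-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\eaetsdj

MD5 a0a201f098c95d71c7e2b64c6be9bc46
SHA1 f317aa454ce83479ef95ebdecf767d11ea64e948
SHA256 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
SHA512 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0
"""


def parse_listing(text):
    """Return (files, dumps): file events with their digests, and parsed dump names."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            dumps.append({"pid": int(m["pid"]), "index": int(m["idx"]), "kind": m["kind"],
                          "start": int(m["start"], 16),
                          "end": int(m["end"], 16) if m["end"] else None})
            current = None
        elif h := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            current["hashes"][h[1]] = h[2].lower()
        else:  # any other non-empty line is a dropped-file path
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def distinct_artifacts(files):
    """Group file events by SHA256; the same content often lands under several paths."""
    by_sha = defaultdict(list)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and f["path"] not in by_sha[sha]:
            by_sha[sha].append(f["path"])
    return dict(by_sha)


def flag_files(files, sample_sha256=None):
    """Per path: malformed digests, zero-byte content, or content identical to the sample."""
    flags = defaultdict(set)
    for f in files:
        p, h = f["path"], f["hashes"]
        for algo, digest in h.items():
            if len(digest) != HASH_LEN[algo]:
                flags[p].add(f"malformed {algo}")
        if any(h.get(a) == EMPTY[a] for a in HASH_LEN):
            flags[p].add("empty file")
        if sample_sha256 and h.get("SHA256") == sample_sha256.lower():
            flags[p].add("same content as submitted sample")
    return {p: sorted(s) for p, s in flags.items()}


def shared_regions(dumps):
    """(start, end) -> PIDs for ranges dumped from more than one process; an identical
    range in several processes usually means the same image mapped at the same base."""
    seen = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory":
            seen[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for sha, paths in distinct_artifacts(files).items():
        print(sha[:16], "->", paths)
    # The submitted sample's SHA256 is supplied by the analyst; it is a parameter, not parsed.
    print(flag_files(files, "84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3"))
    for (start, end), pids in shared_regions(dumps).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) dumped from PIDs {pids}")
```

Run it against the full listing by replacing SAMPLE_LISTING with the text of this section; the empty-file check matters because a zero-byte drop has no content to hunt for and must not be shipped as a hash IOC, and the sample-hash check turns a file like eaetsdj (same SHA256 as the submitted sample) into a self-copy indicator rather than a new payload.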