Analysis Overview
SHA256
84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3
Threat Level: Known bad
The file 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 was found to be: Known bad.
Malicious Activity Summary
Amadey
SmokeLoader
RedLine
Arkei
Raccoon
Modifies WinLogon for persistence
Bazar Loader
RedLine Payload
Arkei Stealer Payload
Nirsoft
Bazar/Team9 Loader payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Checks BIOS information in registry
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-07 19:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-07 19:47
Reported
2021-12-07 19:50
Platform
win10-en-20211014
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Amadey
Arkei
Bazar Loader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\"," | C:\Users\Admin\AppData\Local\Temp\DA8.exe | N/A |
Raccoon
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Arkei Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\DA8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\DA8.exe\"" | C:\Users\Admin\AppData\Local\Temp\DA8.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C5EE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B36.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe |
| PID 3228 set thread context of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\47B3.exe | C:\Users\Admin\AppData\Local\Temp\47B3.exe |
| PID 3004 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\DA8.exe | C:\Users\Admin\AppData\Local\Temp\DA8.exe |
| PID 2132 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Roaming\eaetsdj | C:\Users\Admin\AppData\Roaming\eaetsdj |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\47B3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eaetsdj | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\47B3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\47B3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eaetsdj | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\eaetsdj | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7B1B.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47B3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eaetsdj | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DA8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C5EE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DA8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
"C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"
C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe
"C:\Users\Admin\AppData\Local\Temp\84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3.exe"
C:\Users\Admin\AppData\Local\Temp\47B3.exe
C:\Users\Admin\AppData\Local\Temp\47B3.exe
C:\Users\Admin\AppData\Local\Temp\47B3.exe
C:\Users\Admin\AppData\Local\Temp\47B3.exe
C:\Users\Admin\AppData\Local\Temp\C35D.exe
C:\Users\Admin\AppData\Local\Temp\C35D.exe
C:\Users\Admin\AppData\Local\Temp\C5EE.exe
C:\Users\Admin\AppData\Local\Temp\C5EE.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6C1.dll
C:\Users\Admin\AppData\Local\Temp\B36.exe
C:\Users\Admin\AppData\Local\Temp\B36.exe
C:\Users\Admin\AppData\Local\Temp\DA8.exe
C:\Users\Admin\AppData\Local\Temp\DA8.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com
C:\Users\Admin\AppData\Local\Temp\1C30.exe
C:\Users\Admin\AppData\Local\Temp\1C30.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" youtube.com
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
C:\Users\Admin\AppData\Local\Temp\3A29.exe
C:\Users\Admin\AppData\Local\Temp\3A29.exe
C:\Users\Admin\AppData\Local\Temp\7B1B.exe
C:\Users\Admin\AppData\Local\Temp\7B1B.exe
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3304
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3764
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\DA8.exe" -Force
C:\Users\Admin\AppData\Local\Temp\DA8.exe
C:\Users\Admin\AppData\Local\Temp\DA8.exe
C:\Users\Admin\AppData\Roaming\eaetsdj
C:\Users\Admin\AppData\Roaming\eaetsdj
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Roaming\eaetsdj
C:\Users\Admin\AppData\Roaming\eaetsdj
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | host-data-coin-11.com | udp |
| NL | 37.0.10.199:80 | host-data-coin-11.com | tcp |
| NL | 37.0.10.199:80 | host-data-coin-11.com | tcp |
| US | 8.8.8.8:53 | privacy-tools-for-you-777.com | udp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| RU | 185.186.142.166:80 | | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| NL | 37.0.10.199:80 | privacy-tools-for-you-777.com | tcp |
| US | 8.8.8.8:53 | file-coin-data-5.com | udp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| DE | 185.233.81.115:443 | | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | file-coin-data-5.com | udp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | unicupload.top | udp |
| DE | 8.209.106.57:80 | unicupload.top | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| HU | 91.219.236.27:80 | | tcp |
| HU | 91.219.236.27:80 | | tcp |
| NL | 109.234.38.101:25717 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| MD | 94.158.245.167:80 | | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| HU | 185.163.204.216:80 | 185.163.204.216 | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| MD | 94.158.245.147:80 | | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | infinity-cheats.com | udp |
| NL | 45.141.159.64:80 | infinity-cheats.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| DE | 194.85.248.229:30260 | | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 37.0.10.199:80 | file-coin-data-5.com | tcp |
| US | 8.8.8.8:53 | file-file-host8.com | udp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 45.141.159.64:80 | infinity-cheats.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| SC | 185.215.113.35:80 | 185.215.113.35 | tcp |
| SC | 185.215.113.35:80 | 185.215.113.35 | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| DE | 194.85.248.229:30260 | | tcp |
| NL | 37.0.10.199:80 | file-file-host8.com | tcp |
| MD | 94.158.245.147:80 | | tcp |
| NL | 195.133.18.126:80 | 195.133.18.126 | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | rigtest123.chickenkiller.com | udp |
| NL | 45.144.225.160:25426 | rigtest123.chickenkiller.com | tcp |
| DE | 194.85.248.229:30260 | | tcp |
| MD | 94.158.245.147:80 | | tcp |
Files
memory/3048-116-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/2744-117-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2744-118-0x0000000000402F47-mapping.dmp
memory/3040-119-0x0000000000940000-0x0000000000956000-memory.dmp
memory/3228-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\47B3.exe
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
C:\Users\Admin\AppData\Local\Temp\47B3.exe
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
memory/3368-125-0x0000000000402F47-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\47B3.exe
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
memory/3040-127-0x00000000027D0000-0x00000000027E6000-memory.dmp
memory/1892-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C35D.exe
| MD5 | bce50d5b17bb88f22f0000511026520d |
| SHA1 | 599aaed4ee72ec0e0fc4cada844a1c210e332961 |
| SHA256 | 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455 |
| SHA512 | c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536 |
C:\Users\Admin\AppData\Local\Temp\C35D.exe
| MD5 | bce50d5b17bb88f22f0000511026520d |
| SHA1 | 599aaed4ee72ec0e0fc4cada844a1c210e332961 |
| SHA256 | 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455 |
| SHA512 | c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536 |
C:\Users\Admin\AppData\Local\Temp\C5EE.exe
| MD5 | 0cefed061e2a2241ecd302d7790a2f80 |
| SHA1 | 5f119195af2db118c5fbac21634bea00f5d5b8da |
| SHA256 | 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983 |
| SHA512 | 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba |
memory/1888-131-0x0000000000000000-mapping.dmp
memory/1892-133-0x0000000000529000-0x0000000000579000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C5EE.exe
| MD5 | 0cefed061e2a2241ecd302d7790a2f80 |
| SHA1 | 5f119195af2db118c5fbac21634bea00f5d5b8da |
| SHA256 | 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983 |
| SHA512 | 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba |
memory/1888-135-0x0000000000C90000-0x0000000000CF9000-memory.dmp
memory/1888-136-0x0000000000050000-0x0000000000051000-memory.dmp
memory/1888-137-0x00000000760B0000-0x0000000076272000-memory.dmp
memory/1888-139-0x0000000002640000-0x0000000002685000-memory.dmp
memory/1892-138-0x00000000020D0000-0x000000000215F000-memory.dmp
memory/1892-140-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1888-141-0x0000000076430000-0x0000000076521000-memory.dmp
memory/1888-142-0x0000000000C90000-0x0000000000C91000-memory.dmp
memory/1888-144-0x0000000071EC0000-0x0000000071F40000-memory.dmp
memory/1888-145-0x0000000005400000-0x0000000005401000-memory.dmp
memory/1888-146-0x0000000002620000-0x0000000002621000-memory.dmp
memory/1888-147-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/1888-148-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/1888-149-0x0000000002C90000-0x0000000002C91000-memory.dmp
memory/1888-150-0x0000000075AD0000-0x0000000076054000-memory.dmp
memory/1888-151-0x00000000744E0000-0x0000000075828000-memory.dmp
memory/1888-152-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/1888-153-0x0000000070130000-0x000000007017B000-memory.dmp
memory/1888-154-0x0000000005010000-0x0000000005011000-memory.dmp
memory/1888-155-0x0000000006010000-0x0000000006011000-memory.dmp
memory/1888-156-0x0000000005BD0000-0x0000000005BD1000-memory.dmp
memory/1888-157-0x0000000005CF0000-0x0000000005CF1000-memory.dmp
memory/1888-158-0x0000000005CD0000-0x0000000005CD1000-memory.dmp
memory/1444-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6C1.dll
| MD5 | a49d28798147cc039e3ac341044fe612 |
| SHA1 | b950324092db34ad2940560d85f07744dd9e5b0c |
| SHA256 | 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b |
| SHA512 | 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a |
\Users\Admin\AppData\Local\Temp\6C1.dll
| MD5 | a49d28798147cc039e3ac341044fe612 |
| SHA1 | b950324092db34ad2940560d85f07744dd9e5b0c |
| SHA256 | 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b |
| SHA512 | 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a |
memory/2384-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B36.exe
| MD5 | 6beb00521639f19ea32c64a0799c79b4 |
| SHA1 | 2d1993a460759b547655480c6aa1f709ca398f34 |
| SHA256 | 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b |
| SHA512 | 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc |
C:\Users\Admin\AppData\Local\Temp\B36.exe
| MD5 | 6beb00521639f19ea32c64a0799c79b4 |
| SHA1 | 2d1993a460759b547655480c6aa1f709ca398f34 |
| SHA256 | 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b |
| SHA512 | 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc |
memory/2384-165-0x0000000000870000-0x0000000000922000-memory.dmp
memory/2384-166-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/2384-167-0x00000000760B0000-0x0000000076272000-memory.dmp
memory/2384-168-0x0000000076430000-0x0000000076521000-memory.dmp
memory/2384-169-0x0000000000870000-0x0000000000871000-memory.dmp
memory/3004-173-0x0000000000000000-mapping.dmp
memory/2384-171-0x0000000071EC0000-0x0000000071F40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DA8.exe
| MD5 | 5b2c1d9e7a4bd7d9bccdf7564550ed96 |
| SHA1 | 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68 |
| SHA256 | c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6 |
| SHA512 | a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea |
C:\Users\Admin\AppData\Local\Temp\DA8.exe
| MD5 | 5b2c1d9e7a4bd7d9bccdf7564550ed96 |
| SHA1 | 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68 |
| SHA256 | c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6 |
| SHA512 | a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea |
memory/2384-178-0x0000000001250000-0x000000000139A000-memory.dmp
memory/2384-179-0x00000000058A0000-0x00000000058A1000-memory.dmp
memory/3004-181-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/2384-183-0x0000000075AD0000-0x0000000076054000-memory.dmp
memory/2384-184-0x00000000744E0000-0x0000000075828000-memory.dmp
memory/2384-186-0x0000000070130000-0x000000007017B000-memory.dmp
memory/3004-187-0x000000001C6F0000-0x000000001C6F2000-memory.dmp
memory/2812-188-0x0000000000000000-mapping.dmp
memory/1888-189-0x00000000067E0000-0x00000000067E1000-memory.dmp
memory/1888-190-0x0000000006EE0000-0x0000000006EE1000-memory.dmp
memory/2812-191-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-192-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-193-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-194-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-195-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-196-0x000002363B260000-0x000002363B261000-memory.dmp
memory/2812-197-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-198-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-199-0x00000236542A0000-0x00000236542A1000-memory.dmp
memory/2812-200-0x0000023653900000-0x0000023653902000-memory.dmp
memory/2812-201-0x0000023653903000-0x0000023653905000-memory.dmp
memory/2104-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1C30.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/1532-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1C30.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/2104-206-0x00000000005E8000-0x0000000000606000-memory.dmp
memory/2104-207-0x0000000001F70000-0x0000000001FA9000-memory.dmp
memory/1540-208-0x0000000000000000-mapping.dmp
memory/2104-209-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3252-210-0x0000000000000000-mapping.dmp
memory/3384-211-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/680-213-0x0000000000000000-mapping.dmp
memory/2596-214-0x0000000000000000-mapping.dmp
memory/2812-215-0x0000023639700000-0x0000023639702000-memory.dmp
memory/2812-216-0x0000023639700000-0x0000023639702000-memory.dmp
memory/3004-217-0x000000001EE80000-0x000000001EF48000-memory.dmp
memory/2164-218-0x0000000000000000-mapping.dmp
memory/2812-219-0x0000023653906000-0x0000023653908000-memory.dmp
memory/3004-220-0x000000001C6F2000-0x000000001C6F4000-memory.dmp
memory/3444-221-0x0000000000000000-mapping.dmp
memory/3372-222-0x0000000000000000-mapping.dmp
memory/3244-223-0x0000000000000000-mapping.dmp
memory/1872-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/1908-226-0x0000000000000000-mapping.dmp
memory/1872-227-0x0000000000808000-0x0000000000826000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3588-229-0x0000000000000000-mapping.dmp
memory/1740-230-0x0000000000000000-mapping.dmp
memory/2140-231-0x0000000000000000-mapping.dmp
memory/1384-232-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3A29.exe
| MD5 | 9e4dba3e11969085a1165f18e84e7ff4 |
| SHA1 | 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104 |
| SHA256 | 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777 |
| SHA512 | c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d |
C:\Users\Admin\AppData\Local\Temp\3A29.exe
| MD5 | 9e4dba3e11969085a1165f18e84e7ff4 |
| SHA1 | 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104 |
| SHA256 | 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777 |
| SHA512 | c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d |
memory/1872-235-0x0000000000460000-0x00000000005AA000-memory.dmp
memory/1872-236-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1384-237-0x00000000008C1000-0x0000000000910000-memory.dmp
memory/1384-238-0x0000000000520000-0x000000000066A000-memory.dmp
memory/1384-239-0x0000000000400000-0x0000000000515000-memory.dmp
memory/1444-241-0x0000000001500000-0x0000000001502000-memory.dmp
memory/1444-240-0x0000000001500000-0x0000000001502000-memory.dmp
memory/1444-242-0x0000000003280000-0x00000000032C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7B1B.exe
| MD5 | dae9362b118838d3781ed2521e9a4b08 |
| SHA1 | cc5cb0931066b81ce1c07291262e95826bd1b515 |
| SHA256 | bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d |
| SHA512 | d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2 |
memory/3556-243-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7B1B.exe
| MD5 | dae9362b118838d3781ed2521e9a4b08 |
| SHA1 | cc5cb0931066b81ce1c07291262e95826bd1b515 |
| SHA256 | bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d |
| SHA512 | d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2 |
memory/3556-246-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-247-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-248-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-249-0x0000000002CB0000-0x0000000002CF6000-memory.dmp
memory/3556-250-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/3556-251-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-253-0x00000000760B0000-0x0000000076272000-memory.dmp
memory/3556-252-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-254-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-255-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-260-0x0000000000EE0000-0x00000000012AB000-memory.dmp
memory/3556-259-0x00000000778C0000-0x0000000077A4E000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/3304-265-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/2204-268-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/3764-270-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/1500-272-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/3512-274-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | b49a31b6e3a6771dbfa29b309842ef4f |
| SHA1 | 6b837a896a3008be212e7a3e297859b06b1d22af |
| SHA256 | 066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81 |
| SHA512 | 804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b7e961c790ac4cfd820f8fc0100c1c4c |
| SHA1 | 99b18bd510dcc61ed2555efdf7761b82a56f64fa |
| SHA256 | 9423b788584fa34959e19a651e027ca3a235c978d779d290f029b5684fa83c90 |
| SHA512 | 4f80927a898be7c53d421552c2fa64420c087e7dbfdd4bcad07ef78fc1caa331f8645b66fe271fa1477d845cd3a56d5808e2289eb388484e0c8ce2da20cb0e82 |
memory/1064-287-0x0000000140000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DA8.exe.log
| MD5 | 8bdb3d1170d108853676265cb5793aa3 |
| SHA1 | 84182d42c6ec440dd0d4fb1cab08c518e3ed0338 |
| SHA256 | 828c382385d362c9c4420db3f89a0a7a8c14d2db929ab3957be44d993ac4d01f |
| SHA512 | fd8448692c00d52805274d27dd526dcb887a5ba8a02133f26a19dd0d30a683b12715de804062b673f32caf42cdde21e03d2b7dc6005093d8672ebbe529c32f99 |
memory/3512-290-0x00000218B12F0000-0x00000218B12F2000-memory.dmp
memory/3512-291-0x00000218B12F3000-0x00000218B12F5000-memory.dmp
memory/3004-292-0x000000001C6F4000-0x000000001C6F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DA8.exe
| MD5 | 5b2c1d9e7a4bd7d9bccdf7564550ed96 |
| SHA1 | 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68 |
| SHA256 | c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6 |
| SHA512 | a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea |
memory/1064-300-0x0000000000EA0000-0x0000000000EA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\eaetsdj
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
C:\Users\Admin\AppData\Roaming\eaetsdj
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2140-310-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2944-313-0x0000000000402F47-mapping.dmp
C:\Users\Admin\AppData\Roaming\eaetsdj
| MD5 | a0a201f098c95d71c7e2b64c6be9bc46 |
| SHA1 | f317aa454ce83479ef95ebdecf767d11ea64e948 |
| SHA256 | 84e74384360d6d439ed3ed16141ae2d93355d4f0916c41f1a3226202850795e3 |
| SHA512 | 2c86329c8e7996bf33c22aab972635e18db4e173f590fa9edce7f3636c0b60bc1585f3c129f14832d3cf736886dcd68b930e76b084f6240cfe1ad0624963e3d0 |
memory/3512-325-0x00000218B12F8000-0x00000218B12F9000-memory.dmp
memory/3512-324-0x00000218B12F6000-0x00000218B12F8000-memory.dmp
memory/3040-326-0x00000000046C0000-0x00000000046D6000-memory.dmp