Malware Analysis Report

2025-06-16 05:30

Sample ID 211207-yzw3cafga6
Target b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
SHA256 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
Tags
amadey arkei bazarloader raccoon redline smokeloader default f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13

Threat Level: Known bad

The file b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13 was found to be: Known bad.

Malicious Activity Summary

amadey arkei bazarloader raccoon redline smokeloader default f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan

Modifies WinLogon for persistence

SmokeLoader

Raccoon

RedLine

Bazar Loader

Arkei

RedLine Payload

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Nirsoft

Arkei Stealer Payload

Bazar/Team9 Loader payload

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-12-07 20:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-07 20:13

Reported

2021-12-07 20:16

Platform

win10-en-20211014

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"

Signatures

Amadey

trojan amadey

Arkei

stealer arkei

Bazar Loader

loader dropper bazarloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\"," C:\Users\Admin\AppData\Local\Temp\E715.exe N/A

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Arkei Stealer Payload

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Nirsoft

Description Indicator Process Target
(5 events recorded, none with a description, indicator, process or target)

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\E715 = "\"C:\\Users\\Admin\\AppData\\Roaming\\E715.exe\"" C:\Users\Admin\AppData\Local\Temp\E715.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A4BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E3E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9074.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9074.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9074.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\4D73.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe N/A
(62 further events recorded, none with a description, indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A4BA.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E715.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E715.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 2756 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
PID 3020 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 3020 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 3020 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 1580 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\9074.exe C:\Users\Admin\AppData\Local\Temp\9074.exe
PID 3020 wrote to memory of 3680 N/A N/A C:\Users\Admin\AppData\Local\Temp\A229.exe
PID 3020 wrote to memory of 3680 N/A N/A C:\Users\Admin\AppData\Local\Temp\A229.exe
PID 3020 wrote to memory of 3680 N/A N/A C:\Users\Admin\AppData\Local\Temp\A229.exe
PID 3020 wrote to memory of 4048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4BA.exe
PID 3020 wrote to memory of 4048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4BA.exe
PID 3020 wrote to memory of 4048 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4BA.exe
PID 3020 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3020 wrote to memory of 1292 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3020 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3E8.exe
PID 3020 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3E8.exe
PID 3020 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3E8.exe
PID 3020 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\Temp\E715.exe
PID 3020 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\Temp\E715.exe
PID 1852 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\E715.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\E715.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3980 wrote to memory of 1936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 3980 wrote to memory of 1936 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\PING.EXE
PID 3020 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\F484.exe
PID 3020 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\F484.exe
PID 3020 wrote to memory of 4032 N/A N/A C:\Users\Admin\AppData\Local\Temp\F484.exe
PID 4032 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3128 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3128 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 3616 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3616 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3616 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3040 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3040 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4032 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\F484.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\F31.exe
PID 3020 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\F31.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe

"C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"

C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe

"C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"

C:\Users\Admin\AppData\Local\Temp\9074.exe

C:\Users\Admin\AppData\Local\Temp\9074.exe

C:\Users\Admin\AppData\Local\Temp\9074.exe

C:\Users\Admin\AppData\Local\Temp\9074.exe

C:\Users\Admin\AppData\Local\Temp\A229.exe

C:\Users\Admin\AppData\Local\Temp\A229.exe

C:\Users\Admin\AppData\Local\Temp\A4BA.exe

C:\Users\Admin\AppData\Local\Temp\A4BA.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DFDF.dll

C:\Users\Admin\AppData\Local\Temp\E3E8.exe

C:\Users\Admin\AppData\Local\Temp\E3E8.exe

C:\Users\Admin\AppData\Local\Temp\E715.exe

C:\Users\Admin\AppData\Local\Temp\E715.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com

C:\Windows\system32\PING.EXE

"C:\Windows\system32\PING.EXE" youtube.com

C:\Users\Admin\AppData\Local\Temp\F484.exe

C:\Users\Admin\AppData\Local\Temp\F484.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"

C:\Users\Admin\AppData\Local\Temp\F31.exe

C:\Users\Admin\AppData\Local\Temp\F31.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

C:\Users\Admin\AppData\Local\Temp\4D73.exe

C:\Users\Admin\AppData\Local\Temp\4D73.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3904

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\E715.exe" -Force

C:\Users\Admin\AppData\Local\Temp\E715.exe

C:\Users\Admin\AppData\Local\Temp\E715.exe

Network

Country Destination Domain Proto
IE 52.109.76.32:443 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 host-data-coin-11.com udp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
RU 185.186.142.166:80 tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
NL 37.0.10.199:80 host-data-coin-11.com tcp
US 8.8.8.8:53 file-coin-data-5.com udp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
DE 185.233.81.115:443 tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
NL 37.0.10.199:80 file-coin-data-5.com tcp
US 8.8.8.8:53 privacy-tools-for-you-777.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 unicupload.top udp
DE 8.209.106.57:80 unicupload.top tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
HU 91.219.236.27:80 tcp
HU 91.219.236.27:80 tcp
NL 109.234.38.101:25717 tcp
MD 94.158.245.167:80 tcp
MD 94.158.245.167:80 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 infinity-cheats.com udp
HU 185.163.204.216:80 185.163.204.216 tcp
NL 45.141.159.64:80 infinity-cheats.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
MD 94.158.245.147:80 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
DE 194.85.248.229:30260 tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 youtube.com udp
NL 37.0.10.199:80 privacy-tools-for-you-777.com tcp
US 8.8.8.8:53 file-file-host8.com udp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 45.141.159.64:80 infinity-cheats.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
SC 185.215.113.35:80 185.215.113.35 tcp
SC 185.215.113.35:80 185.215.113.35 tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
NL 37.0.10.199:80 file-file-host8.com tcp
DE 194.85.248.229:30260 tcp
MD 94.158.245.147:80 tcp
NL 195.133.18.126:80 195.133.18.126 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 rigtest123.chickenkiller.com udp
DE 194.85.248.229:30260 tcp
NL 45.144.225.160:25426 rigtest123.chickenkiller.com tcp
NL 23.42.193.68:443 tcp
MD 94.158.245.147:80 tcp

Files

memory/3104-116-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3104-117-0x0000000000402F47-mapping.dmp

memory/2756-118-0x0000000000030000-0x0000000000039000-memory.dmp

memory/3020-119-0x0000000000820000-0x0000000000836000-memory.dmp

memory/1580-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9074.exe

MD5 44c534a25397b6e564f7a1f1ade5c018
SHA1 8e2ae659ed82c0b586566a1aa5e5456931764d51
SHA256 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
SHA512 f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80

C:\Users\Admin\AppData\Local\Temp\9074.exe

MD5 44c534a25397b6e564f7a1f1ade5c018
SHA1 8e2ae659ed82c0b586566a1aa5e5456931764d51
SHA256 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
SHA512 f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80

memory/1580-123-0x00000000006F1000-0x0000000000702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9074.exe

MD5 44c534a25397b6e564f7a1f1ade5c018
SHA1 8e2ae659ed82c0b586566a1aa5e5456931764d51
SHA256 b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
SHA512 f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80

memory/3488-125-0x0000000000402F47-mapping.dmp

memory/3680-127-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A229.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

C:\Users\Admin\AppData\Local\Temp\A229.exe

MD5 bce50d5b17bb88f22f0000511026520d
SHA1 599aaed4ee72ec0e0fc4cada844a1c210e332961
SHA256 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
SHA512 c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

memory/4048-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A4BA.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

memory/3680-132-0x00000000006D8000-0x0000000000727000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4BA.exe

MD5 0cefed061e2a2241ecd302d7790a2f80
SHA1 5f119195af2db118c5fbac21634bea00f5d5b8da
SHA256 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983
SHA512 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

memory/4048-134-0x0000000003010000-0x0000000003055000-memory.dmp

memory/3680-135-0x0000000002060000-0x00000000020EF000-memory.dmp

memory/4048-136-0x00000000011F0000-0x0000000001259000-memory.dmp

memory/4048-137-0x0000000001350000-0x0000000001351000-memory.dmp

memory/4048-138-0x0000000077110000-0x00000000772D2000-memory.dmp

memory/4048-139-0x0000000074B00000-0x0000000074BF1000-memory.dmp

memory/4048-140-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/3680-142-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4048-143-0x00000000718E0000-0x0000000071960000-memory.dmp

memory/4048-144-0x0000000006060000-0x0000000006061000-memory.dmp

memory/4048-145-0x0000000005A70000-0x0000000005A71000-memory.dmp

memory/4048-146-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

memory/4048-147-0x0000000003920000-0x0000000003921000-memory.dmp

memory/4048-148-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

memory/4048-149-0x0000000074C00000-0x0000000075184000-memory.dmp

memory/4048-150-0x00000000754D0000-0x0000000076818000-memory.dmp

memory/4048-151-0x0000000005B10000-0x0000000005B11000-memory.dmp

memory/4048-153-0x000000006FB50000-0x000000006FB9B000-memory.dmp

memory/3020-152-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/4048-154-0x0000000006B70000-0x0000000006B71000-memory.dmp

memory/4048-155-0x0000000005E20000-0x0000000005E21000-memory.dmp

memory/4048-156-0x0000000005F40000-0x0000000005F41000-memory.dmp

memory/4048-157-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

memory/4048-158-0x0000000006A40000-0x0000000006A41000-memory.dmp

memory/4048-159-0x0000000007540000-0x0000000007541000-memory.dmp

memory/4048-160-0x0000000007C40000-0x0000000007C41000-memory.dmp

memory/1292-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DFDF.dll

MD5 a49d28798147cc039e3ac341044fe612
SHA1 b950324092db34ad2940560d85f07744dd9e5b0c
SHA256 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b
SHA512 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

C:\Users\Admin\AppData\Local\Temp\E3E8.exe

MD5 6beb00521639f19ea32c64a0799c79b4
SHA1 2d1993a460759b547655480c6aa1f709ca398f34
SHA256 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b
SHA512 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc

C:\Users\Admin\AppData\Local\Temp\E715.exe

MD5 5b2c1d9e7a4bd7d9bccdf7564550ed96
SHA1 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68
SHA256 c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6
SHA512 a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea

C:\Users\Admin\AppData\Local\Temp\F484.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe

MD5 2a03cd34f26826a94fde4103644c4223
SHA1 b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21
SHA256 bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd
SHA512 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

C:\Users\Admin\AppData\Local\Temp\F31.exe

MD5 9e4dba3e11969085a1165f18e84e7ff4
SHA1 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104
SHA256 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777
SHA512 c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d

C:\Users\Admin\AppData\Local\Temp\03795181499162622812

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\4D73.exe

MD5 dae9362b118838d3781ed2521e9a4b08
SHA1 cc5cb0931066b81ce1c07291262e95826bd1b515
SHA256 bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d
SHA512 d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 b49a31b6e3a6771dbfa29b309842ef4f
SHA1 6b837a896a3008be212e7a3e297859b06b1d22af
SHA256 066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81
SHA512 804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c151dd23d5eb723af7fcc4883bec332
SHA1 ce52f5782158957a951b2139a3c38bb7564bf248
SHA256 2759da416e94e32a97364e9936bc7482b0252e4983e847eb1180a4a2f30d1513
SHA512 a2492b434edef9187772a32f58891bf9364d1a7146a4896ab9b42864adcb35284fba8e74d487bebd962ce8199db79c23344a6acce5f549d072d3b3d01ba0c7f5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\E715.exe.log

MD5 8bdb3d1170d108853676265cb5793aa3
SHA1 84182d42c6ec440dd0d4fb1cab08c518e3ed0338
SHA256 828c382385d362c9c4420db3f89a0a7a8c14d2db929ab3957be44d993ac4d01f
SHA512 fd8448692c00d52805274d27dd526dcb887a5ba8a02133f26a19dd0d30a683b12715de804062b673f32caf42cdde21e03d2b7dc6005093d8672ebbe529c32f99
