Analysis Overview
SHA256
b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13
Threat Level: Known bad
The file b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
SmokeLoader
Raccoon
RedLine
Bazar Loader
Arkei
RedLine Payload
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Arkei Stealer Payload
Bazar/Team9 Loader payload
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Loads dropped DLL
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-07 20:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-07 20:13
Reported
2021-12-07 20:16
Platform
win10-en-20211014
Max time kernel
151s
Max time network
148s
Command Line
Signatures
Amadey
Arkei
Bazar Loader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\taskmanager.exe\"," | C:\Users\Admin\AppData\Local\Temp\E715.exe | N/A |
Raccoon
RedLine
RedLine Payload
SmokeLoader
Arkei Stealer Payload
Bazar/Team9 Loader payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Nirsoft
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A229.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4BA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E3E8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E715.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F484.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
Deletes itself
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\E715 = "\"C:\\Users\\Admin\\AppData\\Roaming\\E715.exe\"" | C:\Users\Admin\AppData\Local\Temp\E715.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4BA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E3E8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2756 set thread context of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe |
| PID 1580 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\9074.exe | C:\Users\Admin\AppData\Local\Temp\9074.exe |
| PID 1852 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\E715.exe | C:\Users\Admin\AppData\Local\Temp\E715.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9074.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9074.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9074.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\4D73.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9074.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A4BA.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E715.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
"C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"
C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe
"C:\Users\Admin\AppData\Local\Temp\b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13.exe"
C:\Users\Admin\AppData\Local\Temp\9074.exe
C:\Users\Admin\AppData\Local\Temp\9074.exe
C:\Users\Admin\AppData\Local\Temp\9074.exe
C:\Users\Admin\AppData\Local\Temp\9074.exe
C:\Users\Admin\AppData\Local\Temp\A229.exe
C:\Users\Admin\AppData\Local\Temp\A229.exe
C:\Users\Admin\AppData\Local\Temp\A4BA.exe
C:\Users\Admin\AppData\Local\Temp\A4BA.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DFDF.dll
C:\Users\Admin\AppData\Local\Temp\E3E8.exe
C:\Users\Admin\AppData\Local\Temp\E3E8.exe
C:\Users\Admin\AppData\Local\Temp\E715.exe
C:\Users\Admin\AppData\Local\Temp\E715.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping youtube.com
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" youtube.com
C:\Users\Admin\AppData\Local\Temp\F484.exe
C:\Users\Admin\AppData\Local\Temp\F484.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
C:\Users\Admin\AppData\Local\Temp\F31.exe
C:\Users\Admin\AppData\Local\Temp\F31.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
C:\Users\Admin\AppData\Local\Temp\4D73.exe
C:\Users\Admin\AppData\Local\Temp\4D73.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3904
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3056
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\E715.exe" -Force
C:\Users\Admin\AppData\Local\Temp\E715.exe
C:\Users\Admin\AppData\Local\Temp\E715.exe
Network
Files
memory/3104-116-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3104-117-0x0000000000402F47-mapping.dmp
memory/2756-118-0x0000000000030000-0x0000000000039000-memory.dmp
memory/3020-119-0x0000000000820000-0x0000000000836000-memory.dmp
memory/1580-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\9074.exe
| MD5 | 44c534a25397b6e564f7a1f1ade5c018 |
| SHA1 | 8e2ae659ed82c0b586566a1aa5e5456931764d51 |
| SHA256 | b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13 |
| SHA512 | f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80 |
C:\Users\Admin\AppData\Local\Temp\9074.exe
| MD5 | 44c534a25397b6e564f7a1f1ade5c018 |
| SHA1 | 8e2ae659ed82c0b586566a1aa5e5456931764d51 |
| SHA256 | b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13 |
| SHA512 | f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80 |
memory/1580-123-0x00000000006F1000-0x0000000000702000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9074.exe
| MD5 | 44c534a25397b6e564f7a1f1ade5c018 |
| SHA1 | 8e2ae659ed82c0b586566a1aa5e5456931764d51 |
| SHA256 | b2241fb99698ea3522b5222c80c6ebf5f2ed8f22484f453dc1d9a59d6ab1ca13 |
| SHA512 | f978b21f92ccf860955c11a2d7caf30a597a28fdea32d4e41b8c62970ec86a2583a592a54ec5bd881119dcbed546bda1d4c456ad315cee23c51860887f57fd80 |
memory/3488-125-0x0000000000402F47-mapping.dmp
memory/3680-127-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\A229.exe
| MD5 | bce50d5b17bb88f22f0000511026520d |
| SHA1 | 599aaed4ee72ec0e0fc4cada844a1c210e332961 |
| SHA256 | 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455 |
| SHA512 | c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536 |
C:\Users\Admin\AppData\Local\Temp\A229.exe
| MD5 | bce50d5b17bb88f22f0000511026520d |
| SHA1 | 599aaed4ee72ec0e0fc4cada844a1c210e332961 |
| SHA256 | 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455 |
| SHA512 | c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536 |
memory/4048-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\A4BA.exe
| MD5 | 0cefed061e2a2241ecd302d7790a2f80 |
| SHA1 | 5f119195af2db118c5fbac21634bea00f5d5b8da |
| SHA256 | 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983 |
| SHA512 | 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba |
memory/3680-132-0x00000000006D8000-0x0000000000727000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A4BA.exe
| MD5 | 0cefed061e2a2241ecd302d7790a2f80 |
| SHA1 | 5f119195af2db118c5fbac21634bea00f5d5b8da |
| SHA256 | 014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983 |
| SHA512 | 7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba |
memory/4048-134-0x0000000003010000-0x0000000003055000-memory.dmp
memory/3680-135-0x0000000002060000-0x00000000020EF000-memory.dmp
memory/4048-136-0x00000000011F0000-0x0000000001259000-memory.dmp
memory/4048-137-0x0000000001350000-0x0000000001351000-memory.dmp
memory/4048-138-0x0000000077110000-0x00000000772D2000-memory.dmp
memory/4048-139-0x0000000074B00000-0x0000000074BF1000-memory.dmp
memory/4048-140-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/3680-142-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4048-143-0x00000000718E0000-0x0000000071960000-memory.dmp
memory/4048-144-0x0000000006060000-0x0000000006061000-memory.dmp
memory/4048-145-0x0000000005A70000-0x0000000005A71000-memory.dmp
memory/4048-146-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
memory/4048-147-0x0000000003920000-0x0000000003921000-memory.dmp
memory/4048-148-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
memory/4048-149-0x0000000074C00000-0x0000000075184000-memory.dmp
memory/4048-150-0x00000000754D0000-0x0000000076818000-memory.dmp
memory/4048-151-0x0000000005B10000-0x0000000005B11000-memory.dmp
memory/4048-153-0x000000006FB50000-0x000000006FB9B000-memory.dmp
memory/3020-152-0x0000000002A10000-0x0000000002A26000-memory.dmp
memory/4048-154-0x0000000006B70000-0x0000000006B71000-memory.dmp
memory/4048-155-0x0000000005E20000-0x0000000005E21000-memory.dmp
memory/4048-156-0x0000000005F40000-0x0000000005F41000-memory.dmp
memory/4048-157-0x0000000005EA0000-0x0000000005EA1000-memory.dmp
memory/4048-158-0x0000000006A40000-0x0000000006A41000-memory.dmp
memory/4048-159-0x0000000007540000-0x0000000007541000-memory.dmp
memory/4048-160-0x0000000007C40000-0x0000000007C41000-memory.dmp
memory/1292-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DFDF.dll
| MD5 | a49d28798147cc039e3ac341044fe612 |
| SHA1 | b950324092db34ad2940560d85f07744dd9e5b0c |
| SHA256 | 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b |
| SHA512 | 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a |
\Users\Admin\AppData\Local\Temp\DFDF.dll
| MD5 | a49d28798147cc039e3ac341044fe612 |
| SHA1 | b950324092db34ad2940560d85f07744dd9e5b0c |
| SHA256 | 17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b |
| SHA512 | 6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a |
memory/1488-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E3E8.exe
| MD5 | 6beb00521639f19ea32c64a0799c79b4 |
| SHA1 | 2d1993a460759b547655480c6aa1f709ca398f34 |
| SHA256 | 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b |
| SHA512 | 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc |
C:\Users\Admin\AppData\Local\Temp\E3E8.exe
| MD5 | 6beb00521639f19ea32c64a0799c79b4 |
| SHA1 | 2d1993a460759b547655480c6aa1f709ca398f34 |
| SHA256 | 7ee5247dc27418f26e7efe0e84b82e0962d3989851fbae2954f62468e8c7e96b |
| SHA512 | 6a59f050fe30ec2c2d7bb427b315b737c56a8143b23f340799e95ba3c8057a813b442f8eb88d03048cc36bba7d0b4cdf15306c896959fefe264ed874267f99cc |
memory/1488-167-0x0000000000C50000-0x0000000000D02000-memory.dmp
memory/1488-168-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/1488-169-0x0000000077110000-0x00000000772D2000-memory.dmp
memory/1488-170-0x00000000027E0000-0x0000000002825000-memory.dmp
memory/1488-171-0x0000000074B00000-0x0000000074BF1000-memory.dmp
memory/1488-172-0x0000000000C50000-0x0000000000C51000-memory.dmp
memory/1488-174-0x0000000073AF0000-0x0000000073B70000-memory.dmp
memory/1852-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E715.exe
| MD5 | 5b2c1d9e7a4bd7d9bccdf7564550ed96 |
| SHA1 | 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68 |
| SHA256 | c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6 |
| SHA512 | a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea |
C:\Users\Admin\AppData\Local\Temp\E715.exe
| MD5 | 5b2c1d9e7a4bd7d9bccdf7564550ed96 |
| SHA1 | 2f9c432bdaeaa0465cd4b34dc83e1272180e5a68 |
| SHA256 | c5064496d5667e5849a36c5205d28bb0a973fbcac1d320ca13f814e9c82c8ce6 |
| SHA512 | a1a2c91d02e787b9b16bb285f0f7a73295462d341792dd8304f03a9221b3660a62f1bfb5d1e6e6f1e6bcacfed26f4b74c9341ce7ceccefca6662daf7fd5d86ea |
memory/1852-182-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1488-184-0x0000000074C00000-0x0000000075184000-memory.dmp
memory/1488-185-0x00000000754D0000-0x0000000076818000-memory.dmp
memory/1488-186-0x00000000054E0000-0x00000000054E1000-memory.dmp
memory/1488-187-0x0000000005460000-0x0000000005461000-memory.dmp
memory/1852-188-0x000000001BEF0000-0x000000001BEF2000-memory.dmp
memory/1488-189-0x000000006FD20000-0x000000006FD6B000-memory.dmp
memory/3980-190-0x0000000000000000-mapping.dmp
memory/3980-191-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-192-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-193-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-194-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-195-0x0000025770F50000-0x0000025770F52000-memory.dmp
memory/3980-196-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-198-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-197-0x0000025770F53000-0x0000025770F55000-memory.dmp
memory/3980-199-0x0000025770E60000-0x0000025770E61000-memory.dmp
memory/3980-200-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-201-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-202-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-203-0x0000025773B80000-0x0000025773B81000-memory.dmp
memory/1936-204-0x0000000000000000-mapping.dmp
memory/4032-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F484.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/4032-209-0x0000000001F80000-0x0000000001FB9000-memory.dmp
memory/4032-210-0x0000000000400000-0x000000000045E000-memory.dmp
memory/3128-211-0x0000000000000000-mapping.dmp
memory/3696-212-0x0000000000000000-mapping.dmp
memory/2660-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
| MD5 | 2a03cd34f26826a94fde4103644c4223 |
| SHA1 | b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21 |
| SHA256 | bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd |
| SHA512 | 7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe |
memory/3616-215-0x0000000000000000-mapping.dmp
memory/2436-216-0x0000000000000000-mapping.dmp
memory/3980-217-0x0000025757060000-0x0000025757062000-memory.dmp
memory/3980-218-0x0000025770F56000-0x0000025770F58000-memory.dmp
memory/1852-219-0x000000001E7E0000-0x000000001E8A8000-memory.dmp
memory/3040-220-0x0000000000000000-mapping.dmp
memory/1580-221-0x0000000000000000-mapping.dmp
memory/2828-222-0x0000000000000000-mapping.dmp
memory/1852-223-0x000000001BEF2000-0x000000001BEF4000-memory.dmp
memory/1208-224-0x0000000000000000-mapping.dmp
memory/3016-225-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F31.exe
| MD5 | 9e4dba3e11969085a1165f18e84e7ff4 |
| SHA1 | 464b907fc67e2bc4979b5f09b45e8aa2d9b5e104 |
| SHA256 | 459a8cb0d9f38838862fa7a90acdb8a4fb5a86940bcd3a5e9c8a1809725bb777 |
| SHA512 | c8aa6dc2343e6bbc72db8bb4e8acd35503d402b95cf7f66c267c9a404f18657c6f5852607759866563f30e90f0f1474d9a7b0d366de612da51c10ebbd9b3ca4d |
memory/3544-226-0x0000000000000000-mapping.dmp
memory/3544-230-0x0000000000508000-0x0000000000526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1636-233-0x0000000000000000-mapping.dmp
memory/1708-232-0x0000000000000000-mapping.dmp
memory/2540-234-0x0000000000000000-mapping.dmp
memory/3544-235-0x0000000000460000-0x000000000050E000-memory.dmp
memory/3544-236-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2976-237-0x0000000000000000-mapping.dmp
memory/3016-239-0x0000000000520000-0x00000000005AF000-memory.dmp
memory/3016-240-0x0000000000400000-0x0000000000515000-memory.dmp
memory/1292-242-0x00000000011D0000-0x00000000011D2000-memory.dmp
memory/1292-241-0x00000000011D0000-0x00000000011D2000-memory.dmp
memory/1292-243-0x0000000000E80000-0x0000000000EC0000-memory.dmp
memory/2476-244-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4D73.exe
| MD5 | dae9362b118838d3781ed2521e9a4b08 |
| SHA1 | cc5cb0931066b81ce1c07291262e95826bd1b515 |
| SHA256 | bc5b78247fad9bece339750bd83fe5bc84c6f0d72bfa05be543e0116d9f6ac1d |
| SHA512 | d576cba6bdf98b5a7ded33adc6d161639c43b02a4bd206c3b13cf3632391a958d1697e00746bc2a1e243fe77d906ee8587d16f0d8ee267c5326902377b9c4fb2 |
memory/2476-247-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-248-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-250-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-251-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-249-0x0000000000900000-0x00000000009AE000-memory.dmp
memory/2476-253-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/2476-252-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-254-0x0000000077110000-0x00000000772D2000-memory.dmp
memory/2476-255-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-256-0x00000000011E0000-0x00000000015AB000-memory.dmp
memory/2476-264-0x00000000772E0000-0x000000007746E000-memory.dmp
memory/3776-263-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2476-265-0x00000000011E0000-0x00000000015AB000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
| MD5 | 17fc12902f4769af3a9271eb4e2dacce |
| SHA1 | 9a4a1581cc3971579574f837e110f3bd6d529dab |
| SHA256 | 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b |
| SHA512 | 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a |
memory/3904-270-0x0000000000000000-mapping.dmp
memory/816-273-0x0000000000000000-mapping.dmp
memory/3056-275-0x0000000000000000-mapping.dmp
memory/2652-277-0x0000000000000000-mapping.dmp
memory/3416-279-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | b49a31b6e3a6771dbfa29b309842ef4f |
| SHA1 | 6b837a896a3008be212e7a3e297859b06b1d22af |
| SHA256 | 066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81 |
| SHA512 | 804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c151dd23d5eb723af7fcc4883bec332 |
| SHA1 | ce52f5782158957a951b2139a3c38bb7564bf248 |
| SHA256 | 2759da416e94e32a97364e9936bc7482b0252e4983e847eb1180a4a2f30d1513 |
| SHA512 | a2492b434edef9187772a32f58891bf9364d1a7146a4896ab9b42864adcb35284fba8e74d487bebd962ce8199db79c23344a6acce5f549d072d3b3d01ba0c7f5 |
memory/3416-294-0x00000238F4A90000-0x00000238F4A92000-memory.dmp
memory/3416-295-0x00000238F4A93000-0x00000238F4A95000-memory.dmp
memory/1992-299-0x0000000140000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\E715.exe.log
| MD5 | 8bdb3d1170d108853676265cb5793aa3 |
| SHA1 | 84182d42c6ec440dd0d4fb1cab08c518e3ed0338 |
| SHA256 | 828c382385d362c9c4420db3f89a0a7a8c14d2db929ab3957be44d993ac4d01f |
| SHA512 | fd8448692c00d52805274d27dd526dcb887a5ba8a02133f26a19dd0d30a683b12715de804062b673f32caf42cdde21e03d2b7dc6005093d8672ebbe529c32f99 |
memory/1992-309-0x000000001C810000-0x000000001C812000-memory.dmp
memory/1852-308-0x000000001BEF4000-0x000000001BEF5000-memory.dmp
memory/3416-324-0x00000238F4A98000-0x00000238F4A99000-memory.dmp
memory/3416-323-0x00000238F4A96000-0x00000238F4A98000-memory.dmp