Malware Analysis Report

2025-06-16 05:10

Sample ID 220419-eqhzksbagk
Target 1.exezeakapqe
SHA256 3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3
Tags
arkei redline smokeloader @chelnevreya default install test run agilenet backdoor discovery infostealer persistence spyware stealer suricata trojan vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3927d5f26c91ddb637336063ef3a8c744ff1a65bdff6a92b2632e3f2fc2f75e3

Threat Level: Known bad

The file 1.exezeakapqe was found to be: Known bad.

Malicious Activity Summary

arkei redline smokeloader @chelnevreya default install test run agilenet backdoor discovery infostealer persistence spyware stealer suricata trojan vmprotect

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Modifies WinLogon for persistence

RedLine Payload

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4

RedLine

Arkei

SmokeLoader

VMProtect packed file

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Views/modifies file attributes

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-19 04:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-19 04:08

Reported

2022-04-19 04:11

Platform

win7-20220414-en

Max time kernel

44s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:80 | transfer.sh | tcp
DE | 144.76.136.153:443 | transfer.sh | tcp

Files

memory/1564-54-0x0000000000060000-0x00000000000C6000-memory.dmp

memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

memory/1564-56-0x0000000004825000-0x0000000004836000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-19 04:08

Reported

2022-04-19 04:11

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

Arkei

stealer arkei

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\qrbwrwqwx.exe\"," | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

RedLine

infostealer redline

RedLine Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA Environment Variable M4

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

Downloads MZ/PE file

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\90DA.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\services32.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8CA3.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A
File opened for modification | C:\Windows\system32\services32.exe | C:\Users\Admin\AppData\Local\Temp\fl.exe | N/A
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | C:\Windows\system32\services32.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8CA3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8CA3.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9540.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 4628 wrote to memory of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe
PID 3032 wrote to memory of 3680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe
PID 3032 wrote to memory of 3680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe
PID 3032 wrote to memory of 3680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe
PID 3032 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe
PID 3032 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe
PID 3032 wrote to memory of 2904 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe
PID 3680 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3680 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3680 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3680 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3680 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Local\Temp\79A4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 5084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe
PID 3032 wrote to memory of 5084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe
PID 3032 wrote to memory of 5084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe
PID 2904 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2904 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2904 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2904 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2904 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\7DDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5084 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5084 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5084 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5084 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5084 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\835B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 1896 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8CA3.exe
PID 3032 wrote to memory of 1896 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8CA3.exe
PID 3032 wrote to memory of 1896 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8CA3.exe
PID 3032 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90DA.exe
PID 3032 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90DA.exe
PID 3032 wrote to memory of 2564 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90DA.exe
PID 3032 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9540.exe
PID 3032 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9540.exe
PID 3032 wrote to memory of 1692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9540.exe
PID 3032 wrote to memory of 4824 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 4824 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 4824 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 4824 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 2564 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\90DA.exe | C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\90DA.exe | C:\Windows\system32\cmd.exe
PID 3032 wrote to memory of 1776 | N/A | N/A | C:\Windows\explorer.exe
PID 3032 wrote to memory of 1776 | N/A | N/A | C:\Windows\explorer.exe
PID 3032 wrote to memory of 1776 | N/A | N/A | C:\Windows\explorer.exe
PID 4552 wrote to memory of 3176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 4552 wrote to memory of 3176 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 4552 wrote to memory of 2024 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2024 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2832 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 3032 wrote to memory of 5016 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 5016 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 5016 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3032 wrote to memory of 5016 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 4552 wrote to memory of 3200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 3200 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4552 wrote to memory of 2268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\1.exe

C:\Users\Admin\AppData\Local\Temp\79A4.exe

C:\Users\Admin\AppData\Local\Temp\79A4.exe

C:\Users\Admin\AppData\Local\Temp\7DDC.exe

C:\Users\Admin\AppData\Local\Temp\7DDC.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\835B.exe

C:\Users\Admin\AppData\Local\Temp\835B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

C:\Users\Admin\AppData\Local\Temp\90DA.exe

C:\Users\Admin\AppData\Local\Temp\90DA.exe

C:\Users\Admin\AppData\Local\Temp\9540.exe

C:\Users\Admin\AppData\Local\Temp\9540.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p96837877381925591435828468 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_10.zip -oextracted

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "hire.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\main\hire.exe

"hire.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\fl.exe

"C:\Users\Admin\AppData\Local\Temp\fl.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SYSTEM32\cmd.exe

"cmd" cmd /c "C:\Windows\system32\services32.exe"

C:\Windows\system32\services32.exe

C:\Windows\system32\services32.exe

C:\Windows\system32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

"C:\Users\Admin\AppData\Local\Temp\8CA3.exe"

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Users\Admin\AppData\Local\Temp\9540.exe

"C:\Users\Admin\AppData\Local\Temp\9540.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8CA3.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network

Country | Destination | Domain | Proto
US | 20.96.63.25:443 | | tcp
US | 20.96.63.25:443 | | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:80 | transfer.sh | tcp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 20.44.10.122:443 | | tcp
US | 8.8.8.8:53 | hydroxychl0roquine.xyz | udp
NL | 37.0.10.25:80 | hydroxychl0roquine.xyz | tcp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | is.gd | udp
US | 104.25.234.53:443 | is.gd | tcp
NL | 8.248.7.254:80 | | tcp
NL | 212.192.246.121:80 | 212.192.246.121 | tcp
RU | 46.8.220.88:65531 | | tcp
RU | 46.8.220.88:65531 | | tcp
RU | 46.8.220.88:65531 | | tcp
RU | 193.150.103.38:40169 | | tcp
NL | 8.248.7.254:80 | | tcp
US | 8.8.8.8:53 | dl.uploadgram.me | udp
DE | 176.9.247.226:443 | dl.uploadgram.me | tcp
FR | 2.58.56.219:39064 | | tcp
RU | 92.119.160.244:80 | 92.119.160.244 | tcp

Files

memory/4628-130-0x0000000000F80000-0x0000000000FE6000-memory.dmp

memory/4628-131-0x000000000A360000-0x000000000A904000-memory.dmp

memory/4628-132-0x0000000005970000-0x0000000005A02000-memory.dmp

memory/4628-133-0x0000000005B20000-0x0000000005B2A000-memory.dmp

memory/3876-134-0x0000000000000000-mapping.dmp

memory/3876-135-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3876-136-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3032-137-0x00000000033D0000-0x00000000033E6000-memory.dmp

memory/3680-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\79A4.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/3680-141-0x0000000000580000-0x0000000000746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79A4.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/2904-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7DDC.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/3680-144-0x0000000000580000-0x0000000000746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DDC.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/2904-146-0x0000000000A80000-0x0000000000C46000-memory.dmp

memory/3668-147-0x0000000000000000-mapping.dmp

memory/3668-148-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2904-153-0x0000000000A80000-0x0000000000C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\835B.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/5084-154-0x0000000000000000-mapping.dmp

memory/5084-157-0x0000000000460000-0x0000000000626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\835B.exe

MD5 da31f971f1f97923faf839a21b97c77e
SHA1 605a73437a1ef081a1896f39abb47435b4db55bd
SHA256 36f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512 dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858

memory/3668-158-0x0000000005B00000-0x0000000006118000-memory.dmp

memory/3668-159-0x00000000055A0000-0x00000000055B2000-memory.dmp

memory/4896-160-0x0000000000000000-mapping.dmp

memory/3668-162-0x00000000056D0000-0x00000000057DA000-memory.dmp

memory/2904-168-0x00000000006E3000-0x00000000006E5000-memory.dmp

memory/5084-166-0x0000000000460000-0x0000000000626000-memory.dmp

memory/3668-169-0x0000000005600000-0x000000000563C000-memory.dmp

memory/2236-170-0x0000000000000000-mapping.dmp

memory/1896-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

MD5 bb4ce5daeb417b865c58aee98da5b5b8
SHA1 2c956c78187157cf9b846af318c1f9ee2dca7b2a
SHA256 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2
SHA512 a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

MD5 bb4ce5daeb417b865c58aee98da5b5b8
SHA1 2c956c78187157cf9b846af318c1f9ee2dca7b2a
SHA256 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2
SHA512 a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

memory/1896-179-0x00000000005C0000-0x00000000006A8000-memory.dmp

memory/1896-180-0x00000000050C0000-0x000000000515C000-memory.dmp

memory/2564-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\90DA.exe

MD5 59fe49e18a0d7e34c341039b9e201a1b
SHA1 4dcff49906fc3edc5f56597ad5603de95406bd42
SHA256 2c03b271f9f6870ba2d36e812d737d841b3fec61d0f1404271af57cfee4610a8
SHA512 0f16da2dc9dee0e4779bcfb6cefb06be083ea1cc0c96ae3faa168d3c403f5ebfc8db116159112c25cc491544e355f4c777ff3d9d328794dfc5402e32e1403de5

C:\Users\Admin\AppData\Local\Temp\90DA.exe

MD5 59fe49e18a0d7e34c341039b9e201a1b
SHA1 4dcff49906fc3edc5f56597ad5603de95406bd42
SHA256 2c03b271f9f6870ba2d36e812d737d841b3fec61d0f1404271af57cfee4610a8
SHA512 0f16da2dc9dee0e4779bcfb6cefb06be083ea1cc0c96ae3faa168d3c403f5ebfc8db116159112c25cc491544e355f4c777ff3d9d328794dfc5402e32e1403de5

memory/1692-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9540.exe

MD5 33064856b502dff3ad77d3efebe3fb7a
SHA1 0431b2ca039455d2858792b42f73f19972f6c3aa
SHA256 84520a2aae782df51d6217b686dabfdde03fca8b0df25099c68cc2c80d7d7f79
SHA512 d2b840e571a94aaa1f2908d9b9920c7ea261fc5702cc297dc464b69098667229d7f8e043b2aec2f8e0c063a09462cffec3cbb5112336ead639d3558a82389929

C:\Users\Admin\AppData\Local\Temp\9540.exe

MD5 33064856b502dff3ad77d3efebe3fb7a
SHA1 0431b2ca039455d2858792b42f73f19972f6c3aa
SHA256 84520a2aae782df51d6217b686dabfdde03fca8b0df25099c68cc2c80d7d7f79
SHA512 d2b840e571a94aaa1f2908d9b9920c7ea261fc5702cc297dc464b69098667229d7f8e043b2aec2f8e0c063a09462cffec3cbb5112336ead639d3558a82389929

memory/1692-187-0x0000000000C20000-0x0000000000CD4000-memory.dmp

memory/4824-188-0x0000000000000000-mapping.dmp

memory/4552-189-0x0000000000000000-mapping.dmp

memory/1776-190-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 23310452faa9573058dd95589abe54d5
SHA1 ca087de5446a1b4829f6b8859a60fd3659acab1b
SHA256 0a22af544e8bc2a875a2250aaa7e8e4fa6a80db07ed445a3eae66e139f557e3f
SHA512 d7c69f625e1f67fc44701701b4d42dfb438938070906c24ca696f42c750ef56ff8767d13248c09311a3960f443d8e874e38c1e4895ff16ee2ec6dc50db8dc383

memory/3176-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 7652cbda786d25849465df3a97c7734c
SHA1 c032fa46d521ac3600aecfc0834d5b9e9ee01eb4
SHA256 3a36e2a92498bd67a995494a824530bc21af69f12a2096f3936c1690689c9bcc
SHA512 0231e513358a448a35f6c20ee2e258f548875fdf96d19b6802cdeaa2e063750a1a336a418a0099747fe6bb9edd21ba00f7d7a08afeacc375ac5eaa82ed11b163

memory/2024-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

memory/2832-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

MD5 39310851cf735eb4c44bec45e7b52f56
SHA1 6c252ec2888666fa7291b308b5ca81d671ee8cb2
SHA256 1604e7fef8cc5e57b2bd27f157c109d457abb71f83523be6a5d3d52c328a3e22
SHA512 efa080e1fb5091904b17c9e26dc9f9659166b53dea38e6c014d951a3f3af3554e86b49d3fec7bdca9890831f64b667f70eb740fffe942fa0644de5966dac6476

memory/5016-202-0x0000000000000000-mapping.dmp

memory/3200-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

MD5 e099eeccef9a744d937027fff0494bf4
SHA1 de556ac552a015dde90391ea36753cd356b9a712
SHA256 918af62ee7bfdf7828788247dbec453d91dbefdc0371e2331870fde23b9c1bdb
SHA512 321197e937f5ec595af2dcc7344ccb8f10299a0f94408d57a9da0c7f0832f6698d70b375a8da3c4a21c27acd988f2e161d1d92c93aec0c9bbc7ecf86b9660467

memory/2096-207-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

MD5 7886946b4ef0e55bd5cc6fbc39ca3155
SHA1 1a8d82ba47842c038170b8136af62f3591b8ebd9
SHA256 26a8c1b5f0165b32a3b64940123913587c8545c085f1742da7569981de96e2a7
SHA512 8671edfddd4e1a0948c4e04026a2532ae6319d45c1b58e248f0faf41c96bbdfd4442d01be5a6e20711e817c9dfb5f15cc44de27839754f8803336ee1b00512bb

memory/2268-211-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 bbae2a6a6e1d982f12ed3e1b07bb853d
SHA1 ac4a1312148b15f14f987e73dce9a8d51240ee54
SHA256 cc8967c77f6688d5924a4bdf4f6b85a277beabf2d22084eedc10b746475ee816
SHA512 e9014c834541b55284ae58f864ad1e5e723c4cc1022a8462affe46bd3b5a5142e656fa30e93d287d3823712c9b25b625ba86fd4cda1c4f90a78983c291a0660d

memory/4288-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 d0636c61c69dc5105ff387bce4e94664
SHA1 e95ff25907848e380b872defef189670cf887399
SHA256 bfaa59e4f3fe92d28c60360a01edc98b65416d799e1c7fcc1704d656c07ae89b
SHA512 94efc4b118bb6dbb0d19d436ae5621fa1251e920cda7d0c9c43127d96279656e00403f41e268e3d78c87521f28179ecbf7c318f86ddba071fd0a87e265f2779f

memory/2816-219-0x0000000000000000-mapping.dmp

memory/3668-221-0x0000000005930000-0x0000000005996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 0cccbed96119ca7d63ddb52bd30d3237
SHA1 cb16b5288f7798dcb506c5dfe7ac5b5d163a23ca
SHA256 41fb5c18901ea46678070a748bfbd78852ceacc50e8d83f7fcafad5c6a5682f0
SHA512 490eedf17541fc4b5f761e3575644c7cb4461b0fd49482020534ceb54d68c62be4a70f897c288a46c6450d4c4b82467fc39130b79c8a6ea2c825ae226cf3887a

memory/2368-224-0x0000000000000000-mapping.dmp

memory/2508-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 101e6ca25c3c06778d7b6ebd1b08a2f9
SHA1 2721161c15c19a0d95a292b0f1df35a318637619
SHA256 33a661b87c7687d558d9f0eb137ee33f45b1a40d4619631c1338358e9fa1e597
SHA512 6a30d7ce5c476ddf7df2197ffdebb81a36404bcb84b63ec04605243b9893a7349cf885480ccc70a254a1b2d74f1ed7f158cf0c58f7018c32a13f65d762cde817

memory/3512-229-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 f26147e97764126d6e9ba110f95ca85b
SHA1 219f2548f4881a81c4ea68c78f7bf10f025a9034
SHA256 d61fd6fd4576641a58d86fbbc228367b31ba38631a99ba35d8b3a3c45d8c44a5
SHA512 e283e077151d15cd29f198290c423abb4300312134d0057a0b37ea73bc067a6026af01b0d6bbef5c00485d8d4c5c823400ec6ce64047307152a51337a89de80d

memory/3192-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 c67927df1f6589561a638767efb6dd72
SHA1 184cf259595c35ff6a45dc834fce589c1496694c
SHA256 7f6445e0c575ef209c4ae787c56fd89806320dc4b0903ea2f1a1c33f6b117f74
SHA512 c20cb8a6ad0ac996cd9711bc7acca235a93f63572d1175518057ad243c392dba55661fea6a6318031d5bc9aa23a7406cbcbb4c6a5bd16cf14567ed1be636aa72

memory/4896-238-0x0000000005D40000-0x0000000005DB6000-memory.dmp

memory/4428-237-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 dca60c629952ec7a5a4d36965f5b20c6
SHA1 9d612cca5ba683bf9c8515eab264a38b03403870
SHA256 bef44d7d8f627d2ff2e829614b3439cc71be4d18a1760b076f61fd9d2366f3b7
SHA512 41a3ef66b0b62ea5678a358628890e9f127181ee6a8ac7895325d305997e3b6c41a1ebef493d895a47e2b60c3b4434d3f22b467c25b8efb444adc0b27f9ab996

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 c21255332a07477b3878619d85ae1504
SHA1 72310b5ef8dce97aa730b95bd8ad1d717720d262
SHA256 b48fbb856072b5fe578adc21a99e2d07ee631506e8aa0af7e08a468e50d53701
SHA512 6b4b02ee1a8dab23d61ddbc443dcfc66b1e4169bc5a0f9f1bdb617ea56f40473671629cf9229923ae55551f85a84552640af692890f5262133ab6c0aa4424582

C:\Users\Admin\AppData\Local\Temp\main\extracted\hire.exe

MD5 996fdc6ba853d25224d6f608ea28cc15
SHA1 0a6cdd4c1450ceafd82644b7fbb9aafb845033e4
SHA256 cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2
SHA512 0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2

memory/4896-244-0x0000000006130000-0x000000000614E000-memory.dmp

memory/2084-245-0x0000000000000000-mapping.dmp

memory/2808-246-0x0000000000000000-mapping.dmp

memory/2764-247-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\main\hire.exe

MD5 996fdc6ba853d25224d6f608ea28cc15
SHA1 0a6cdd4c1450ceafd82644b7fbb9aafb845033e4
SHA256 cddb3040a3feb3dd11945f4bb2e5ec21754d0f1ac8eb47644f5aaada8136a7d2
SHA512 0c720655d076f193d927c54467ce3b4c4942ef705a09fe97055cbc20cf11464437b6a51427ec4872c458096bdb84a82f7e67c8338953a5b27ce7bc779a50b0a2

memory/2764-249-0x0000000000540000-0x000000000055C000-memory.dmp

memory/2060-250-0x0000000000000000-mapping.dmp

memory/4052-251-0x0000000000000000-mapping.dmp

memory/2764-252-0x00000000067D0000-0x0000000006820000-memory.dmp

memory/4828-253-0x0000000000000000-mapping.dmp

memory/2236-254-0x0000000007B50000-0x0000000007D12000-memory.dmp

memory/2236-255-0x0000000008250000-0x000000000877C000-memory.dmp

memory/4480-256-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 0f83894121cb6a3d365b95a503e80ed9
SHA1 cd740a5b7125eb905de5fad818b199e1a3109aa1
SHA256 20055507b28f40d276c9b720848c5a29b2a7adc8128941cd5e344a7c71b7e273
SHA512 1e56c49c3f0173954421a9adebd1cb1d18dc1bcf7381f1f3e5bf487f9639cdffdb0a9be34354b0ec229369a351ba52efc96f3566b7d64ddea8462e5e67932651

memory/4628-258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fl.exe

MD5 931d0b427c55a43c305981874d5f988e
SHA1 fcee465b79be88818308f6f5adf93767b475919e
SHA256 ccb8766fcff473f20faaf8b7896e5fbfd2ee96372d1a5fd9e0f32d3f6f83a021
SHA512 b6bb7ca8b6edcd49de5626dbfdc5796e328edaacca19b3963975717f942b1306c852435f29d8849be3f02ef67977c773efcb5a1560cb8ab82833eb5a669a3d95

memory/4628-261-0x0000000000750000-0x0000000000F6A000-memory.dmp

memory/4628-262-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/4628-265-0x0000000001DD0000-0x0000000001DE2000-memory.dmp

memory/3828-266-0x0000000000000000-mapping.dmp

memory/3836-267-0x0000000000000000-mapping.dmp

memory/3836-268-0x0000025BE04C0000-0x0000025BE04E2000-memory.dmp

memory/4152-269-0x0000000000000000-mapping.dmp

memory/4116-270-0x0000000000000000-mapping.dmp

memory/3836-271-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/3740-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

memory/3740-275-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/4836-276-0x0000000000000000-mapping.dmp

C:\Windows\System32\services32.exe

MD5 931d0b427c55a43c305981874d5f988e
SHA1 fcee465b79be88818308f6f5adf93767b475919e
SHA256 ccb8766fcff473f20faaf8b7896e5fbfd2ee96372d1a5fd9e0f32d3f6f83a021
SHA512 b6bb7ca8b6edcd49de5626dbfdc5796e328edaacca19b3963975717f942b1306c852435f29d8849be3f02ef67977c773efcb5a1560cb8ab82833eb5a669a3d95

memory/2260-277-0x0000000000000000-mapping.dmp

C:\Windows\system32\services32.exe

MD5 931d0b427c55a43c305981874d5f988e
SHA1 fcee465b79be88818308f6f5adf93767b475919e
SHA256 ccb8766fcff473f20faaf8b7896e5fbfd2ee96372d1a5fd9e0f32d3f6f83a021
SHA512 b6bb7ca8b6edcd49de5626dbfdc5796e328edaacca19b3963975717f942b1306c852435f29d8849be3f02ef67977c773efcb5a1560cb8ab82833eb5a669a3d95

memory/2260-280-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/1876-283-0x0000000000000000-mapping.dmp

memory/5060-284-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

memory/5060-286-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/3756-287-0x0000000000000000-mapping.dmp

memory/3756-288-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2380-289-0x0000000000000000-mapping.dmp

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

MD5 bd21473d17003fa64e3443fda975ee31
SHA1 b4fd94112e248ba1d12cdfdd03c3ff2544216031
SHA256 02101055d10972173cd1247a298473a4b104a6e4acd2179d3feedc19dd9d599a
SHA512 5b6810cd4a2e67b7b66d0a4ce257a957876d546d685d7d866c0ceb93bda99264c50a2b0c28e0de90c57940c169b90e39aa4d5a667801c2a0dacff56f2531d61a

memory/2380-295-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

memory/3756-294-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

MD5 bd21473d17003fa64e3443fda975ee31
SHA1 b4fd94112e248ba1d12cdfdd03c3ff2544216031
SHA256 02101055d10972173cd1247a298473a4b104a6e4acd2179d3feedc19dd9d599a
SHA512 5b6810cd4a2e67b7b66d0a4ce257a957876d546d685d7d866c0ceb93bda99264c50a2b0c28e0de90c57940c169b90e39aa4d5a667801c2a0dacff56f2531d61a

C:\Users\Admin\AppData\Local\Temp\8CA3.exe

MD5 bb4ce5daeb417b865c58aee98da5b5b8
SHA1 2c956c78187157cf9b846af318c1f9ee2dca7b2a
SHA256 185016d4e5de1f766803ab7c5a5d05475ea38484551f3d500f6074883823d2b2
SHA512 a8c2563875c71f644a453bbf860e8d2ee9778de3c45e664c43fb2a77ff56934f153e5a39bf08d02f8a5a1b4a7594d75a75ab795fd1e49402f8b9b8ed0c77a58a

memory/3756-297-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2380-296-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

memory/4456-298-0x0000000000000000-mapping.dmp

memory/3352-299-0x0000000000000000-mapping.dmp

memory/3352-300-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a4825f4f95c5d3d72911c6e7eb902ca
SHA1 4c22133f24e77211313beb0831980029a53e7dde
SHA256 59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0
SHA512 8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386

memory/4456-303-0x00007FFE58110000-0x00007FFE58BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9540.exe.log

MD5 d95b93a855f3e54144996d8161bf8d24
SHA1 2ffa482f6b897d8b52218b7f16fd9ece35592ef9
SHA256 4f7982843d7a822ce15cf5fe8fd3cb39fdcce3660f2bba0cda1e61dc9356cd3b
SHA512 967d6643c1ad4e6d266e8c711febbb3dd6123d1c62d8317327c96f71f2cc288dcb4bc812cbfdb6ef4e5aaaaa042666c429815eb759629e0e542b213dec27f233

memory/3756-305-0x0000000060900000-0x0000000060992000-memory.dmp

memory/2040-324-0x0000000000000000-mapping.dmp

memory/2248-325-0x0000000000000000-mapping.dmp