0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93

General

Target: 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
Filesize: 290KB
Completed: 24-12-2021 12:34
Score: 10/10
MD5: ae61ae9f1f366b30617c7dc04f43b905
SHA1: f0cafe847a308966c9b1cd71054df971f4639bc4
SHA256: 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93

Malware Config

Extracted
Family: smokeloader
Version: 2020
C2:
http://host-data-coin-11.com/
http://file-coin-host-12.com/
rc4.i32: (two entries; values not shown on this page)

Extracted
Family: redline
Botnet: 1
C2:
86.107.197.138:38133

Extracted
Family: amadey
Version: 3.01
C2:
185.215.113.35/d2VxjasuwS/index.php

Extracted
Family: amadey
Version: 2.86
C2:
2.56.56.210/notAnoob/index.php
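The four configs above spell their C2 in three different ways: a full http URL (SmokeLoader), a bare host:port for a raw TCP channel (RedLine), and host/path with no scheme (Amadey, which checks in over plain HTTP to index.php). The following Python is an added example, not part of the sandbox report: it normalises those strings into host/port/path indicators and matches them against proxy-log lines. The log lines and their "ts src -> dst:port method url" layout are constructed for the example and are not from the run.

```python
"""Added example (not part of the sandbox report): normalise the C2 strings
from the extracted configs above and match them against proxy-log lines.
The log lines and their format are constructed for illustration."""
import re
from urllib.parse import urlsplit

# C2 values copied verbatim from the Malware Config section above.
CONFIG_C2 = {
    "smokeloader": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"],
    "redline": ["86.107.197.138:38133"],
    "amadey": ["185.215.113.35/d2VxjasuwS/index.php", "2.56.56.210/notAnoob/index.php"],
}

def normalise(raw):
    """Return (host, port, path) for the three spellings seen in the configs:
    full http URL, bare host:port (raw TCP C2), and host/path with no scheme."""
    if "://" not in raw:
        # host:port with no path -> raw TCP; anything else -> assume plain http.
        raw = ("tcp://" if re.fullmatch(r"[^/]+:\d+", raw) else "http://") + raw
    u = urlsplit(raw)
    port = u.port if u.port is not None else (80 if u.scheme == "http" else None)
    return u.hostname, port, (u.path or "/")

def build_indicators(config=CONFIG_C2):
    return [dict(family=f, host=h, port=p, path=pa)
            for f, raws in config.items() for h, p, pa in map(normalise, raws)]

# Assumed log layout: "<ts> <src> -> <dst host>:<dst port> <method> <url|->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dhost>[^:\s]+):(?P<dport>\d+) (?P<method>\S+) (?P<url>\S+)$")

def match_log(log_text, indicators=None):
    """Return (ts, family, host, port, confidence) for each matching line.
    'exact': host, port and (where the config gives one) path all match;
    'host-only': same host and port but a different path."""
    indicators = indicators or build_indicators()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dhost, dport = m["dhost"].lower(), int(m["dport"])
        path = "/" if m["url"] == "-" else (urlsplit(m["url"]).path or "/")
        for ind in indicators:
            if ind["host"] != dhost or (ind["port"] is not None and ind["port"] != dport):
                continue
            exact = ind["path"] == "/" or ind["path"] == path
            hits.append((m["ts"], ind["family"], dhost, dport, "exact" if exact else "host-only"))
    return hits

# Constructed proxy log: three true C2 contacts, one same-host/other-path
# request, and one benign line (RFC 5737 documentation address, example.com).
SAMPLE_LOG = """\
2021-12-24T12:35:01 10.0.0.5 -> 185.215.113.35:80 POST http://185.215.113.35/d2VxjasuwS/index.php
2021-12-24T12:35:02 10.0.0.5 -> 86.107.197.138:38133 CONNECT -
2021-12-24T12:35:03 10.0.0.5 -> 203.0.113.10:443 GET https://example.com/
2021-12-24T12:35:04 10.0.0.5 -> 185.215.113.35:80 GET http://185.215.113.35/favicon.ico
2021-12-24T12:35:05 10.0.0.5 -> host-data-coin-11.com:80 POST http://host-data-coin-11.com/
"""

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

The host-only grade matters for the Amadey entries: the sandbox config pins a specific check-in path, so a request to the same IP for another path is still worth triage but is weaker evidence than the index.php hit; for SmokeLoader the domain itself is the indicator, so any request to it is exact.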

Signatures (40)

Tactics observed: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • Amadey

    Description

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Arkei

    Description

    Arkei is an infostealer written in C++.

  • Detect Neshta Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x000600000001ab80-238.dat | family_neshta
    behavioral1/files/0x000600000001ab80-239.dat | family_neshta
    behavioral1/files/0x000500000001ab84-245.dat | family_neshta
    behavioral1/files/0x000500000001ab84-246.dat | family_neshta
    behavioral1/files/0x000400000000768d-250.dat | family_neshta
    behavioral1/files/0x000a000000015f2b-267.dat | family_neshta
    behavioral1/files/0x0005000000016285-278.dat | family_neshta
    behavioral1/files/0x000800000000760f-279.dat | family_neshta
    behavioral1/files/0x000100000001913c-282.dat | family_neshta
    behavioral1/files/0x000d000000015419-287.dat | family_neshta
    behavioral1/files/0x0007000000015482-286.dat | family_neshta
    behavioral1/files/0x00020000000191e0-289.dat | family_neshta
    behavioral1/files/0x00020000000006b1-288.dat | family_neshta
    behavioral1/files/0x0007000000015482-290.dat | family_neshta
    behavioral1/files/0x0002000000015b98-291.dat | family_neshta
    behavioral1/files/0x000500000001ab84-295.dat | family_neshta
    behavioral1/files/0x000a000000015f23-332.dat | family_neshta
    behavioral1/files/0x000100000001a42f-346.dat | family_neshta
  • Modifies system executable filetype association
    5954_1640339821_5793.exe

    TTPs

    Modify Registry, Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5954_1640339821_5793.exe
  • Neshta

    Description

    Neshta is a file infector: it writes itself into other executables (the Program Files entries modified further down) so that launching an infected program re-runs the infector, and it redirects the exefile association through C:\Windows\svchost.com so that every .exe launch passes through it.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/3236-126-0x0000000001000000-0x00000000011C6000-memory.dmp | family_redline
    behavioral1/memory/3236-127-0x0000000001000000-0x00000000011C6000-memory.dmp | family_redline
    behavioral1/memory/3236-133-0x0000000001000000-0x00000000011C6000-memory.dmp | family_redline
    behavioral1/memory/3236-132-0x0000000001000000-0x00000000011C6000-memory.dmp | family_redline
    behavioral1/memory/2144-178-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
    behavioral1/memory/2144-179-0x000000000041931A-mapping.dmp | family_redline
    behavioral1/memory/2144-182-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
    behavioral1/memory/2144-183-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
    behavioral1/memory/2144-189-0x0000000005380000-0x0000000005986000-memory.dmp | family_redline
  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    description | pid | process | target process
    PID 408 created 2812 | 408 | WerFault.exe | AB71.exe
  • suricata: ET MALWARE Amadey CnC Check-In
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Arkei Stealer Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1492-177-0x0000000000400000-0x00000000004CA000-memory.dmp | family_arkei
  • Downloads MZ/PE file
  • Executes dropped EXE
    9AF4.exe, 9FC7.exe, AB71.exe, 9AF4.exe, 12B7.exe, 17C9.exe, 17C9.exe, 71F0.exe, 7E45.exe, mjlooy.exe, 9410.exe, 9A0D.exe, 9E44.exe, 5954_1640339821_5793.exe, 5954_1640339821_5793.exe, svchost.com, tkools.exe, 9A0D.exe, mjlooy.exe, svchost.com, taskhost.exe

    Reported IOCs

    pid | process
    2836 | 9AF4.exe
    3236 | 9FC7.exe
    2812 | AB71.exe
    2540 | 9AF4.exe
    1492 | 12B7.exe
    1712 | 17C9.exe
    2144 | 17C9.exe
    4004 | 71F0.exe
    3892 | 7E45.exe
    2796 | mjlooy.exe
    2440 | 9410.exe
    1036 | 9A0D.exe
    1656 | 9E44.exe
    2096 | 5954_1640339821_5793.exe
    400 | 5954_1640339821_5793.exe
    3080 | svchost.com
    1712 | tkools.exe
    1668 | 9A0D.exe
    1688 | mjlooy.exe
    3616 | svchost.com
    1232 | taskhost.exe
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Deletes itself

    Reported IOCs

    pid | process
    2720 | (name not reported)
  • Loads dropped DLL
    12B7.exe, regsvr32.exe

    Reported IOCs

    pid | process
    1492 | 12B7.exe
    1492 | 12B7.exe
    1492 | 12B7.exe
    4080 | regsvr32.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, such as saved credentials.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Enumerates connected drives
    explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\D: | explorer.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    9FC7.exe

    Reported IOCs

    pid | process
    3236 | 9FC7.exe
  • Suspicious use of SetThreadContext
    0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe, 9AF4.exe, 17C9.exe, 9A0D.exe, taskhost.exe

    Reported IOCs

    description | pid | process | target process
    PID 3856 set thread context of 2240 | 3856 | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
    PID 2836 set thread context of 2540 | 2836 | 9AF4.exe | 9AF4.exe
    PID 1712 set thread context of 2144 | 1712 | 17C9.exe | 17C9.exe
    PID 1036 set thread context of 1668 | 1036 | 9A0D.exe | 9A0D.exe
    PID 1232 set thread context of 3184 | 1232 | taskhost.exe | cvtres.exe
  • Drops file in Program Files directory
    5954_1640339821_5793.exe, svchost.com

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
    File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | svchost.com
    File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
    File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | svchost.com
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
    File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com
    File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | svchost.com
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | svchost.com
    File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 5954_1640339821_5793.exe
    File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | svchost.com
  • Drops file in Windows directory
    svchost.com, explorer.exe, 5954_1640339821_5793.exe, svchost.com

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | svchost.com
    File created | C:\Windows\rescache\_merged\2717123927\1253081315.pri | explorer.exe
    File opened for modification | C:\Windows\svchost.com | 5954_1640339821_5793.exe
    File opened for modification | C:\Windows\directx.sys | svchost.com
    File opened for modification | C:\Windows\svchost.com | svchost.com
    File opened for modification | C:\Windows\directx.sys | svchost.com
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drives. The sandbox's stock wording calls this likely ransomware behaviour, but no ransomware family was identified in this run; file infectors and stealers enumerate drives for the same reason, to find files to touch.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe (x4)

    Reported IOCs

    pid | pid_target | process | target process
    408 | 2812 | WerFault.exe | AB71.exe
    3640 | 3184 | WerFault.exe | cvtres.exe
    3444 | 3660 | WerFault.exe | cvtres.exe
    4164 | 1232 | WerFault.exe | taskhost.exe
  • Checks SCSI registry key(s)
    0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe, 9AF4.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9AF4.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9AF4.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9AF4.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
  • Checks processor information in registry
    12B7.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 12B7.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 12B7.exe
  • Creates scheduled task(s)
    schtasks.exe (x2)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2884 | schtasks.exe
    3364 | schtasks.exe
  • Delays execution with timeout.exe
    timeout.exe (x2)

    Reported IOCs

    pid | process
    3788 | timeout.exe
    2736 | timeout.exe
  • Modifies registry class
    explorer.exe, 5954_1640339821_5793.exe, 5954_1640339821_5793.exe, 9410.exe

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5954_1640339821_5793.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | 5954_1640339821_5793.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | 9410.exe
    Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  • Suspicious behavior: EnumeratesProcesses
    0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe

    Reported IOCs

    pid | process
    2240 | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe (x2)
    2720 | (name not reported) (x62)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid | process
    2720 | (name not reported)
  • Suspicious behavior: MapViewOfSection
    0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe, 9AF4.exe

    Reported IOCs

    pid | process
    2240 | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
    2540 | 9AF4.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe, 9FC7.exe, 17C9.exe, 17C9.exe, 9A0D.exe, 9E44.exe, 9410.exe, 9A0D.exe

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x3 pairs)
    Token: SeRestorePrivilege | 408 | WerFault.exe
    Token: SeBackupPrivilege | 408 | WerFault.exe
    Token: SeDebugPrivilege | 408 | WerFault.exe
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x3 pairs)
    Token: SeDebugPrivilege | 3236 | 9FC7.exe
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x3 pairs)
    Token: SeDebugPrivilege | 1712 | 17C9.exe
    Token: SeDebugPrivilege | 2144 | 17C9.exe
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x10 pairs)
    Token: SeDebugPrivilege | 1036 | 9A0D.exe
    Token: SeDebugPrivilege | 1656 | 9E44.exe
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x2 pairs)
    Token: SeDebugPrivilege | 2440 | 9410.exe
    Token: SeDebugPrivilege | 1668 | 9A0D.exe
    Token: SeDebugPrivilege | 2440 | 9410.exe
    Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 2720 | (name not reported) (x5 pairs, then one more SeShutdownPrivilege; list truncated on the page)
  • Suspicious use of FindShellTrayWindow
    explorer.exe

    Reported IOCs

    pid | process
    3984 | explorer.exe (x4)
    2720 | (name not reported)
  • Suspicious use of SendNotifyMessage
    explorer.exe

    Reported IOCs

    pid | process
    3984 | explorer.exe (x8)
  • Suspicious use of WriteProcessMemory
    0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe, 9AF4.exe, 17C9.exe, 12B7.exe, cmd.exe, 7E45.exe, mjlooy.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 3856 wrote to memory of 2240 | 3856 | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe | 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe (x6)
    PID 2720 wrote to memory of 2836 | 2720 | (name not reported) | 9AF4.exe (x3)
    PID 2720 wrote to memory of 3236 | 2720 | (name not reported) | 9FC7.exe (x3)
    PID 2720 wrote to memory of 2812 | 2720 | (name not reported) | AB71.exe (x3)
    PID 2836 wrote to memory of 2540 | 2836 | 9AF4.exe | 9AF4.exe (x6)
    PID 2720 wrote to memory of 1492 | 2720 | (name not reported) | 12B7.exe (x3)
    PID 2720 wrote to memory of 1712 | 2720 | (name not reported) | 17C9.exe (x3)
    PID 1712 wrote to memory of 2144 | 1712 | 17C9.exe | 17C9.exe (x8)
    PID 1492 wrote to memory of 788 | 1492 | 12B7.exe | cmd.exe (x3)
    PID 788 wrote to memory of 3788 | 788 | cmd.exe | timeout.exe (x3)
    PID 2720 wrote to memory of 4004 | 2720 | (name not reported) | 71F0.exe (x3)
    PID 2720 wrote to memory of 3892 | 2720 | (name not reported) | 7E45.exe (x3)
    PID 3892 wrote to memory of 2796 | 3892 | 7E45.exe | mjlooy.exe (x3)
    PID 2796 wrote to memory of 4048 | 2796 | mjlooy.exe | cmd.exe (x3)
    PID 2796 wrote to memory of 2884 | 2796 | mjlooy.exe | schtasks.exe (x3)
    PID 4048 wrote to memory of 1904 | 4048 | cmd.exe | reg.exe (x3)
    PID 2720 wrote to memory of 2440 | 2720 | (name not reported) | 9410.exe (x3)
    PID 2720 wrote to memory of 1036 | 2720 | (name not reported) | 9A0D.exe (x2; list truncated on the page)
Processes (45)
  • C:\Users\Admin\AppData\Local\Temp\0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
    "C:\Users\Admin\AppData\Local\Temp\0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Users\Admin\AppData\Local\Temp\0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe
      "C:\Users\Admin\AppData\Local\Temp\0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93.exe"
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2240
  • C:\Users\Admin\AppData\Local\Temp\9AF4.exe
    C:\Users\Admin\AppData\Local\Temp\9AF4.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Local\Temp\9AF4.exe
      C:\Users\Admin\AppData\Local\Temp\9AF4.exe
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2540
  • C:\Users\Admin\AppData\Local\Temp\9FC7.exe
    C:\Users\Admin\AppData\Local\Temp\9FC7.exe
    Executes dropped EXE
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of AdjustPrivilegeToken
    PID:3236
  • C:\Users\Admin\AppData\Local\Temp\AB71.exe
    C:\Users\Admin\AppData\Local\Temp\AB71.exe
    Executes dropped EXE
    PID:2812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 480
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:408
  • C:\Users\Admin\AppData\Local\Temp\12B7.exe
    C:\Users\Admin\AppData\Local\Temp\12B7.exe
    Executes dropped EXE
    Loads dropped DLL
    Checks processor information in registry
    Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\12B7.exe" & exit
      Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        Delays execution with timeout.exe
        PID:3788
  • C:\Users\Admin\AppData\Local\Temp\17C9.exe
    C:\Users\Admin\AppData\Local\Temp\17C9.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\17C9.exe
      C:\Users\Admin\AppData\Local\Temp\17C9.exe
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2144
  • C:\Users\Admin\AppData\Local\Temp\71F0.exe
    C:\Users\Admin\AppData\Local\Temp\71F0.exe
    Executes dropped EXE
    PID:4004
  • C:\Users\Admin\AppData\Local\Temp\7E45.exe
    C:\Users\Admin\AppData\Local\Temp\7E45.exe
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
      "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
        Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\
          PID:1904
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F
        Creates scheduled task(s)
        PID:2884
  • C:\Users\Admin\AppData\Local\Temp\9410.exe
    C:\Users\Admin\AppData\Local\Temp\9410.exe
    Executes dropped EXE
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    PID:2440
    • C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "taskhost" /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"' & exit
      Executes dropped EXE
      Drops file in Windows directory
      PID:3616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn taskhost /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"' & exit
        PID:3240
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn taskhost /tr '"C:\Users\Admin\AppData\Roaming\taskhost.exe"'
          Creates scheduled task(s)
          PID:3364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC1F.tmp.bat""
      PID:3156
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        Delays execution with timeout.exe
        PID:2736
      • C:\Users\Admin\AppData\Roaming\taskhost.exe
        "C:\Users\Admin\AppData\Roaming\taskhost.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        PID:1232
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          Enumerates connected drives
          Drops file in Windows directory
          Modifies registry class
          Suspicious use of FindShellTrayWindow
          Suspicious use of SendNotifyMessage
          PID:3984
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            PID:2932
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
          PID:3184
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 708
            Program crash
            PID:3640
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          PID:3404
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
          PID:3624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 4448 dEykkSGjT
          PID:3660
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 708
            Program crash
            PID:3444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 1568
          Program crash
          PID:4164
  • C:\Users\Admin\AppData\Local\Temp\9A0D.exe
    C:\Users\Admin\AppData\Local\Temp\9A0D.exe
    Executes dropped EXE
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\9A0D.exe
      C:\Users\Admin\AppData\Local\Temp\9A0D.exe
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  • C:\Users\Admin\AppData\Local\Temp\9E44.exe
    C:\Users\Admin\AppData\Local\Temp\9E44.exe
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    PID:1656
    • C:\ProgramData\5954_1640339821_5793.exe
      "C:\ProgramData\5954_1640339821_5793.exe"
      Modifies system executable filetype association
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      PID:2096
      • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe"
        Executes dropped EXE
        Modifies registry class
        PID:400
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
          Executes dropped EXE
          Drops file in Program Files directory
          Drops file in Windows directory
          PID:3080
          • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            Executes dropped EXE
            PID:1712
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A8C4.dll
    Loads dropped DLL
    PID:4080
  • C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
    C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
    Executes dropped EXE
    PID:1688
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    PID:912
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    PID:2148
Network
MITRE ATT&CK Matrix
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
• C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  MD5 3b73078a714bf61d1c19ebc3afc0e454
  SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
  SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
  SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
• C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  MD5 bcd0f32f28d3c2ba8f53d1052d05252d
  SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
  SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
  SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
• C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  MD5 8db8df5afb216d89fcb0bdf24662c9b5
  SHA1 f0819d096526f02b0f7c50b56cebd7c521600897
  SHA256 bc9c19ede72076a2c8cc18a4b2305cabc999244fb92d471c87036bb796d3f89f
  SHA512 dc63a71b6b04e89ecf744bf890c74caa11cb3525aeccaede6dafa72fa3eebd40b8d352651d0bc8b1deb0768a38e5c2660200cac84eec48ddab01beaa8c9c0bea
• C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  MD5 6e84b6096aaa18cabc30f1122d5af449
  SHA1 e6729edd11b52055b5e34d39e5f3b8f071bbac4f
  SHA256 c6b7f9119cf867951f007c5468f75eb4dca59c7eedeb0afdd8ad9d5b9606e759
  SHA512 af5b33e7e190587bb152adf65fbcd4c1cd521f638863a6d1c7de29599cce6439b6c7b653180661cb0382007aefa0ae5a1b1b841eaaa116ce715f3a5ba0725a42
• C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  MD5 0d9146d70ac6a41ead1ea2d50d729508
  SHA1 b9e6ff83a26aaf105640f5d5cdab213c989dc370
  SHA256 0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
  SHA512 c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
• C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  MD5 07e194ce831b1846111eb6c8b176c86e
  SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
  SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
  SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
• C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
  SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
  SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
  SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
• C:\ProgramData\5954_1640339821_5793.exe
  MD5 05ac7818089aaed02ed5320d50f47132
  SHA1 f9dfd169342637416bdc47d3d6ac6a31f062577f
  SHA256 bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70
  SHA512 1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d
• C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
  MD5 05bdfd8a3128ab14d96818f43ebe9c0e
  SHA1 495cbbd020391e05d11c52aa23bdae7b89532eb7
  SHA256 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
  SHA512 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da
• C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  MD5 32853955255a94fcd7587ca9cbfe2b60
  SHA1 c33a88184c09e89598f0cabf68ce91c8d5791521
  SHA256 64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330
  SHA512 8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997
• C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
  MD5 0d9146d70ac6a41ead1ea2d50d729508
  SHA1 b9e6ff83a26aaf105640f5d5cdab213c989dc370
  SHA256 0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
  SHA512 c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
• C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
  MD5 a49eb5f2ad98fffade88c1d337854f89
  SHA1 2cc197bcf3625751f7e714ac1caf8e554d0be3b1
  SHA256 99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
  SHA512 4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\17C9.exe.log
  MD5 41fbed686f5700fc29aaccf83e8ba7fd
  SHA1 5271bc29538f11e42a3b600c8dc727186e912456
  SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
  SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034
• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9A0D.exe.log
  MD5 605f809fab8c19729d39d075f7ffdb53
  SHA1 c546f877c9bd53563174a90312a8337fdfc5fdd9
  SHA256 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
  SHA512 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
• C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
  MD5 503fa91a7df32c765f0e3dd1040596a2
  SHA1 1846e3eb6f44e0d2ccde57719c00f6dff1bd9ed3
  SHA256 c9118508ba45c6b9dc7f4f01681432e7c283f9cc20736455ae7edbf8f91b97ef
  SHA512 8c556812ca3deed0310e9070ca38f42b4f0c59aa87be373886bf9c67ca11edb4f635e08fb018d09b05724566dc1ecc761022d4646ec1a112787dab24982ca776
• C:\Users\Admin\AppData\Local\Temp\12B7.exe
  MD5 9f770a17a60478196befdf3240453933
  SHA1 007181a2fae55d99cbae21d2a0dc75331ac85189
  SHA256 b60494a81a5d1322f4ada1c89fb8f157039a4dbc4ce3fb2b97be9802c83daf53
  SHA512 d8ee7478692a95403fb374e5762f1aa8a66fb58d463e533966a892c1b22b63035a14d12d8a3e459fe161c81bc10c7686eacb368417a867509918e1d8641fdab1
• C:\Users\Admin\AppData\Local\Temp\17C9.exe
  MD5 d37ada4c37879faaca26810efa63de83
  SHA1 7f2c089d952985308eb0ce8ad26e9781ca7198d2
  SHA256 4fdfb685505b7e84aed8b4dae35cea2dd0bcae94e3612832339230af970b5fa8
  SHA512 439e417b6797af09ebab25932477ce66b376ed12348afc6baf1c6bb6f1dc5e0ba9e6f0ca8ba4cd554d3c8fa49c7f4fdae34cf994b7237e9459f6e9f1942876a5
• C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
  MD5 47d324d0398317af1f842dd2a271c3f0
  SHA1 045937d0083abe615ce4780684f500dfde4c550b
  SHA256 0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50
  SHA512 ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823
• C:\Users\Admin\AppData\Local\Temp\71F0.exe
  MD5 c2840092e935583cce1e7b6d3a4b29f1
  SHA1 992687dac9ced48e786796657bfa9f1017b7c2a1
  SHA256 fd9df758b109ad226271791bbd507b9f058a7bad64c54d45486fc36df764cf12
  SHA512 1cf4c6d06193e5a97129028eb2e9ae38f6305bb43124e2969f02be0bb3ef012129eb0944eec4431c8569ed6193cb0936737e753b017f4211bb7260851d51633d
• C:\Users\Admin\AppData\Local\Temp\7E45.exe
  MD5 3540c2c6a3cc2fdc5b08130cf3a492bc
  SHA1 9f4d9ed274b7aefb4461f846d474adba7df198a5
  SHA256 e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea
  SHA512 8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e
• C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe
  MD5 3540c2c6a3cc2fdc5b08130cf3a492bc
  SHA1 9f4d9ed274b7aefb4461f846d474adba7df198a5
  SHA256 e6e2ef0f47b7373c844f856058c23bd5465dd9f22ed073aff09bbb4fc145e2ea
  SHA512 8a884231911f612119742dbc8055851be63c4ebb2b87e1ab908c7a1f498560a1f89f6718df5e87ed2a457153c3cd1b460a9def0e27be37ea9dbc1d97046e1f9e
• C:\Users\Admin\AppData\Local\Temp\9410.exe
  MD5 4d59d86cb3926ff9362b0ea8669fbe2b
  SHA1 03eaf04fe47afa81a8f066035fafea30467c1b24
  SHA256 e429e6a66da5bc155ae5a73ea2fb9d0b2a19d8356868a5a01398b7c6870c4c34
  SHA512 b5b9de2da60cf7b4f665831506bdb36eaa45ef4e86170b47527fab05dde324e18da8fdcec242b521bc626c7b5f022af893dac3037d5bc99aca527e37e950a513
• C:\Users\Admin\AppData\Local\Temp\9A0D.exe
  MD5 20c0e8c83cd3162b4ddb26b49ba9bbf4
  SHA1 770a05c226d2afc6903852dd4f75de8dc877e074
  SHA256 907e64f8e086af51088e110a19a4fc2ed3ad100590affda6f1ec1251f38bc7aa
  SHA512 0500a54f0e5fccf4d85fda36fcdc0a01f68d81d75787ffd29f412abec3c7b076f03586f74340696ddc2ee31efc26059bec34d46e4a66e43fe12e9e08d74ba7f5
• C:\Users\Admin\AppData\Local\Temp\9AF4.exe
  MD5 ae61ae9f1f366b30617c7dc04f43b905
  SHA1 f0cafe847a308966c9b1cd71054df971f4639bc4
  SHA256 0b6431d3a7f4a5661b1fc4c0ff62e302bb60ca0e37426a5c5940434a54a06d93
  SHA512 6ff7e4ec68591c48bc912edd690e1bf1558597a89d13a95c96a433c80a073565118ff9d5a593df493cc9fe6df12eed35e725bc55b08e065ab7f3bab08656a908
• C:\Users\Admin\AppData\Local\Temp\9E44.exe
  MD5 ac696ff26dae3d008a7f1a8a33a6c067
  SHA1 0e450582db291be053ac6a4ccf722dc4441b1f2e
  SHA256 44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9
  SHA512 1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6
• C:\Users\Admin\AppData\Local\Temp\9FC7.exe
  MD5 53baf2b70a6c0c7d018a7b128b273af0
  SHA1 a20c953b3b655490f676bae75659c1cc2699bcb3
  SHA256 07d0d9dda1d97f20683b43c5e8c21c5cddd546232876394d60a64cf692a27ff6
  SHA512 038b479faa5606ce9bfe891e7ed66271d8bd61d36d6946cc44503497d5ef5284d5bb4622a2f02bb89cf009dc2f8c62025bec3f62e6275dd15c6e469575791e7f
• C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
  MD5 47d324d0398317af1f842dd2a271c3f0
  SHA1 045937d0083abe615ce4780684f500dfde4c550b
  SHA256 0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50
  SHA512 ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823
• C:\Users\Admin\AppData\Local\Temp\A8C4.dll
  MD5 89b9c8fc262bb315e93896db9de81193
  SHA1 c5b326b205510ddafbb06bfa94648b30eda26469
  SHA256 5f3545ff14082140a0553413162d20c55cfd93907d2a4ed417b87c9027512576
  SHA512 c8f7e3903ff3bd2a989fda675b70f6235719ab89eb9a0043d90aa8239e4fdc17b7b8e85df4eba6b5f41b3ae2ab5244497f1d932210561cb56f708efb4c1e799a
• C:\Users\Admin\AppData\Local\Temp\AB71.exe
  MD5 8a2c303f89d770da74298403ff6532a0
  SHA1 2ad5d1cd0e7c0519824c59eea29c96ad19bda2cd
  SHA256 ad81a89306826903162221826864ecb231b6a76721d1592d2f56801112f6eccd
  SHA512 031cdcb63b902748b13b7dd977cb9e61a32881d0d11c2fe2162072c48be3122e72fd818d2a91695a13a2f112553487e301e8ac28b2e6afc0369b892db587d5b5
• C:\Users\Admin\AppData\Local\Temp\tmpDC1F.tmp.bat
  MD5 6bd641115c6ab670904f54c34f68dc0d
  SHA1 0943179758237120ecdf7f207e8f5b3ee9c4ca8b
  SHA256 9028964279460a46094dac45c5ac968569cc8783f6b12019d7a6c1950741166c
  SHA512 520fc0704a453f40b50312a308113761ebab0c818ac513beba3038e84cdbebc1e4b45aeaf6980adc0be82618dedee858860ca0d2afd6711c46b245307c4ee5fa
• C:\Users\Admin\AppData\Roaming\taskhost.exe
  MD5 4d59d86cb3926ff9362b0ea8669fbe2b
  SHA1 03eaf04fe47afa81a8f066035fafea30467c1b24
  SHA256 e429e6a66da5bc155ae5a73ea2fb9d0b2a19d8356868a5a01398b7c6870c4c34
  SHA512 b5b9de2da60cf7b4f665831506bdb36eaa45ef4e86170b47527fab05dde324e18da8fdcec242b521bc626c7b5f022af893dac3037d5bc99aca527e37e950a513
• C:\Windows\directx.sys
  MD5 8e966011732995cd7680a1caa974fd57
  SHA1 2b22d69074bfa790179858cc700a7cbfd01ca557
  SHA256 97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b
  SHA512 892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c
• C:\Windows\svchost.com
  MD5 36fd5e09c417c767a952b4609d73a54b
  SHA1 299399c5a2403080a5bf67fb46faec210025b36d
  SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
  SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
• C:\odt\OFFICE~1.EXE
  MD5 02c3d242fe142b0eabec69211b34bc55
  SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
  SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
  SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
• \ProgramData\mozglue.dll
  MD5 8f73c08a9660691143661bf7332c3c27
  SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
  SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
  SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
• \ProgramData\nss3.dll
  MD5 bfac4e3c5908856ba17d41edcd455a51
  SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
  SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
  SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
                • \ProgramData\sqlite3.dll

                  MD5

                  e477a96c8f2b18d6b5c27bde49c990bf

                  SHA1

                  e980c9bf41330d1e5bd04556db4646a0210f7409

                  SHA256

                  16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

                  SHA512

                  335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

                • \Users\Admin\AppData\Local\Temp\A8C4.dll

                  MD5

                  89b9c8fc262bb315e93896db9de81193

                  SHA1

                  c5b326b205510ddafbb06bfa94648b30eda26469

                  SHA256

                  5f3545ff14082140a0553413162d20c55cfd93907d2a4ed417b87c9027512576

                  SHA512

                  c8f7e3903ff3bd2a989fda675b70f6235719ab89eb9a0043d90aa8239e4fdc17b7b8e85df4eba6b5f41b3ae2ab5244497f1d932210561cb56f708efb4c1e799a
