Malware Analysis Report

2025-04-14 07:04

Sample ID 230723-r3r48seh8x
Target b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074
SHA256 b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074
Tags
amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor discovery evasion infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074

Threat Level: Known bad

The file b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074 was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

Detected Djvu ransomware

Detect Fabookie payload

Amadey

Fabookie

RedLine

SmokeLoader

Downloads MZ/PE file

Stops running service(s)

Deletes itself

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 14:43

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 14:43

Reported

2023-07-23 14:46

Platform

win10-20230703-en

Max time kernel

52s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aedd73e6-9adb-4462-acf1-aec438f9708d\\F52D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F52D.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\sc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\sc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 4204 N/A N/A C:\Users\Admin\AppData\Local\Temp\F52D.exe
PID 3312 wrote to memory of 4728 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4728 wrote to memory of 4440 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4204 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\F52D.exe C:\Users\Admin\AppData\Local\Temp\F52D.exe
PID 3312 wrote to memory of 4588 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4588 wrote to memory of 3592 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3312 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC93.exe
PID 3312 wrote to memory of 4420 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E.exe
PID 3312 wrote to memory of 4984 N/A N/A C:\Windows\System32\sc.exe
PID 3312 wrote to memory of 2264 N/A N/A C:\Users\Admin\AppData\Local\Temp\13A8.exe
PID 2696 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\F52D.exe C:\Windows\SysWOW64\icacls.exe
PID 2264 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\13A8.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 2264 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\13A8.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 2264 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\13A8.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 2696 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\F52D.exe C:\Users\Admin\AppData\Local\Temp\F52D.exe
PID 3312 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\Temp\3163.exe
PID 316 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 4692 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\3163.exe C:\Users\Admin\AppData\Local\Temp\3163.exe
PID 4904 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\F52D.exe C:\Users\Admin\AppData\Local\Temp\F52D.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe

"C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe"

C:\Users\Admin\AppData\Local\Temp\F52D.exe

C:\Users\Admin\AppData\Local\Temp\F52D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F79F.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F79F.dll

C:\Users\Admin\AppData\Local\Temp\F52D.exe

C:\Users\Admin\AppData\Local\Temp\F52D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F8AA.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F8AA.dll

C:\Users\Admin\AppData\Local\Temp\FC93.exe

C:\Users\Admin\AppData\Local\Temp\FC93.exe

C:\Users\Admin\AppData\Local\Temp\1E.exe

C:\Users\Admin\AppData\Local\Temp\1E.exe

C:\Users\Admin\AppData\Local\Temp\909.exe

C:\Users\Admin\AppData\Local\Temp\909.exe

C:\Users\Admin\AppData\Local\Temp\13A8.exe

C:\Users\Admin\AppData\Local\Temp\13A8.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\aedd73e6-9adb-4462-acf1-aec438f9708d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\F52D.exe

"C:\Users\Admin\AppData\Local\Temp\F52D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3163.exe

C:\Users\Admin\AppData\Local\Temp\3163.exe

C:\Users\Admin\AppData\Local\Temp\3163.exe

C:\Users\Admin\AppData\Local\Temp\3163.exe

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

C:\Users\Admin\AppData\Local\Temp\38E6.exe

C:\Users\Admin\AppData\Local\Temp\38E6.exe

C:\Users\Admin\AppData\Local\Temp\F52D.exe

"C:\Users\Admin\AppData\Local\Temp\F52D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\38E6.exe

C:\Users\Admin\AppData\Local\Temp\38E6.exe

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\4701.exe

C:\Users\Admin\AppData\Local\Temp\4701.exe

C:\Users\Admin\AppData\Local\Temp\48C7.exe

C:\Users\Admin\AppData\Local\Temp\48C7.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\3163.exe

"C:\Users\Admin\AppData\Local\Temp\3163.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4701.exe

C:\Users\Admin\AppData\Local\Temp\4701.exe

C:\Users\Admin\AppData\Local\Temp\3163.exe

"C:\Users\Admin\AppData\Local\Temp\3163.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\38E6.exe

"C:\Users\Admin\AppData\Local\Temp\38E6.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\38E6.exe

"C:\Users\Admin\AppData\Local\Temp\38E6.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

"C:\Users\Admin\AppData\Local\Temp\3CBF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\75E3.exe

C:\Users\Admin\AppData\Local\Temp\75E3.exe

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

"C:\Users\Admin\AppData\Local\Temp\3CBF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe

"C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe"

C:\Users\Admin\AppData\Local\Temp\75E3.exe

C:\Users\Admin\AppData\Local\Temp\75E3.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4701.exe

"C:\Users\Admin\AppData\Local\Temp\4701.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4701.exe

"C:\Users\Admin\AppData\Local\Temp\4701.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\75E3.exe

"C:\Users\Admin\AppData\Local\Temp\75E3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe

"C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe"

C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe

"C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\75E3.exe

"C:\Users\Admin\AppData\Local\Temp\75E3.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe

"C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe"

C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe

"C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe"

C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe

"C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe"

C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe

"C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe

"C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe

"C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe

"C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe

"C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe"

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe

"C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

C:\Program Files\Notepad\Chrome\updater.exe

"C:\Program Files\Notepad\Chrome\updater.exe"

Network

Files


memory/4476-169-0x00000000043E0000-0x00000000043E6000-memory.dmp

memory/4476-168-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4476-167-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4476-170-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4476-174-0x0000000072700000-0x0000000072DEE000-memory.dmp

memory/4420-175-0x0000000004470000-0x00000000044A4000-memory.dmp

memory/4476-176-0x0000000007100000-0x0000000007706000-memory.dmp

memory/4476-177-0x0000000007710000-0x000000000781A000-memory.dmp

memory/4420-179-0x0000000000400000-0x0000000002485000-memory.dmp

memory/4476-178-0x0000000007850000-0x0000000007862000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\909.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/4420-183-0x0000000006B40000-0x0000000006B7E000-memory.dmp

memory/4420-186-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-187-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-190-0x0000000007910000-0x000000000795B000-memory.dmp

memory/4420-191-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-193-0x0000000002560000-0x0000000002660000-memory.dmp

memory/4476-195-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4420-192-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\909.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/4420-184-0x0000000072700000-0x0000000072DEE000-memory.dmp

memory/3592-196-0x0000000004B40000-0x0000000004C3B000-memory.dmp

memory/4440-199-0x0000000004C20000-0x0000000004D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13A8.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/2264-205-0x00000000007D0000-0x0000000000C54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13A8.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/2264-207-0x0000000072700000-0x0000000072DEE000-memory.dmp

memory/4984-210-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/4984-211-0x00000000005E0000-0x00000000005E9000-memory.dmp

memory/4984-212-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3592-213-0x0000000004C40000-0x0000000004D21000-memory.dmp

memory/3592-215-0x0000000004C40000-0x0000000004D21000-memory.dmp

memory/4440-216-0x0000000004D20000-0x0000000004E01000-memory.dmp

memory/3592-219-0x0000000004C40000-0x0000000004D21000-memory.dmp

memory/4440-220-0x0000000004D20000-0x0000000004E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/1152-225-0x00007FF789AE0000-0x00007FF789B77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3592-231-0x0000000004C40000-0x0000000004D21000-memory.dmp

C:\Users\Admin\AppData\Local\aedd73e6-9adb-4462-acf1-aec438f9708d\F52D.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/4440-232-0x0000000004D20000-0x0000000004E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/2696-236-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/4476-239-0x0000000007B50000-0x0000000007BC6000-memory.dmp

memory/4420-240-0x0000000007BD0000-0x0000000007C62000-memory.dmp

memory/4476-243-0x0000000007C70000-0x0000000007CD6000-memory.dmp

memory/2264-244-0x0000000072700000-0x0000000072DEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F52D.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/4984-258-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/3312-253-0x0000000004210000-0x0000000004226000-memory.dmp

memory/2696-250-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1152-260-0x00000000035D0000-0x0000000003740000-memory.dmp

memory/1152-261-0x0000000003740000-0x0000000003871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4476-271-0x0000000002570000-0x0000000002670000-memory.dmp

memory/4476-274-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4476-278-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4112-280-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4476-286-0x0000000072700000-0x0000000072DEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4524-291-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4112-288-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4904-287-0x00000000041CE000-0x000000000425F000-memory.dmp

memory/4692-285-0x000000000410B000-0x000000000419C000-memory.dmp

memory/4420-293-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-294-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-292-0x0000000072700000-0x0000000072DEE000-memory.dmp

memory/4420-295-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4420-296-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

memory/4112-297-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4524-300-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\F52D.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/4524-282-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/4476-276-0x0000000006A80000-0x0000000006A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4420-304-0x0000000002560000-0x0000000002660000-memory.dmp

memory/4328-306-0x0000000004100000-0x0000000004195000-memory.dmp

memory/4476-305-0x0000000006A80000-0x0000000006A90000-memory.dmp

memory/4576-311-0x0000000000400000-0x0000000000537000-memory.dmp

memory/360-313-0x0000000004040000-0x00000000040D7000-memory.dmp

memory/4576-312-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4576-308-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-307-0x00000000041D0000-0x00000000042EB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 debbf14f3483068c85dbb41089275387
SHA1 53c67f0496489a8bf83e645035b9e030fe22f052
SHA256 d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd
SHA512 ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 d707c34b5d58bb90759164b519b6ddc3
SHA1 12e7d5b795baba355c67e36353add92ee4dfbd8a
SHA256 4b91ef194e2d54395cdf31efc1c32b98531566ee2a220fa7a65340e3383d0441
SHA512 30ffed1effcf56685378168a2ac9f029545aa3887094ee740dc2603429779a2d7ec0dfb5173bba9a21508c1af061e04830a6fef96de90973362c91b67b205542

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 463eeeb90228588b625904ac3bf42a69
SHA1 fa46cbe96797d0d8d4b2b7d9f6fa9cfca52a57a3
SHA256 4e443c36af23e395888b5586847dc5c3dd69cb85f0cced199ae47fbee9dd98fa
SHA512 b06da93073f792379ea03fa198cf55c15556cc9870b737ad469791c5bd1ee2e2330013737ba1f00be88a97fcc129c5c47a5387c6bb4f526bb4e8134968a8044e

memory/4204-321-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4204-322-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4568-327-0x00007FF728040000-0x00007FF7283FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48C7.exe

MD5 71b7dd7aea0be8f45cd1d494e45f2c82
SHA1 de03959e7f597c746e86defe0568c89ff4c7a7de
SHA256 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1
SHA512 fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5

C:\Users\Admin\AppData\Local\Temp\48C7.exe

MD5 71b7dd7aea0be8f45cd1d494e45f2c82
SHA1 de03959e7f597c746e86defe0568c89ff4c7a7de
SHA256 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1
SHA512 fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5

C:\Users\Admin\AppData\Local\Temp\48C7.exe

MD5 71b7dd7aea0be8f45cd1d494e45f2c82
SHA1 de03959e7f597c746e86defe0568c89ff4c7a7de
SHA256 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1
SHA512 fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5

memory/4112-334-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/2368-342-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/2368-344-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4988-353-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3312-355-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/4988-356-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3312-358-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3163.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

memory/3312-365-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/4576-373-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3312-372-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/3312-378-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/3312-381-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\75E3.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\75E3.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\3CBF.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\75E3.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build3.exe

MD5 04346db9f24a19c03a2578a79ca5252f
SHA1 26b510857e84ffaa0e5b89c3724a2a79c6311236
SHA256 266c1ffdde59dfb922cd80a835257e277b85cbda7659028243286aea760190d3
SHA512 cee5a839780c30ff6c99374d6b6905f1af3a061fdda6eb682e5d1b06a4c0077156d6b34c88d55567aa0ca2b57514d8cba433e90168bb1cb27c5af3fa150c46f2

C:\Users\Admin\AppData\Local\Temp\4701.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 e3c640eced72a28f10eac99da233d9fd
SHA1 1d7678afc24a59de1da0bf74126baf3b8540b5b0
SHA256 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e
SHA512 bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7

C:\SystemID\PersonalID.txt

MD5 324770a7653f940b6e66d90455f6e1a8
SHA1 5b9edb85029710a458f7a77f474721307d2fb738
SHA256 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30
SHA512 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23

C:\Users\Admin\AppData\Local\Temp\75E3.exe

MD5 4360c4d5f080473b1afb7cc57e03ab78
SHA1 fab11adee9d0a9689facca385f9d3fad8bbea4b6
SHA256 b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000
SHA512 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UT6V9SFL\build2[2].exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Roaming\eerhguv

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1nq2p5e.rl3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\ProgramData\57227912506412019740390558

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\68462860606417096594356893

MD5 dcac7589c66728ce87f51aea48746c0c
SHA1 8bf1e0ddd49c658154017b4efd781b35f2c2b3e5
SHA256 41d3cff236378944c160e16cb500f69df28b7b962b9a4f768de1ace20486b2fe
SHA512 3be051430ffdd638dc0c44876fb4595588d1248bae3623782f02e1eca5b33ad89c33dfa03c3c9ed1fbb434b3237bd810283a4cc3924f4af07b5ac6e0c5b0fad6

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\45560127411081860173880789

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77