Malware Analysis Report

2025-01-18 08:24

Sample ID 230810-p8nb5aeg21
Target 18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51
SHA256 18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51
Tags
djvu redline smokeloader vidar d2840cabd9794f85353e1fae1cd95a0b logsdiller cloud (tg: @logsdillabot) lux3 pub1 backdoor discovery infostealer ransomware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51 was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

RedLine

SmokeLoader

Vidar

Djvu Ransomware

Downloads MZ/PE file

Deletes itself

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 13:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 13:00

Reported

2023-08-10 13:02

Platform

win10-20230703-en

Max time kernel

29s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3828 set thread context of 3976 N/A C:\Users\Admin\AppData\Local\Temp\47D2.exe C:\Users\Admin\AppData\Local\Temp\47D2.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 3828 N/A N/A C:\Users\Admin\AppData\Local\Temp\47D2.exe
PID 3252 wrote to memory of 2120 N/A N/A C:\Users\Admin\AppData\Local\Temp\49B7.exe
PID 3252 wrote to memory of 1180 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1180 wrote to memory of 4848 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3828 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\47D2.exe C:\Users\Admin\AppData\Local\Temp\47D2.exe
PID 3252 wrote to memory of 2000 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F37.exe
PID 3252 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\538E.exe

Processes

C:\Users\Admin\AppData\Local\Temp\18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51.exe

"C:\Users\Admin\AppData\Local\Temp\18dd9670dc48a93304f6d4bbe730ed1e750f3dcba555aee5f2743db9edb53b51.exe"

C:\Users\Admin\AppData\Local\Temp\47D2.exe

C:\Users\Admin\AppData\Local\Temp\47D2.exe

C:\Users\Admin\AppData\Local\Temp\49B7.exe

C:\Users\Admin\AppData\Local\Temp\49B7.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4C0A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4C0A.dll

C:\Users\Admin\AppData\Local\Temp\47D2.exe

C:\Users\Admin\AppData\Local\Temp\47D2.exe

C:\Users\Admin\AppData\Local\Temp\4F37.exe

C:\Users\Admin\AppData\Local\Temp\4F37.exe

C:\Users\Admin\AppData\Local\Temp\538E.exe

C:\Users\Admin\AppData\Local\Temp\538E.exe

C:\Users\Admin\AppData\Local\Temp\65AF.exe

C:\Users\Admin\AppData\Local\Temp\65AF.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4a33fd01-aa65-40a1-8020-d6bae9e3f0a6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\47D2.exe

"C:\Users\Admin\AppData\Local\Temp\47D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\65AF.exe

C:\Users\Admin\AppData\Local\Temp\65AF.exe

C:\Users\Admin\AppData\Local\Temp\712A.exe

C:\Users\Admin\AppData\Local\Temp\712A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\789D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\789D.dll

C:\Users\Admin\AppData\Local\Temp\47D2.exe

"C:\Users\Admin\AppData\Local\Temp\47D2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\65AF.exe

"C:\Users\Admin\AppData\Local\Temp\65AF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7D80.exe

C:\Users\Admin\AppData\Local\Temp\7D80.exe

C:\Users\Admin\AppData\Local\Temp\8551.exe

C:\Users\Admin\AppData\Local\Temp\8551.exe

C:\Users\Admin\AppData\Local\Temp\8785.exe

C:\Users\Admin\AppData\Local\Temp\8785.exe

C:\Users\Admin\AppData\Local\Temp\90FB.exe

C:\Users\Admin\AppData\Local\Temp\90FB.exe

C:\Users\Admin\AppData\Local\Temp\7D80.exe

C:\Users\Admin\AppData\Local\Temp\7D80.exe

C:\Users\Admin\AppData\Local\Temp\65AF.exe

"C:\Users\Admin\AppData\Local\Temp\65AF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8551.exe

C:\Users\Admin\AppData\Local\Temp\8551.exe

C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build2.exe

"C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build2.exe"

C:\Users\Admin\AppData\Local\Temp\8785.exe

C:\Users\Admin\AppData\Local\Temp\8785.exe

C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build3.exe

"C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build2.exe

"C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build2.exe"

C:\Users\Admin\AppData\Local\Temp\E21A.exe

C:\Users\Admin\AppData\Local\Temp\E21A.exe

C:\Users\Admin\AppData\Local\Temp\7D80.exe

"C:\Users\Admin\AppData\Local\Temp\7D80.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build2.exe

"C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build2.exe"

C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build3.exe

"C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build3.exe"

C:\Users\Admin\AppData\Local\Temp\8785.exe

"C:\Users\Admin\AppData\Local\Temp\8785.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F9CA.exe

C:\Users\Admin\AppData\Local\Temp\F9CA.exe

C:\Users\Admin\AppData\Local\Temp\8551.exe

"C:\Users\Admin\AppData\Local\Temp\8551.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E21A.exe

C:\Users\Admin\AppData\Local\Temp\E21A.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\7D80.exe

"C:\Users\Admin\AppData\Local\Temp\7D80.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build2.exe

"C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build2.exe"

C:\Users\Admin\AppData\Local\Temp\8551.exe

"C:\Users\Admin\AppData\Local\Temp\8551.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E21A.exe

"C:\Users\Admin\AppData\Local\Temp\E21A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8785.exe

"C:\Users\Admin\AppData\Local\Temp\8785.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\E21A.exe

"C:\Users\Admin\AppData\Local\Temp\E21A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build2.exe

"C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build2.exe"

C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build3.exe

"C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\bb2a5601-aaf8-4b54-8cfe-d07d7ab4ca77\build2.exe

"C:\Users\Admin\AppData\Local\bb2a5601-aaf8-4b54-8cfe-d07d7ab4ca77\build2.exe"

C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build2.exe

"C:\Users\Admin\AppData\Local\6725cd08-0614-45b1-9ee0-4247a3dff931\build2.exe"

C:\Users\Admin\AppData\Local\bb2a5601-aaf8-4b54-8cfe-d07d7ab4ca77\build3.exe

"C:\Users\Admin\AppData\Local\bb2a5601-aaf8-4b54-8cfe-d07d7ab4ca77\build3.exe"

Network

Files

memory/4896-123-0x00000000023B0000-0x00000000024B0000-memory.dmp

memory/4896-124-0x0000000000400000-0x00000000022E6000-memory.dmp

memory/4896-125-0x0000000002360000-0x0000000002369000-memory.dmp

memory/3252-126-0x00000000012F0000-0x0000000001306000-memory.dmp

memory/4896-127-0x0000000000400000-0x00000000022E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\Temp\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\Temp\49B7.exe

MD5 ddc3477f60be2a8e0a769fac076bdca0
SHA1 526da95ae84bdef293dd54de3d3186764e32e85e
SHA256 49d0892da4e2713520e67c13d962e9bd9ce0a25b53a9d7b8c1189a18ae4fb3f1
SHA512 c417e422976e7eb48a9c89002e42ed59710ea6d803666be53836046882d0d70c9b26533d29d7100ca7b158924ee3278b3d53b9251582a538020964b2414de3c7

C:\Users\Admin\AppData\Local\Temp\49B7.exe

MD5 ddc3477f60be2a8e0a769fac076bdca0
SHA1 526da95ae84bdef293dd54de3d3186764e32e85e
SHA256 49d0892da4e2713520e67c13d962e9bd9ce0a25b53a9d7b8c1189a18ae4fb3f1
SHA512 c417e422976e7eb48a9c89002e42ed59710ea6d803666be53836046882d0d70c9b26533d29d7100ca7b158924ee3278b3d53b9251582a538020964b2414de3c7

memory/2120-144-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2120-143-0x00000000001C0000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C0A.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

\Users\Admin\AppData\Local\Temp\4C0A.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

\Users\Admin\AppData\Local\Temp\4C0A.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/4848-151-0x0000000004000000-0x0000000004243000-memory.dmp

memory/4848-153-0x0000000000520000-0x0000000000526000-memory.dmp

memory/3828-155-0x0000000004000000-0x0000000004099000-memory.dmp

memory/4848-154-0x0000000004000000-0x0000000004243000-memory.dmp

memory/3828-157-0x00000000040C0000-0x00000000041DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

memory/2120-166-0x0000000072BE0000-0x00000000732CE000-memory.dmp

memory/3976-167-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F37.exe

MD5 c4ddd8bb189f2874fd7a9369ece35c92
SHA1 e53e275bbe5b1347b81e98f55d5f5e4928e005a8
SHA256 04eda95779ded417ce8c151a83ce783f2369df3e660caf7ba3a09fb0310352f4
SHA512 05ecde33d466ed86c562f3a6ef0db774ef8881f91ef494a24eef4f6b6e96a90c650c2d8c32711ee9528a858350461f0adf3e823577a214e83b410024cffee856

memory/3976-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2120-164-0x0000000004940000-0x0000000004946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F37.exe

MD5 c4ddd8bb189f2874fd7a9369ece35c92
SHA1 e53e275bbe5b1347b81e98f55d5f5e4928e005a8
SHA256 04eda95779ded417ce8c151a83ce783f2369df3e660caf7ba3a09fb0310352f4
SHA512 05ecde33d466ed86c562f3a6ef0db774ef8881f91ef494a24eef4f6b6e96a90c650c2d8c32711ee9528a858350461f0adf3e823577a214e83b410024cffee856

memory/3976-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3976-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2120-171-0x0000000004B10000-0x0000000005116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\538E.exe

MD5 c4ddd8bb189f2874fd7a9369ece35c92
SHA1 e53e275bbe5b1347b81e98f55d5f5e4928e005a8
SHA256 04eda95779ded417ce8c151a83ce783f2369df3e660caf7ba3a09fb0310352f4
SHA512 05ecde33d466ed86c562f3a6ef0db774ef8881f91ef494a24eef4f6b6e96a90c650c2d8c32711ee9528a858350461f0adf3e823577a214e83b410024cffee856

memory/2120-174-0x0000000005120000-0x000000000522A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\538E.exe

MD5 c4ddd8bb189f2874fd7a9369ece35c92
SHA1 e53e275bbe5b1347b81e98f55d5f5e4928e005a8
SHA256 04eda95779ded417ce8c151a83ce783f2369df3e660caf7ba3a09fb0310352f4
SHA512 05ecde33d466ed86c562f3a6ef0db774ef8881f91ef494a24eef4f6b6e96a90c650c2d8c32711ee9528a858350461f0adf3e823577a214e83b410024cffee856

memory/2120-175-0x0000000004970000-0x0000000004982000-memory.dmp

memory/2120-176-0x0000000004A00000-0x0000000004A10000-memory.dmp

memory/2120-177-0x0000000004990000-0x00000000049CE000-memory.dmp

memory/2120-178-0x0000000005270000-0x00000000052BB000-memory.dmp

memory/2000-181-0x0000000004290000-0x00000000042C8000-memory.dmp

memory/2000-180-0x0000000002620000-0x0000000002720000-memory.dmp

memory/2000-182-0x0000000002430000-0x000000000246F000-memory.dmp

memory/2000-183-0x0000000006950000-0x0000000006E4E000-memory.dmp

memory/2000-184-0x00000000068A0000-0x00000000068D4000-memory.dmp

memory/2000-186-0x0000000000400000-0x00000000022FD000-memory.dmp

memory/2000-185-0x00000000042D0000-0x00000000042D6000-memory.dmp

memory/2000-187-0x0000000006940000-0x0000000006950000-memory.dmp

memory/2000-188-0x0000000072BE0000-0x00000000732CE000-memory.dmp

memory/4848-191-0x0000000004580000-0x000000000467E000-memory.dmp

memory/2000-192-0x0000000006940000-0x0000000006950000-memory.dmp

memory/2000-190-0x0000000006940000-0x0000000006950000-memory.dmp

memory/2728-193-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2000-194-0x0000000006940000-0x0000000006950000-memory.dmp

memory/2728-195-0x0000000000400000-0x00000000022FD000-memory.dmp

memory/4848-196-0x0000000004680000-0x0000000004765000-memory.dmp

memory/2728-197-0x0000000006B80000-0x0000000006B90000-memory.dmp

memory/2728-198-0x0000000006B80000-0x0000000006B90000-memory.dmp

memory/2728-200-0x0000000006B80000-0x0000000006B90000-memory.dmp

memory/4848-199-0x0000000004680000-0x0000000004765000-memory.dmp

memory/4848-202-0x0000000004680000-0x0000000004765000-memory.dmp

memory/2728-203-0x0000000072BE0000-0x00000000732CE000-memory.dmp

memory/2728-208-0x0000000006B80000-0x0000000006B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65AF.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\Temp\65AF.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

memory/4848-211-0x0000000004680000-0x0000000004765000-memory.dmp

C:\Users\Admin\AppData\Local\4a33fd01-aa65-40a1-8020-d6bae9e3f0a6\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\4a33fd01-aa65-40a1-8020-d6bae9e3f0a6\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

memory/4956-225-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4580-224-0x0000000004010000-0x00000000040AC000-memory.dmp

memory/4956-223-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65AF.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\Temp\712A.exe

MD5 bc6fc20334b58e5a165e0ddec731e036
SHA1 3783de8edc863c1816fd2d529dfa19dc74827198
SHA256 3156688acbde069277ddd60c99f6e87c959c61ee7fccc636777b43e72b121758
SHA512 a75d761d2d82b9486296adc68162e329afa94a53429b52c93479882401f4849148b683824db2be03e1bddefda7beb2a7793c5aa1650dcb30f0304687aea8440c

C:\Users\Admin\AppData\Local\Temp\712A.exe

MD5 bc6fc20334b58e5a165e0ddec731e036
SHA1 3783de8edc863c1816fd2d529dfa19dc74827198
SHA256 3156688acbde069277ddd60c99f6e87c959c61ee7fccc636777b43e72b121758
SHA512 a75d761d2d82b9486296adc68162e329afa94a53429b52c93479882401f4849148b683824db2be03e1bddefda7beb2a7793c5aa1650dcb30f0304687aea8440c

memory/2120-228-0x0000000072BE0000-0x00000000732CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

memory/3976-226-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4956-234-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2120-235-0x00000000053B0000-0x0000000005426000-memory.dmp

memory/2120-236-0x0000000005430000-0x00000000054C2000-memory.dmp

memory/2120-241-0x0000000005A10000-0x0000000005A76000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a8cfb50a0e434d61c5950c39939c75ab
SHA1 bed51ce8cf805476ca8763e14a8fb83224734587
SHA256 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67
SHA512 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 b6202e87fd07357a95429a1ba16c97ee
SHA1 689fc11ec1ee44a9c13d988cee26a8ed0c8c17f7
SHA256 8d17b33235f7b02e4fda7c61d82caec01172b4d6a4ef66591eaceefb3d4c7650
SHA512 aa85fe74c6105919a5dac2564a389e8ef4fc8b183593b945c04e9808ba6e41ab5419cec93e9364928cc319b98fe46311925747fefec6f7df01f8c91493d16cb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 cde3004d458a86374c76b63425fc9b8c
SHA1 91ed2720991b113dc6ee6b5705ec24b270e081df
SHA256 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447
SHA512 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 f5bf7dfe93c6c2c850e6ddf85c0df37a
SHA1 d553798928b5e5f9089ee1e8eec666f9d4575f69
SHA256 c0fad6bb6ad3c59f9d5d55b33817227aacf59eba94a286b7c127348c567927c1
SHA512 164864ccc4ac6c7a8f67308ece60238208245d2bf14d2234390372075dc4b02d1131a4902d3a93a40130b5c812b3734753a5cfc9691239537f43c54e326f255b

C:\Users\Admin\AppData\Local\Temp\789D.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

\Users\Admin\AppData\Local\Temp\789D.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/4668-248-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4416-253-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4416-258-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65AF.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

memory/4956-255-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-257-0x0000000003FCA000-0x000000000405C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47D2.exe

MD5 8bb23abf06b5bdb0891e32e9ce73d904
SHA1 12a84875144cdb9bdc003a967292208299bc5c30
SHA256 7a8ce5022f910e4d871090dc4a176e571f99ed1c7269b0e19da9cc866bec48c4
SHA512 7839d991654d0670db40c7914e42cb6d8dc7eefe9d08f4adf99695b58df0e38ae4f8a90fe8ac8d0aa23d45f6ca0311b1a178393f764d7af41ed0b64c3eab96fd

C:\Users\Admin\AppData\Local\Temp\7D80.exe

C:\Users\Admin\AppData\Local\Temp\8551.exe

C:\Users\Admin\AppData\Local\Temp\8785.exe

C:\Users\Admin\AppData\Local\Temp\90FB.exe

C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build2.exe

C:\Users\Admin\AppData\Local\aa279b20-4977-4358-a695-c54aa2416fd3\build3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\E21A.exe

C:\SystemID\PersonalID.txt

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

C:\Users\Admin\AppData\Roaming\itsefbc

C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build2.exe

C:\Users\Admin\AppData\Local\Temp\F9CA.exe

C:\Users\Admin\AppData\Local\875eb8eb-035c-4e61-b8b9-709f87cfdebd\build3.exe
