Malware Analysis Report

2025-01-18 07:43

Sample ID: 230814-tk5zgsfc6y
Target: 085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8
SHA256: 085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8
Tags: djvu redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) lux3 pub1 backdoor discovery infostealer persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network

Analysis Overview

Score: 10/10

SHA256: 085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8

Threat Level: Known bad

The file 085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

RedLine

Detected Djvu ransomware

Djvu Ransomware

Vidar

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Deletes itself

Modifies file permissions

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-14 16:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-14 16:07
Reported: 2023-08-14 16:10
Platform: win10-20230703-en
Max time kernel: 88s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EABE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ECE1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EF63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F168.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5FD6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\713C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7C1B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bd0e24ba-6ad7-458b-aad1-a3a5edc81665\\EABE.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EABE.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ECE1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\EABE.exe
PID 3204 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECE1.exe
PID 3204 wrote to memory of 5028 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF63.exe
PID 4288 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\EABE.exe C:\Users\Admin\AppData\Local\Temp\EABE.exe
PID 3204 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\Temp\F168.exe
PID 5028 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\EF63.exe C:\Users\Admin\AppData\Local\Temp\EF63.exe
PID 2776 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\F168.exe C:\Users\Admin\AppData\Local\Temp\F168.exe
PID 3204 wrote to memory of 1564 N/A N/A C:\Windows\SysWOW64\timeout.exe
PID 1564 wrote to memory of 1556 N/A C:\Windows\SysWOW64\timeout.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 1916 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1916 wrote to memory of 992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3204 wrote to memory of 4544 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CD.exe
PID 1168 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\EABE.exe C:\Windows\SysWOW64\icacls.exe
PID 668 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\EF63.exe C:\Users\Admin\AppData\Local\Temp\EF63.exe
PID 3528 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\F168.exe C:\Users\Admin\AppData\Local\Temp\F168.exe

Processes

C:\Users\Admin\AppData\Local\Temp\085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8.exe

"C:\Users\Admin\AppData\Local\Temp\085845f88b6e98c6a1391e1a65617a221a5142b173c0f8448b1a134b03815db8.exe"

C:\Users\Admin\AppData\Local\Temp\EABE.exe

C:\Users\Admin\AppData\Local\Temp\EABE.exe

C:\Users\Admin\AppData\Local\Temp\ECE1.exe

C:\Users\Admin\AppData\Local\Temp\ECE1.exe

C:\Users\Admin\AppData\Local\Temp\EF63.exe

C:\Users\Admin\AppData\Local\Temp\EF63.exe

C:\Users\Admin\AppData\Local\Temp\EABE.exe

C:\Users\Admin\AppData\Local\Temp\EABE.exe

C:\Users\Admin\AppData\Local\Temp\F168.exe

C:\Users\Admin\AppData\Local\Temp\F168.exe

C:\Users\Admin\AppData\Local\Temp\EF63.exe

C:\Users\Admin\AppData\Local\Temp\EF63.exe

C:\Users\Admin\AppData\Local\Temp\F168.exe

C:\Users\Admin\AppData\Local\Temp\F168.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FACF.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FACF.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BC.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BC.dll

C:\Users\Admin\AppData\Local\Temp\5CD.exe

C:\Users\Admin\AppData\Local\Temp\5CD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\bd0e24ba-6ad7-458b-aad1-a3a5edc81665" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\EF63.exe

"C:\Users\Admin\AppData\Local\Temp\EF63.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F168.exe

"C:\Users\Admin\AppData\Local\Temp\F168.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A43.exe

C:\Users\Admin\AppData\Local\Temp\A43.exe

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

C:\Users\Admin\AppData\Local\Temp\EF63.exe

"C:\Users\Admin\AppData\Local\Temp\EF63.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F168.exe

"C:\Users\Admin\AppData\Local\Temp\F168.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

C:\Users\Admin\AppData\Local\Temp\713C.exe

C:\Users\Admin\AppData\Local\Temp\713C.exe

C:\Users\Admin\AppData\Local\Temp\713C.exe

C:\Users\Admin\AppData\Local\Temp\713C.exe

C:\Users\Admin\AppData\Local\Temp\7C1B.exe

C:\Users\Admin\AppData\Local\Temp\7C1B.exe

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

"C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe"

C:\Users\Admin\AppData\Local\Temp\EABE.exe

"C:\Users\Admin\AppData\Local\Temp\EABE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe

"C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe"

C:\Users\Admin\AppData\Local\Temp\D642.exe

C:\Users\Admin\AppData\Local\Temp\D642.exe

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build3.exe

"C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

"C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe"

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe

"C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe"

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build3.exe

"C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build3.exe"

C:\Users\Admin\AppData\Local\Temp\EABE.exe

"C:\Users\Admin\AppData\Local\Temp\EABE.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 480

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

"C:\Users\Admin\AppData\Local\Temp\5FD6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

"C:\Users\Admin\AppData\Local\Temp\5FD6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\713C.exe

"C:\Users\Admin\AppData\Local\Temp\713C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build2.exe

"C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build2.exe"

C:\Users\Admin\AppData\Local\Temp\FC3A.exe

C:\Users\Admin\AppData\Local\Temp\FC3A.exe

C:\Users\Admin\AppData\Local\Temp\713C.exe

"C:\Users\Admin\AppData\Local\Temp\713C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build3.exe

"C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build2.exe

"C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build2.exe"

C:\Users\Admin\AppData\Local\Temp\286B.exe

C:\Users\Admin\AppData\Local\Temp\286B.exe

C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build2.exe

"C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build2.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build2.exe

"C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build3.exe

"C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build3.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\3184.exe

C:\Users\Admin\AppData\Local\Temp\3184.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1472

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

C:\Users\Admin\AppData\Local\Temp\4915.exe

C:\Users\Admin\AppData\Local\Temp\4915.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe" & exit

C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build2.exe

"C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

"C:\Users\Admin\AppData\Local\Temp\3BA7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build3.exe

"C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\dhgccsc

C:\Users\Admin\AppData\Roaming\dhgccsc

C:\Users\Admin\AppData\Roaming\aggccsc

C:\Users\Admin\AppData\Roaming\aggccsc

C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build2.exe

"C:\Users\Admin\AppData\Local\ff7d02f1-dd71-4551-b339-94d9d9644a6b\build2.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\3BA7.exe

"C:\Users\Admin\AppData\Local\Temp\3BA7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5D98.exe

C:\Users\Admin\AppData\Local\Temp\5D98.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 780

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\60A7.exe

C:\Users\Admin\AppData\Local\Temp\60A7.exe

C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build2.exe

"C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build2.exe"

C:\Users\Admin\AppData\Local\Temp\60A7.exe

C:\Users\Admin\AppData\Local\Temp\60A7.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\67AD.dll

C:\Users\Admin\AppData\Local\Temp\cli.exe

"C:\Users\Admin\AppData\Local\Temp\cli.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\67AD.dll

C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build3.exe

"C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build3.exe"

C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build2.exe

"C:\Users\Admin\AppData\Local\e4ee0873-8287-4d49-b77b-676e22ec0b89\build2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 288

C:\Users\Admin\AppData\Local\Temp\60A7.exe

"C:\Users\Admin\AppData\Local\Temp\60A7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\60A7.exe

"C:\Users\Admin\AppData\Local\Temp\60A7.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\36f01a50-79c8-4ef1-a631-a140d678cffc\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build2.exe

"C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build2.exe"

C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build3.exe

"C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build3.exe"

C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build2.exe

"C:\Users\Admin\AppData\Local\7b0ea835-9fea-4265-a340-380f012eee66\build2.exe"

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=34000 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataL9EBM" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataL9EBM" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataL9EBM\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataL9EBM" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffcb5bd9758,0x7ffcb5bd9768,0x7ffcb5bd9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1148 --field-trial-handle=1376,i,10101089199421452006,2575049531700366407,131072 --disable-features=PaintHolding /prefetch:2

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1544 --field-trial-handle=1376,i,10101089199421452006,2575049531700366407,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\Temp\setup.exe

"C:\Windows\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\72c7f5c2-fb93-4096-a1f8-0b318e1a6a93\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

MX 189.232.25.209:80 greenbi.net tcp
RU 185.149.146.118:80 tcp
MX 189.232.25.209:80 greenbi.net tcp
RU 77.91.77.144:80 tcp
NL 149.154.167.99:443 t.me tcp
DE 94.130.190.4:8080 94.130.190.4 tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
DE 94.130.190.4:8080 94.130.190.4 tcp

Files

memory/4852-118-0x00000000023A0000-0x00000000024A0000-memory.dmp

memory/4852-119-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/4852-120-0x0000000000400000-0x00000000022E6000-memory.dmp

memory/3204-121-0x0000000000450000-0x0000000000466000-memory.dmp

memory/4852-122-0x0000000000400000-0x00000000022E6000-memory.dmp

memory/4852-125-0x00000000001F0000-0x00000000001F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\ECE1.exe

MD5 a060fab23a37378e1603bbb37dbcc3c4
SHA1 7b051af36964d2a33a1127aa1bc772437a508cbd
SHA256 0f8eb3245a569035ee103d68752b0e816e83dc01c076d25abdfc98c49ee7001c
SHA512 772b0449895bf34cdb8420aaafa60d424603ed8920be0af4242e30f7f3a13ace96af7622291d92e5eade761d8cd86ac9d389375bb6a4e86e93786d98ac120dfb

C:\Users\Admin\AppData\Local\Temp\ECE1.exe

MD5 a060fab23a37378e1603bbb37dbcc3c4
SHA1 7b051af36964d2a33a1127aa1bc772437a508cbd
SHA256 0f8eb3245a569035ee103d68752b0e816e83dc01c076d25abdfc98c49ee7001c
SHA512 772b0449895bf34cdb8420aaafa60d424603ed8920be0af4242e30f7f3a13ace96af7622291d92e5eade761d8cd86ac9d389375bb6a4e86e93786d98ac120dfb

memory/4904-138-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4904-139-0x00000000001C0000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF63.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

C:\Users\Admin\AppData\Local\Temp\EF63.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/4904-148-0x0000000073950000-0x000000007403E000-memory.dmp

memory/1168-154-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4904-153-0x0000000000B10000-0x0000000000B16000-memory.dmp

memory/1168-155-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F168.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\F168.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/1168-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4288-151-0x0000000004030000-0x00000000040C8000-memory.dmp

memory/4288-150-0x00000000040D0000-0x00000000041EB000-memory.dmp

memory/1168-149-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4904-161-0x0000000009E70000-0x000000000A476000-memory.dmp

memory/4904-162-0x000000000A490000-0x000000000A59A000-memory.dmp

memory/5028-165-0x0000000003EC0000-0x0000000003F52000-memory.dmp

memory/4904-166-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/668-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/668-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4904-171-0x000000000A5E0000-0x000000000A61E000-memory.dmp

memory/668-172-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF63.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/5028-167-0x0000000004070000-0x000000000418B000-memory.dmp

memory/4904-164-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

memory/4904-174-0x000000000A690000-0x000000000A6DB000-memory.dmp

memory/668-173-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2776-176-0x0000000003FA0000-0x000000000403A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F168.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/3528-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3528-181-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FACF.dll

MD5 b8dfd5e196e6a5ff54c7a8534cc43225
SHA1 5d6fa2497e8c8910b059c4d156cf93b6d53962d5
SHA256 7e9bc698d3d4fd6ab4d9e155440fd4977d6ffd9f80a786c7be944ed386960277
SHA512 e60c2f66e1aba6ed523d125949d6acd8d04cdad7ef312e5788847d986ac313ca2362b15b4e5f2e7a736959e735955cee50abc1a8bf35558fab0299cf1d8d960d

memory/4904-183-0x0000000073950000-0x000000007403E000-memory.dmp

memory/3528-184-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\FACF.dll

MD5 b8dfd5e196e6a5ff54c7a8534cc43225
SHA1 5d6fa2497e8c8910b059c4d156cf93b6d53962d5
SHA256 7e9bc698d3d4fd6ab4d9e155440fd4977d6ffd9f80a786c7be944ed386960277
SHA512 e60c2f66e1aba6ed523d125949d6acd8d04cdad7ef312e5788847d986ac313ca2362b15b4e5f2e7a736959e735955cee50abc1a8bf35558fab0299cf1d8d960d

memory/1556-186-0x0000000000400000-0x0000000000674000-memory.dmp

memory/1556-187-0x0000000003320000-0x0000000003326000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\Local\Temp\BC.dll

MD5 b8dfd5e196e6a5ff54c7a8534cc43225
SHA1 5d6fa2497e8c8910b059c4d156cf93b6d53962d5
SHA256 7e9bc698d3d4fd6ab4d9e155440fd4977d6ffd9f80a786c7be944ed386960277
SHA512 e60c2f66e1aba6ed523d125949d6acd8d04cdad7ef312e5788847d986ac313ca2362b15b4e5f2e7a736959e735955cee50abc1a8bf35558fab0299cf1d8d960d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 594867da4d7e797ca4cdb3e324b533dd
SHA1 626dd3f5c79154f63b6fc4e2a608742c2d60fbe0
SHA256 3f6d3cc8adffbe2eec7cd78ea82ecfbe280be2cf85262f1b217426b8bce6be97
SHA512 8dbff29cb186ee4806180b881f336d8f05ca4fb402e17a20b93de395ffd127412c9a49477624313901a4d838021c7b6951670e331201228766777d533f6c084f

\Users\Admin\AppData\Local\Temp\BC.dll

MD5 b8dfd5e196e6a5ff54c7a8534cc43225
SHA1 5d6fa2497e8c8910b059c4d156cf93b6d53962d5
SHA256 7e9bc698d3d4fd6ab4d9e155440fd4977d6ffd9f80a786c7be944ed386960277
SHA512 e60c2f66e1aba6ed523d125949d6acd8d04cdad7ef312e5788847d986ac313ca2362b15b4e5f2e7a736959e735955cee50abc1a8bf35558fab0299cf1d8d960d

memory/992-198-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 319387344eb10ec24156b999b5762913
SHA1 2b72205b87a15576dd7c37fcaa4627fa459bd49d
SHA256 4f938ac7509081bd9423349625ed9115ed4fd33ae8f9c132f8ce9ff1254ed79b
SHA512 05b35e80b98e3150c2081dcbe500cd36275ccdec25321bcb90950e45ce9daa7946389304f2c785b26885c7614e53d59d00edfc3fa7a624aa677e7dfa76b20ae7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 c71acbbcaf7ce84e2ddc2d98cda70642
SHA1 cb9f41710dc102953ce400169020dd58bc3bedea
SHA256 189c4af50dd8180ed57bf24baeaff5685cdfa4ad58ca06a89a44a1cbdd6e09b9
SHA512 f198b97610211411d99684b6086940b53f175f0dd616704b0ff97fe32af444a68df9ab17a8276275898aef3825a818b6adcac4b913cf6820593ed8361447f515

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 979482ca9ef939d4a62f58866cbfeda6
SHA1 b0fcfbc8c9bf35a6c68d777e08a78b482127d34c
SHA256 30581896718a00f5ca49085d01bbb9d715d99231c20c46ee88e3539e7a117c35
SHA512 7baf0e98e8b8245d959cb6d232e366533d5a37bcd57fea13f979d422c019ad458a5b5a7d3b3bbed919750e128792444f692b1d583a8b9a96a83922bea4aa983b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 4bbc42e55934d47d22ecbb12757a6686
SHA1 5648b54bc628789c64117a45f7db2c39c883129c
SHA256 50637a5091c5dcaec04d42d8ce687bd258f7300b3adec8d68df70ca468ab2128
SHA512 474eff03d9f57958bc849812451fda369c50cb10e7166b9437028618aa60c10e045d969566cdf20c54b987cb2144f8e7e675dc32434b6cb5aff07df2bac3b2f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 b86a8dada9f6da3e78161e3d0b4a77d0
SHA1 c4a9351f6d2a6a61334bfbaef69a4a0b3240ab6e
SHA256 883a7f0e98cb1b343ea98c178e3cd92db4a187cda809fb182532364df0569e3d
SHA512 b037b9fb9c3f4fe9eec8b484bc56aa3a273c8013023dce4cb4f33363db5627c8c6dfd3545453cd24a8b0eb630b959421c9287d8a63db44768eb789356bbf532d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 9051d5184e0b4219d91fec9765879f53
SHA1 3665f7cb99ebda704a209c15b6fd59506abd4165
SHA256 53348727a101a7f58aa1e5d52628f45723f1c1c51124751f244dc6e26967305c
SHA512 957470943a64a90bbf59208e9141da8c60c563bba000d15432633e04e61d28362541a6e97fff7956fce01facadfb4140a048d13b3abc8630f574d92e9871da68

memory/4288-221-0x0000000004030000-0x00000000040C8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 38fe20464f4566665a3e93bc25958d45
SHA1 f1da804263c20548ab1520bb7f728cba31aa1af9
SHA256 aa075f76b582d3c8d6aecc2a2b643a6434a818e44b20933625a2c30d21d78d7a
SHA512 c1ed7d73f7864e274259580c432f6efcd5b08251fa7e131d731b8421cfcb440d6436a57bac81fa74db9f12eb3aef8853bdf5454773dc33d89354ba1e9ba2679e

C:\Users\Admin\AppData\Local\Temp\5CD.exe

MD5 554362f8a18333a0645fbb5f857ced29
SHA1 304d28994735fb95d13bced8dc0865f2ce67928d
SHA256 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
SHA512 458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 38fe20464f4566665a3e93bc25958d45
SHA1 f1da804263c20548ab1520bb7f728cba31aa1af9
SHA256 aa075f76b582d3c8d6aecc2a2b643a6434a818e44b20933625a2c30d21d78d7a
SHA512 c1ed7d73f7864e274259580c432f6efcd5b08251fa7e131d731b8421cfcb440d6436a57bac81fa74db9f12eb3aef8853bdf5454773dc33d89354ba1e9ba2679e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 21a174528f898ebb392a1e5d7fa38ef9
SHA1 6187da5b86870d8591480944d26528632ac33936
SHA256 4311092f3b0e19a2e760ba0a966e93861aa21e8c4cd0fd8f57303b612638a02d
SHA512 3d1f8325f69853d3767b88c1854261ebde22d556f78537d3490886c70a6925767c90b76b86d39b475bc200c2f456f1083489777e3d7f56bf7d74e8a1877a8312

C:\Users\Admin\AppData\Local\Temp\5CD.exe

MD5 554362f8a18333a0645fbb5f857ced29
SHA1 304d28994735fb95d13bced8dc0865f2ce67928d
SHA256 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
SHA512 458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b

C:\Users\Admin\AppData\Local\Temp\A43.exe

MD5 554362f8a18333a0645fbb5f857ced29
SHA1 304d28994735fb95d13bced8dc0865f2ce67928d
SHA256 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
SHA512 458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b

memory/3528-233-0x0000000000400000-0x0000000000537000-memory.dmp

memory/668-234-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1168-238-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A43.exe

MD5 554362f8a18333a0645fbb5f857ced29
SHA1 304d28994735fb95d13bced8dc0865f2ce67928d
SHA256 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
SHA512 458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b

memory/4904-245-0x00000000049F0000-0x0000000004A82000-memory.dmp

memory/4904-248-0x000000000A850000-0x000000000AD4E000-memory.dmp

memory/4904-243-0x000000000A7D0000-0x000000000A846000-memory.dmp

memory/4544-250-0x0000000004110000-0x0000000004148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F168.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/4544-252-0x00000000042F0000-0x0000000004324000-memory.dmp

memory/4904-251-0x000000000AD50000-0x000000000ADB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF63.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/4544-249-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/4544-257-0x0000000004320000-0x0000000004326000-memory.dmp

memory/4544-259-0x0000000002470000-0x00000000024AF000-memory.dmp

memory/4544-258-0x00000000024B0000-0x00000000025B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/4400-270-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF63.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/4544-268-0x0000000073950000-0x000000007403E000-memory.dmp

memory/4400-274-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-277-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4688-279-0x0000000004092000-0x0000000004123000-memory.dmp

memory/4264-282-0x0000000002610000-0x0000000002710000-memory.dmp

memory/4544-281-0x0000000006D40000-0x0000000006D50000-memory.dmp

memory/4536-280-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F168.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

memory/2888-272-0x0000000004025000-0x00000000040B6000-memory.dmp

memory/4544-275-0x0000000006D40000-0x0000000006D50000-memory.dmp

memory/4544-271-0x0000000006D40000-0x0000000006D50000-memory.dmp

memory/4264-283-0x0000000000400000-0x00000000022FC000-memory.dmp

memory/4904-284-0x000000000B290000-0x000000000B452000-memory.dmp

C:\Users\Admin\AppData\Local\bd0e24ba-6ad7-458b-aad1-a3a5edc81665\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/4264-288-0x0000000006AC0000-0x0000000006AD0000-memory.dmp

memory/4264-289-0x0000000006AC0000-0x0000000006AD0000-memory.dmp

memory/4264-290-0x0000000006AC0000-0x0000000006AD0000-memory.dmp

memory/4580-294-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/4396-296-0x0000000003FFE000-0x0000000004090000-memory.dmp

memory/4904-292-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/4544-295-0x0000000006D40000-0x0000000006D50000-memory.dmp

memory/4904-287-0x000000000B470000-0x000000000B99C000-memory.dmp

memory/4580-297-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4264-298-0x0000000073950000-0x000000007403E000-memory.dmp

memory/4400-299-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4264-301-0x0000000006AC0000-0x0000000006AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\713C.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\713C.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/4580-306-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-300-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2196-312-0x0000000003FB0000-0x0000000004051000-memory.dmp

memory/4536-313-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-314-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\713C.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/3252-320-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3252-322-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C1B.exe

MD5 8649a2d298c3b0b880233097a6a881c5
SHA1 6d9d1f166f5126b4af8498b6be067f89ca530553
SHA256 607fac77dbebfaa9f62c94a8bf90fc48863e539b86f9fe6eb2d5e746023b6bf5
SHA512 da04cb0676dffe5f49b184690b69c99b82957084cc5955c76178b589efd30609384e66751c7c23fd0257deb66a4d28e93d9d140142b00b62d78a1ede1fb16c4e

C:\Users\Admin\AppData\Local\Temp\7C1B.exe

MD5 8649a2d298c3b0b880233097a6a881c5
SHA1 6d9d1f166f5126b4af8498b6be067f89ca530553
SHA256 607fac77dbebfaa9f62c94a8bf90fc48863e539b86f9fe6eb2d5e746023b6bf5
SHA512 da04cb0676dffe5f49b184690b69c99b82957084cc5955c76178b589efd30609384e66751c7c23fd0257deb66a4d28e93d9d140142b00b62d78a1ede1fb16c4e

memory/4400-324-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4400-323-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1556-326-0x0000000005280000-0x0000000005371000-memory.dmp

memory/4536-334-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 6ab37c6fd8c563197ef79d09241843f1
SHA1 cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5
SHA256 d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f
SHA512 dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

memory/3252-335-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-337-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4400-345-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4536-346-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4400-348-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4400-350-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1556-349-0x0000000005380000-0x000000000545A000-memory.dmp

memory/1168-352-0x0000000000400000-0x0000000000537000-memory.dmp

C:\SystemID\PersonalID.txt

MD5 dbe3661a216d9e3b599178758fadacb4
SHA1 29fc37cce7bc29551694d17d9eb82d4d470db176
SHA256 134967887ca1c9c78f4760e5761c11c2a8195671abccba36fcf3e76df6fff03b
SHA512 da90c77c47790b3791ee6cee8aa7d431813f2ee0c314001015158a48a117342b990aaac023b36e610cef71755e609cbf1f6932047c3b4ad4df8779544214687f

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/1168-380-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D642.exe

MD5 8649a2d298c3b0b880233097a6a881c5
SHA1 6d9d1f166f5126b4af8498b6be067f89ca530553
SHA256 607fac77dbebfaa9f62c94a8bf90fc48863e539b86f9fe6eb2d5e746023b6bf5
SHA512 da04cb0676dffe5f49b184690b69c99b82957084cc5955c76178b589efd30609384e66751c7c23fd0257deb66a4d28e93d9d140142b00b62d78a1ede1fb16c4e

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\D642.exe

MD5 8649a2d298c3b0b880233097a6a881c5
SHA1 6d9d1f166f5126b4af8498b6be067f89ca530553
SHA256 607fac77dbebfaa9f62c94a8bf90fc48863e539b86f9fe6eb2d5e746023b6bf5
SHA512 da04cb0676dffe5f49b184690b69c99b82957084cc5955c76178b589efd30609384e66751c7c23fd0257deb66a4d28e93d9d140142b00b62d78a1ede1fb16c4e

memory/3232-402-0x00000000025E6000-0x0000000002619000-memory.dmp

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\d09923b9-d550-40eb-9448-9799f15dae2c\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

memory/3232-405-0x0000000002440000-0x000000000249B000-memory.dmp

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build2.exe

MD5 6076ec9fc98856b3b627751f92843a35
SHA1 5520b12ee2f8d39d6c8def16c7d472d08d43ec65
SHA256 a3ec2956fea5d99ce309b2b2209dc4dbcbf5330482ebbe46a754eb8c0885a209
SHA512 36bba1852037db9c81808382bca048cd94dcdbdaa1e7108e39493fa4d48aa9164b79abb44fb2f766592516b586a558d14b20ae6e8ebb131f61d738b892a6d1be

memory/1456-415-0x0000000002516000-0x0000000002549000-memory.dmp

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\5e36a7f5-59c0-42f1-93f4-0dac3388a516\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

memory/3580-432-0x0000000004012000-0x00000000040A4000-memory.dmp

memory/5112-426-0x0000000002570000-0x0000000002670000-memory.dmp

memory/5112-436-0x0000000002350000-0x0000000002359000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\Temp\713C.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb
SHA512 9084da3b47014b7a35d9c62f9cb38b6cedee9c27615d33e32ad038867c62a406081271fa0b35da7678eacc8420bdb314658e6959dfe952e84850a6ff39ab2bf4

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 6ab37c6fd8c563197ef79d09241843f1
SHA1 cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5
SHA256 d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f
SHA512 dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

C:\Users\Admin\AppData\Local\Temp\3184.exe

MD5 554362f8a18333a0645fbb5f857ced29
SHA1 304d28994735fb95d13bced8dc0865f2ce67928d
SHA256 7db4a17d481c2205c209742d495ae5752d770c4c9a06435d993b8c44fea7d337
SHA512 458621a6f23b53e5d13292b5f1147adec0f62325a3e4f1fefeb4a478e4707809c6c4898d73246baf708b3365cc58e69471d76e27c87c7c3e9d063d4949081e3b

C:\Users\Admin\AppData\Roaming\aggccsc

MD5 8649a2d298c3b0b880233097a6a881c5
SHA1 6d9d1f166f5126b4af8498b6be067f89ca530553
SHA256 607fac77dbebfaa9f62c94a8bf90fc48863e539b86f9fe6eb2d5e746023b6bf5
SHA512 da04cb0676dffe5f49b184690b69c99b82957084cc5955c76178b589efd30609384e66751c7c23fd0257deb66a4d28e93d9d140142b00b62d78a1ede1fb16c4e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0bb7e44d7a68b5b42bf90619c0966c1c

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\5D98.exe

MD5 436228b6ce496d3e4a36911f0b0ec465
SHA1 84627f74d472f066d4566ae894c887aa8b983060
SHA256 b6f607785f04df2fcd5fa6d1050b17ef6749e3e9af584e2a47fce3eb623d2088
SHA512 57bc704394564131774c4b898bc592d8314318e022e6f577050bd42edbd55d6d6016a69f23a5c4fdc675bedd080c3ce087d3e2257fcdf45fe4e637b9340c46be

C:\Users\Admin\AppData\Local\Temp\60A7.exe

MD5 ff584d2977080cc482ef59ba8989f523
SHA1 99438b1ea99018216ca2a4486d697614c9b9d19a
SHA256 75e0b55377343ebebb0d55ae63a70ccd0c5e8116de42dda76773ec55e1c3ce24
SHA512 912b28d1f67ab27daed084457c8a2c38b4e291828de0c0e45fa362c9b53fd845ee4e9642309c7185726954bfb8d4566a5f1d499014a464e54636be825d15369b

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw4gy4fu.0zw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\61851028210082310774107369

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\freebl3.dll

MD5 550686c0ee48c386dfcb40199bd076ac
SHA1 ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256 edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA512 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
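A small triage helper for a dropped-file listing in the format used above, added here as an example and not part of the original report or of the sandbox's own tooling. It parses the plain-text block layout (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines), groups entries that are the same bytes under different names (EABE.exe, 5FD6.exe and 713C.exe share one SHA256), checks that each digest has the length its algorithm implies as a cheap test for copy/paste damage, and flags two things a reviewer would otherwise check by hand. Two facts it relies on are not stated on the page: the `__PSScriptPolicyTest_*.ps1` files that PowerShell writes to probe the execution policy contain only the byte `1`, whose MD5/SHA1/SHA256 are exactly the digests listed for that file, so it is not a malicious script; and the freebl3/mozglue/msvcp140/nss3/softokn3/vcruntime140 DLLs under `C:\ProgramData` are the legitimate Mozilla NSS and MSVC runtime libraries Vidar stages to decrypt browser credential stores, so they should be diffed against clean copies rather than treated as the payload. The sample input is a constructed excerpt of the listing above with the SHA512 lines omitted for brevity.

```python
"""Triage a sandbox 'Files' listing: parse, dedupe by content, flag known-benign items."""
import hashlib
import re
from collections import defaultdict

# Constructed sample input: excerpt of the listing above (SHA512 lines omitted;
# the parser accepts them when present).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\EABE.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb

memory/3580-432-0x0000000004012000-0x00000000040A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5FD6.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb

C:\Users\Admin\AppData\Local\Temp\713C.exe

MD5 981e09477bac0f573460982de095424a
SHA1 e6f0e6cf3f39b8f2d49a08ffb981e9047de4e282
SHA256 71c1dbc0811c30e43f16836b3045e67d2cc1721093232ada21e8263bcb9fccdb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw4gy4fu.0zw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return [{'path': str, 'hashes': {algo: hex}}], one entry per path line.

    A blank-line-separated chunk made only of hash lines attaches to the
    preceding entry; any other line (file path, memory dump) starts a new one.
    """
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        matches = [HASH_LINE.match(ln) for ln in lines]
        if lines and all(matches) and entries:
            entries[-1]["hashes"].update({m.group(1): m.group(2).lower() for m in matches})
        else:
            entries.extend({"path": ln, "hashes": {}} for ln in lines)
    return entries


def malformed_digests(entries):
    """Paths whose digest length does not fit its algorithm (extraction damage)."""
    return sorted(e["path"] for e in entries
                  if any(len(h) != DIGEST_HEX_LEN[a] for a, h in e["hashes"].items()))


def group_identical(entries):
    """SHA256 -> sorted distinct paths; more than one path means one payload under several names."""
    groups = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            groups[e["hashes"]["SHA256"]].add(e["path"])
    return {sha: sorted(paths) for sha, paths in groups.items()}


# Content hashes that identify a benign file regardless of its name. PowerShell's
# __PSScriptPolicyTest_*.ps1 probe contains only the byte '1'; its digests match
# the ones in the listing above.
KNOWN_BENIGN_SHA256 = {
    hashlib.sha256(b"1").hexdigest(): "PowerShell execution-policy probe; body is the single byte '1'",
}

# Legitimate Mozilla NSS / MSVC runtime DLLs that Vidar stages in C:\ProgramData
# to decrypt browser credential stores offline (known Vidar behaviour, not stated on the page).
VIDAR_STAGED_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll", "softokn3.dll", "vcruntime140.dll"}


def flag_entries(entries):
    """path -> reviewer note for entries that should not be treated as the payload."""
    flags = {}
    for e in entries:
        sha = e["hashes"].get("SHA256")
        folder, _, name = e["path"].rpartition("\\")
        if sha in KNOWN_BENIGN_SHA256:
            flags[e["path"]] = KNOWN_BENIGN_SHA256[sha]
        elif folder.lower() == r"c:\programdata" and name.lower() in VIDAR_STAGED_DLLS:
            flags[e["path"]] = "clean helper DLL staged by Vidar; compare against a known-good Mozilla/MSVC copy"
    return flags


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for sha, paths in group_identical(parsed).items():
        if len(paths) > 1:
            print(f"{sha[:12]}... dropped under {len(paths)} names: {paths}")
    for path, note in flag_entries(parsed).items():
        print(f"{path}: {note}")
```

Running it against the full listing above also collapses the repeated `build3.exe` block and leaves the ProgramData numeric-name file and `bowsakkdestx.txt` unflagged, which is correct: those are sample-specific artifacts that need manual review, not known-good content.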