Malware Analysis Report

2025-04-14 07:05

Sample ID 230909-zyf56sdh71
Target 34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846
SHA256 34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846
Tags
amadey djvu redline smokeloader amadey_api logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer ransomware spyware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846 was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

Amadey

SmokeLoader

RedLine

Stops running service(s)

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

GoLang User-Agent

Checks SCSI registry key(s)

Analysis: static1

Detonation Overview

Reported

2023-09-09 21:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-09 21:07

Reported

2023-09-09 21:37

Platform

win10v2004-20230831-en

Max time kernel

306s

Max time network

1819s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe"

Signatures

Amadey

trojan amadey

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FF91.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FBE7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\F936.exe
PID 3092 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\F936.exe
PID 3092 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\Temp\F936.exe
PID 3092 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBE7.exe
PID 3092 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBE7.exe
PID 3092 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBE7.exe
PID 3092 wrote to memory of 4916 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe
PID 3092 wrote to memory of 4916 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe
PID 3092 wrote to memory of 4916 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe
PID 3092 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\493.exe
PID 3092 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\493.exe
PID 3092 wrote to memory of 4264 N/A N/A C:\Users\Admin\AppData\Local\Temp\493.exe
PID 3092 wrote to memory of 7860 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 7860 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 7896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 7896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 7940 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A.exe
PID 3092 wrote to memory of 7940 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A.exe
PID 3092 wrote to memory of 7940 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5A.exe
PID 7896 wrote to memory of 7972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 7896 wrote to memory of 7972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 7896 wrote to memory of 7972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3092 wrote to memory of 7996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1020.exe
PID 3092 wrote to memory of 7996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1020.exe
PID 3092 wrote to memory of 7996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1020.exe
PID 7860 wrote to memory of 8012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 7860 wrote to memory of 8012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 7860 wrote to memory of 8012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4916 wrote to memory of 8104 N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4916 wrote to memory of 8104 N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4916 wrote to memory of 8104 N/A C:\Users\Admin\AppData\Local\Temp\FF91.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3092 wrote to memory of 3480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 3480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3480 wrote to memory of 5852 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3480 wrote to memory of 5852 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3480 wrote to memory of 5852 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3092 wrote to memory of 3040 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3092 wrote to memory of 3040 N/A N/A C:\Windows\system32\regsvr32.exe
PID 8104 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 8104 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 8104 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3092 wrote to memory of 5208 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F5.exe
PID 3092 wrote to memory of 5208 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F5.exe
PID 3092 wrote to memory of 5208 N/A N/A C:\Users\Admin\AppData\Local\Temp\29F5.exe
PID 3040 wrote to memory of 5136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3040 wrote to memory of 5136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3040 wrote to memory of 5136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 8104 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 8104 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 8104 wrote to memory of 5292 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 3868 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F5.exe
PID 3092 wrote to memory of 3868 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F5.exe
PID 3092 wrote to memory of 3868 N/A N/A C:\Users\Admin\AppData\Local\Temp\31F5.exe
PID 3092 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\433C.exe
PID 3092 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\433C.exe
PID 3092 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\Temp\433C.exe
PID 3092 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Temp\480F.exe
PID 3092 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Temp\480F.exe
PID 3092 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Temp\480F.exe
PID 3092 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE2.exe
PID 3092 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE2.exe
PID 3092 wrote to memory of 4604 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE2.exe
PID 3092 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\Temp\560B.exe
PID 3092 wrote to memory of 4952 N/A N/A C:\Users\Admin\AppData\Local\Temp\560B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe

"C:\Users\Admin\AppData\Local\Temp\34d0143c50446214a7c6fa2f05391f71605027ecb5cf7bc4f3530312aa2e7846.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

C:\Users\Admin\AppData\Local\Temp\F936.exe

C:\Users\Admin\AppData\Local\Temp\F936.exe

C:\Users\Admin\AppData\Local\Temp\FBE7.exe

C:\Users\Admin\AppData\Local\Temp\FBE7.exe

C:\Users\Admin\AppData\Local\Temp\FF91.exe

C:\Users\Admin\AppData\Local\Temp\FF91.exe

C:\Users\Admin\AppData\Local\Temp\493.exe

C:\Users\Admin\AppData\Local\Temp\493.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\84D.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C08.dll

C:\Users\Admin\AppData\Local\Temp\E5A.exe

C:\Users\Admin\AppData\Local\Temp\E5A.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C08.dll

C:\Users\Admin\AppData\Local\Temp\1020.exe

C:\Users\Admin\AppData\Local\Temp\1020.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\84D.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1F54.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1F54.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2437.dll

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\31F5.exe

C:\Users\Admin\AppData\Local\Temp\31F5.exe

C:\Users\Admin\AppData\Local\Temp\433C.exe

C:\Users\Admin\AppData\Local\Temp\433C.exe

C:\Users\Admin\AppData\Local\Temp\4CE2.exe

C:\Users\Admin\AppData\Local\Temp\4CE2.exe

C:\Users\Admin\AppData\Local\Temp\480F.exe

C:\Users\Admin\AppData\Local\Temp\480F.exe

C:\Users\Admin\AppData\Local\Temp\680D.exe

C:\Users\Admin\AppData\Local\Temp\680D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\70AA.dll

C:\Users\Admin\AppData\Local\Temp\7629.exe

C:\Users\Admin\AppData\Local\Temp\7629.exe

C:\Users\Admin\AppData\Local\Temp\560B.exe

C:\Users\Admin\AppData\Local\Temp\560B.exe

C:\Users\Admin\AppData\Local\Temp\29F5.exe

C:\Users\Admin\AppData\Local\Temp\29F5.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2437.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\70AA.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4296 -ip 4296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 292

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\rhuhgbb

C:\Users\Admin\AppData\Roaming\rhuhgbb

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\1020.exe

C:\Users\Admin\AppData\Local\Temp\1020.exe

C:\Users\Admin\AppData\Local\Temp\F936.exe

C:\Users\Admin\AppData\Local\Temp\F936.exe

C:\Users\Admin\AppData\Local\Temp\493.exe

C:\Users\Admin\AppData\Local\Temp\493.exe

C:\Users\Admin\AppData\Local\Temp\E5A.exe

C:\Users\Admin\AppData\Local\Temp\E5A.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3de18987-f878-4f0c-b2df-664e64d6bc16" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1020.exe

"C:\Users\Admin\AppData\Local\Temp\1020.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\493.exe

"C:\Users\Admin\AppData\Local\Temp\493.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\433C.exe

C:\Users\Admin\AppData\Local\Temp\433C.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\E5A.exe

"C:\Users\Admin\AppData\Local\Temp\E5A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\680D.exe

C:\Users\Admin\AppData\Local\Temp\680D.exe

C:\Users\Admin\AppData\Local\Temp\433C.exe

"C:\Users\Admin\AppData\Local\Temp\433C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\F936.exe

"C:\Users\Admin\AppData\Local\Temp\F936.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\Temp\680D.exe

"C:\Users\Admin\AppData\Local\Temp\680D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\7629.exe

C:\Users\Admin\AppData\Local\Temp\7629.exe

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7629.exe

"C:\Users\Admin\AppData\Local\Temp\7629.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\433C.exe

"C:\Users\Admin\AppData\Local\Temp\433C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5144 -ip 5144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 568

C:\Users\Admin\AppData\Local\Temp\F936.exe

"C:\Users\Admin\AppData\Local\Temp\F936.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E5A.exe

"C:\Users\Admin\AppData\Local\Temp\E5A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5928 -ip 5928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 568

C:\Users\Admin\AppData\Local\Temp\493.exe

"C:\Users\Admin\AppData\Local\Temp\493.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6708 -ip 6708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 568

C:\Users\Admin\AppData\Local\Temp\680D.exe

"C:\Users\Admin\AppData\Local\Temp\680D.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2256 -ip 2256

C:\Users\Admin\AppData\Local\0ebb33f0-0b5a-46b9-8c90-0fe1dfa77caa\build2.exe

"C:\Users\Admin\AppData\Local\0ebb33f0-0b5a-46b9-8c90-0fe1dfa77caa\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 568

C:\Users\Admin\AppData\Local\Temp\7629.exe

"C:\Users\Admin\AppData\Local\Temp\7629.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\0ebb33f0-0b5a-46b9-8c90-0fe1dfa77caa\build3.exe

"C:\Users\Admin\AppData\Local\0ebb33f0-0b5a-46b9-8c90-0fe1dfa77caa\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\fb2ba609-24eb-470a-8ab0-e8baf05f12e8\build2.exe

"C:\Users\Admin\AppData\Local\fb2ba609-24eb-470a-8ab0-e8baf05f12e8\build2.exe"

C:\Users\Admin\AppData\Local\Temp\1020.exe

"C:\Users\Admin\AppData\Local\Temp\1020.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7764 -ip 7764

C:\Users\Admin\AppData\Local\fb2ba609-24eb-470a-8ab0-e8baf05f12e8\build3.exe

"C:\Users\Admin\AppData\Local\fb2ba609-24eb-470a-8ab0-e8baf05f12e8\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 568

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 568

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 133.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 95.158.162.200:80 colisumy.com tcp
US 8.8.8.8:53 200.162.158.95.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
BG 95.158.162.200:80 colisumy.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
BG 95.158.162.200:80 colisumy.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
BG 95.158.162.200:80 colisumy.com tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
GB 51.89.253.22:31098 tcp
GB 51.89.253.22:31098 tcp
US 8.8.8.8:53 126.155.27.67.in-addr.arpa udp
US 8.8.8.8:53 22.253.89.51.in-addr.arpa udp
US 38.181.25.43:3325 tcp
US 8.8.8.8:53 43.25.181.38.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
US 8.8.8.8:53 amadapi.tuktuk.ug udp
NL 85.209.3.13:11290 amadapi.tuktuk.ug tcp
US 8.8.8.8:53 13.3.209.85.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 85.209.3.13:11290 amadapi.tuktuk.ug tcp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
NL 85.209.3.13:11290 amadapi.tuktuk.ug tcp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 184.139.19.162.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 lpls.tuktuk.ug udp
US 95.214.27.254:80 lpls.tuktuk.ug tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
BA 109.175.29.39:80 colisumy.com tcp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
KR 211.59.14.90:80 zexeq.com tcp
KR 211.59.14.90:80 zexeq.com tcp
US 8.8.8.8:53 90.14.59.211.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
BA 109.175.29.39:80 colisumy.com tcp
KR 211.59.14.90:80 zexeq.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
KR 211.59.14.90:80 zexeq.com tcp
US 95.214.27.254:80 lpls.tuktuk.ug tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp

Files

memory/3292-0-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-2-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-1-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-6-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-7-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-8-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-9-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-10-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-12-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3292-11-0x000001B850C60000-0x000001B850C61000-memory.dmp

memory/3800-14-0x00000000025C0000-0x00000000025D5000-memory.dmp

memory/3800-15-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/3800-16-0x0000000000400000-0x0000000002412000-memory.dmp

memory/3092-17-0x000000000B2B0000-0x000000000B2C6000-memory.dmp

memory/3800-18-0x0000000000400000-0x0000000002412000-memory.dmp

memory/3800-21-0x00000000025C0000-0x00000000025D5000-memory.dmp

memory/3800-22-0x00000000001C0000-0x00000000001C9000-memory.dmp

C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log - Shortcut (7).lnk

MD5 75dff4d43519e93acdb4f16424070c96
SHA1 62817d98f181d95c0dc57b90bf4e4d85d2cf4497
SHA256 3c02763a9fabeb24f5e820a6c359744e4f6e3ca4b9947292c63dbb399482df3d
SHA512 5e9da602bd02fcbc0e5e31b877080b0e2ad958b182ea5f6e7bf9e5f802be7e422bdac2a1c33e3dde94edf4f4f283e049cc1cab2657f8a12aab1195966a41ec75

C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log - Shortcut (7).lnk

MD5 433d3063d44b737a43f70ee0e1a45736
SHA1 986d6d1174fa36fe6d598a54bd259e6ee10d55ba
SHA256 2645fde9254c114632bae91005768a7482ee41c978f0bd8900adfb0bfa5b9167
SHA512 841b734b7f6d532d25e605ebb12ae3ecded5b26e5974646a3b61ad6e5e72e7621c58680c354daedd75c3c17e93eb1d8a1577bce8e95f90b7fe2a921d3ddc1775

C:\vcredist2010_x64.log.html - Shortcut (7).lnk

MD5 48fb45d0982d16f614017f0fa0850cc4
SHA1 6e34c65b2b056e5e90ef15cc247bccd0ec1c4a44
SHA256 1a5f8de12c72ee1ea5a123aea367db15aafeeafa736feca698dd24970adecf48
SHA512 39b611dc86394dbcec568e84dc235d0d42d620541414c2bed2bcea0e39ac00893e2d992afab41abbfb323dec618a891046b3e8f6571b5f2c06aa93ddbd3cd7ec

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt - Shortcut (7).lnk

MD5 b5374846e8896f9f00f0f762aefb7262
SHA1 808b4badb6a52a226e297b56a6d1f14ac21e5ee3
SHA256 b145ba8e8a84577781bd3e3ef4c0293f6ba37d6443b3579a12671eca7d664845
SHA512 5177582d20ed68d3c794dee96e805de0658a12c7dc6eafb5a4c4a147cce94bbae02a8d03faadf7a4f2c8401f75fa19be1e3900c2bc0609627247ad3dc7a686ea

C:\vcredist2010_x86.log.html - Shortcut (7).lnk

MD5 e22ef9895679e6c983be94c84e819d38
SHA1 a8e3a7d697b7c095a60c56bcf639d8ee30200143
SHA256 598f28e85a44f12e823c7b51749321c9108bee180b3fd43e73a4e76c1ec2d77a
SHA512 89f4917e5f606af17718569a8fd2f27fd85b421ace769d1f2c8ee5aeeb31b16aea56edb97513f50be07ccae461378f068cc4d595d85180f4b0f808e8f05eecbd

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt - Shortcut (7).lnk

MD5 3cfa1e477cddfa4071dc716ad5efd8b6
SHA1 f5ac697e90c801a46edb1ce1f11dbed174aef9be
SHA256 1743d20dea8d4c60057797fd0bb10616d3e3456ee27cd5840f13577211377c01
SHA512 2fd85db915ac390e4f673d24d049cdc0bad5b811f2da2ef95e3616d13571f51793ea0b55daca2e0b6217302ed8b28bd319596f683e1392062dd754558d5f546c

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log - Shortcut (7).lnk

MD5 39514ae0bc453f9e43752eea61ef2686
SHA1 d142db7c928d654b7e2962393a897b2ae2caef30
SHA256 af9320e8e76a5e55d121f98571f733ae357d9944540f3392de48864c7112508e
SHA512 29e0e305c1a42009b2d9a2e0e40238d2e6dc4960f62bad08b32781f7673b340c13bc495aae45a7367541e2ab29096bdb3b02140443f6441558466af95b3dcc5a

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log - Shortcut (7).lnk

MD5 4b38bec3d11ddb62f89a826a6dbc3846
SHA1 40abc78819d104cf5cd6287c22530f04b26ee1bf
SHA256 8b36c1459f4f331b559f59cf01a1357bcbb32cc55d2c570025bd6b87521c9d0a
SHA512 1eb648595d9da0e89499a328f550b9f0ddd678d8bc5395a3d1ae2caa40bcdf184ec9d1a9454fa4b85efd5a5983e597a497410b043bc0cd02c0c5e67a3423ca49

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log - Shortcut (7).lnk

MD5 b87596f6feba38b4de761fc559d665b0
SHA1 814cf42431f0d34e51c86530e93c3b364b57bada
SHA256 e2df1aedd54d2277a2cd4fd30195a3fd2cf2c9f811e8308f6bbcdda31902f8be
SHA512 ff4f7bc0a9f4a12f95dabd92a2b2342964b8d0dbb65667510db9094f8f8ab897bca20bc2d76f72a48ecaa9e101f97e8817488438ca5146d6da4a41c7f7b399bd

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log - Shortcut (7).lnk

MD5 6fcec2e6533f04647f2f13f1d1aa9d52
SHA1 32196ebe173e90b1e522460e723da16578f11c72
SHA256 ae0adac89cb79aedf4c758b88f7fae0066b9a20acb48be0478773b03f056e111
SHA512 cc55938a15ffada6ce15f3731f03f01d906116bed8939d01b36b30b9777458c742016e30c6ce3cc9b795719c3230650eccd8820883d701a9516aab7d6c3516b1

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log - Shortcut (7).lnk

MD5 3bc8e1840e3f2e76345fefa05955a18e
SHA1 6178f1809980a174c06e078da5551b816a2805eb
SHA256 7926f782861c7783a5abe41f938d6808229d17ea5995ff0f8c129345793f13f0
SHA512 bcec58651b24fa71f6b3c65a0cd4ba271da5b796c1a7588cbb770167248982029a19686e1e2ce012f6d19bb33b8360664c99beff1e317cdc551805e520992a9c

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log - Shortcut (7).lnk

MD5 77a2ad493ebfe6a016b4e110c0105e69
SHA1 7870b85b51b50181de498579734105450a312b7d
SHA256 691a5f37dcd70f4350a007134aba588832164d8993425bc60ba3828db5d99bce
SHA512 cd1fd01f609b795389465fc1ba8fed513fdd099a9ab6f7288f3971b2dbf89c35e08f386b5ec2b751eb635e177793597398020d5ce5583aff97b108512774e6f2

C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log - Shortcut (7).lnk

MD5 6ba272c9e384dc3486588f843f378b87
SHA1 2df8ff95e9b9b1c04a39d00d42a48d97dd5de3b3
SHA256 5b7fc6f53639e6ca0d4d92f07ebb1dc4d9776d9a4798a34ac8aa4f65fbe435b9
SHA512 f566fe600617838fd413686f3073dc9fbd4b1843d852609ce1717e1052ace440d7427b592a731e3b342ebab8129aab4fea24599af279d178f4e531a2c8d59585

C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log - Shortcut (7).lnk

MD5 fece67dd8964de208f34b48f2eb63eb8
SHA1 44e195d274c474cd4493d40466d1c0aede9889cd
SHA256 fc4627aea4fb974ca66aa27c2995ab416a0bc9c9afdc8630018b2f6ebde831a6
SHA512 052ce44087af02a150e7a770159894dfb9fcb7a5001e10a42af4fe0b03a29bab99e09c32414e94281f5e9b4d4e3d87c1ddd2aae324ac3c15906a15fb299339d1

C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log - Shortcut (7).lnk

MD5 a55dbd23bda8c85f57c00bdd2c266af5
SHA1 f7fb5502c48536a6e67041c611336cb24a964cd5
SHA256 3ec00d0d98d8e7f1e226edf2f2017a2e77680b1ba77f822cdf10034235a0fe67
SHA512 1ba80f548ae067494e63508eb7090362d129e26745bcd7f88823786742fe6d22ec3b775ccd357809c6c303079c362bce3b43b3550205b12f871abfbaee448db2

C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log - Shortcut (7).lnk

MD5 82e3952804c1d8a1cd9bc17f5ec3d4e6
SHA1 8fd09394da8b4d97f5457e3a5b2ae929cb5e922e
SHA256 1e3de108774f239422db4989c3137987f407e51143d244578529430fa7b7f6a1
SHA512 168ad042bc1824df6d179eeb0df585a276bcaa21100f714dd3b2a4004497b0b55adc49815317cb430b056b3cc4cdfc92565cc06fbf619e4c2af5cac6999d763b

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log - Shortcut (4).lnk

MD5 09f89bb817f2c19d3e0bcc14bb2e561c
SHA1 1ab72880018197bc9d585ab817af2d86699a343e
SHA256 81ffbf072f1fbce77b66be420e2ed569001f373b217f2d787b7ab6ba7412d1be
SHA512 863bea40cb68bce682b86a871cff85d657f67cd1740e8c4c855a705039de227c89a85fa8254dd20495cf3fcbfbb60778981c00c4843ce40669af2fbb0b2e4ed3

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log - Shortcut (4).lnk

MD5 7090f87e16dbac0d7e980c962882aa83
SHA1 804a8d258ba0dadde01378014149f77e0c5632f7
SHA256 449fb52f62bd3813444e6ea90df8377be245834bd4c2f0cafcfab2d9ed14af1b
SHA512 56327ef1494ec29b05e2242e2c90cd0449e540e7b398c0c2254771f56d79748578ab05f6bc4b17471bd8cee87e8b738f8dbab64409a2c8efe7b8403bd152d9a1

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log - Shortcut (4).lnk

MD5 748f57b59286fcd949e03e02d4152d27
SHA1 21e0ecc8532d3a7b15c91d950ce02c2b2b500434
SHA256 12bc711d8cc26a30a3a15a325dfc6d3474b354fc553fb6677cd02fadf09fed35
SHA512 06df368aa88c5a777598fb05377ee3390604e5da9c8dda46c95ec18269890ceba43e26e15d213ae131ffed8bf3280ad382f5ad4b27379c608dcbe8aef633c261

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log - Shortcut (4).lnk

MD5 9d2572fa24519126b251b720a4d559bc
SHA1 c9d70714a46c3d9c990cfff80a994011438c7153
SHA256 caff0e087199e3158ea571540f672e3907e5e0d8ac32d7d2bdd87a8fb503d0f6
SHA512 bb533a2fd6ca87a77df3c64758c5621b5ba0e08ec18693abb81d20099b8eeb164f82090ea22a14b2091d6b9cd01edc39f5e432a95765eb97bf270bafd647fbda

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log - Shortcut (4).lnk

MD5 0781e1c0295f1e1637161b39881d2922
SHA1 8c2fab7a77d03976c005831a23d2ba226e7044b8
SHA256 fdd48fb6048956f44656137067e2f39a322d08801e266ed6a0891248deb37bcd
SHA512 32c7e51da2390415c4be2ee262f493bd36efd94e72827d65def3c8cec50320c188da909bceba32ed395108d5af68eb229f347eed406957894379219d636af025

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log - Shortcut (4).lnk

MD5 248f0222c0f04d1626ba172254943d0d
SHA1 52bb4bcc31b6a7898c5a6eff4f187c07a51a3f89
SHA256 00687fbb9fd46243a6db375c0974b1ca193d2672c13ea4d5a5556bddae01a67c
SHA512 f112699148d4ae9f10ffe08bb48db22af00d8b9e0fc8579c3e1bd0a8994e15abfa4be8bdd144a362a46a05a4f23aaa568f1954685ab0d079422a3dbd8f9ca503

C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log - Shortcut (4).lnk

MD5 fec804f9a8c90c8eb7ed6fd65429f8d7
SHA1 4a55bbae696a19a268acfb5b23584abb94cdcd0d
SHA256 362a541401e539045cb610f3e4b91013d8ae8d026bee8477d247a49be9ff2135
SHA512 27579469cebc82c0fbfb50545ef5ccba927ebdde7337d11822582cd5f5e7dd3a79c65732df05e75c6b7466800b13cbaa955495b0d9e981ee3600f1656c826e31

C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log - Shortcut (4).lnk

MD5 2ba745503f732fad5f7d44ff59b22fab
SHA1 b2780f76b0ddcb1562cd4c57ebd01a5315e5a93c
SHA256 ccbbffeeb9dc3ccc47041a2b44dec4a8d0c573cc30596e5617768dbb1c487f6e
SHA512 0e44577562571d6281f8d94cbb1603900f5c58400ab8ceb882ccaf7bb18692dbd6f0bcc9833bc0a1f87e3016ef70e0528147d86060fa352b38b45c3340e5083a

C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log - Shortcut (4).lnk

MD5 7bf57257dc8da3280b675fe05182bbf6
SHA1 d2962c1e23b3ff34828539a4c310220f3d9d412d
SHA256 3bf422373795fce3e129998f3063bd60124fc8dbeb5de20ed6bceae85051b2b8
SHA512 0ce9a9c12cc7451129439f4776e8572a7a8774fc4ed3e9ccd75cf8b6d7839a7a534c726c0d0224a5bad71942194f33649ea178918a174ac8543007f523127d06

C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log - Shortcut (4).lnk

MD5 00eaaf45ff676a7001f39aaebc855bf5
SHA1 e517e4d0734c676daff65e42fdd831dc4f7cea9d
SHA256 c49b4114a9448cc0af4b477b75431b844307814bf5abf67a2541f6910335a29d
SHA512 a306e2bdfed89bb001bc45c36ac08624bfe65585eb7347b04d68fb7afd292bbd964a1c2fef6a7b87c44cc246fa9991b3b8afea2ae221dd9048b1f7fad793bc3c

C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log - Shortcut (4).lnk

MD5 d2110bdc46e21af8819640041e8d0694
SHA1 ca592e0f5d12661842a16f27a93c5af94e5a896e
SHA256 c17e1e8ae1e0c52469a8b82da923061ad8797e796e4caaba1c63969bd9d14202
SHA512 462a2194437f18e620182dcf0fbdb5fc7282dedb2cb43660cb993e9a858c2cdbbc68c3e5c2cc9d7f297be76de826a223fd73607bd17094620283ff19695b2e8a

C:\Windows - Shortcut (5).lnk

MD5 a6491442c3f653de48837e6914bea80d
SHA1 8ba769cf763a0657f6884a8e922d72ae9196eb32
SHA256 7c3307837b937940bd1e47b15e3dd17bc38ffb8e0d291752676181f9428fa3ac
SHA512 068b0d1fd532502b7014c7af1875d6599097dc2a26a3702e6b32d9a27e69aa00866aa129bc0124995108845751aa3d8623cd9a7edbecadcebe13ffff55768974

C:\Windows - Shortcut (2).lnk

MD5 52e9c57e35c5f06a103eb4b552c622ba
SHA1 4f2a734ced47c01454eddf21b16a593452af3955
SHA256 9b412b8d3937a64144cc0877d21d39bff94e302eaf0c346bcdee74faaca2a489
SHA512 7c09b48a1d2213766ad368f0009fe26c0b0f0bc86a62bcf7aa8f103d937969acccc61e1a30e8305fc8cbc0e3a0be47279d0033158c0af95b1d99a0c8a5fd1f39

C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log - Shortcut (4).lnk

MD5 b064e0ce970693bd0b3bb977798f378e
SHA1 c9a7ec168a4bb1a2ce6f4e05a9aa6288c4898399
SHA256 58faa4733f59bf111b810eee6a4769926cead2ab68369848ebabfccdcbcc96d1
SHA512 b261f7cfded7c31da19ac20cad67dc3a5edadc2b722331f7b9cf9744102516e5f03c6f1b3f37aa0189f4e9969d084ce1341f83e0e014c9c81e5bd706004f84b2

C:\PerfLogs - Shortcut.lnk

MD5 c3fd11e82279bbd96a4b423f7bd8f9d6
SHA1 9e85d6851bf15795de2eaa66ff4eb66d6523d8c5
SHA256 37e4de88599e0025d267f51225461be6eebe06a2d52500c7aa2f58f98aa5b443
SHA512 d72b4a4c1d877833b6ed149bf08e67cdf5af8c9141d5677d4f03559d9a45ca35080529cf929edbabaad0f302e92d1c5b2558ed03aafcaed4e1d7715340597fc9

C:\Users - Shortcut (3).lnk

MD5 5e5e589a863f59bc8eef6ffc0b5f18a0
SHA1 318f3f15a1b836857d11d48754b5d8aebad57c9d
SHA256 72f0bb8b50a249f0a363df7812125c29481e6c344899865302658fe0140842b0
SHA512 49fa43d0cc790c923b6dfd22471a47630d169b9393f7bc2056982a23cbea592484bc90e0dfe96e9ffde71d94c17ee12fe3f43577328d1715067ab20010b82c61

C:\Program Files (x86) - Shortcut.lnk

MD5 005b043a29edb0d8a8d854764d0bb919
SHA1 aab785a1e2e3dbb4af68cb0bb7b32fd01bf15c6b
SHA256 e04c96dcf42573394a6c01f7b3be3aa53c1910ad3ee662046253f57b167ec3aa
SHA512 93ccd82a719500c1c9cfe10f9ecc7f9e322111d1f57bac7afbe6d9e085285113edebf0b216f5da49d58a732ed81c39fda59d057c4734014ceda952e491c9489c

C:\Program Files - Shortcut.lnk

MD5 1f2167d91b24f03d078791ce65eba718
SHA1 9a099781a76986d1c3c0bf8b24074cb8838faccd
SHA256 48a66d04dd41ae886f7f49ff785b32241dc128951dfb0e63577bc4ef3d883b9a
SHA512 5a679dfd4f8be99d885f587e53070863c5b0d15d8dd0a4461ec424224348720821354835d3e06d33fde5c23e5e4f1c3b7ffedf3a9ffc2d6759088780ddcf3787

C:\odt - Shortcut.lnk

MD5 89fe13e57a47747c59299e71a5c2fd98
SHA1 d15e81d4d1c64e0b5376650dd527ffdd7cca4898
SHA256 17507903429ea75ad618c6c8d74d59b8672b882bcea935c12bb496556bd6a6d6
SHA512 ebbc95f89d686aa29bc8d447f20db234c9ebc5fd5d06c873f7a83f5839ddaa865f5152bc1b0da5e478bc6ec07f633eeea2bbfabe4dd450c751c63e1255725d66

C:\vcredist2010_x64.log.html - Shortcut (4).lnk

MD5 c6e8eb5a2988db29817947dc41d18b97
SHA1 24836daa6c905d6abed3fd16acdd1327e95e95ec
SHA256 21e6275ef571848ecd6fe77892355eb6e86c89842243f32c424e7ab771f1e6a6
SHA512 9ee643000d8d30139791dc1d45d66b5d6273459f4ace5a6808b01dd8352c4b60e4c5a8bf5b04cf6af0d6cce19ec2da22f4b0aa05832007c12317f31bf1f5f000

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt - Shortcut (4).lnk

MD5 5cb1eb9fce8c80bab7317b83c51cc310
SHA1 11fae053d64cef42924e389bd39eb3b71b9ca2d1
SHA256 94f6f4644200fe4d3e6827834921f90fbf18a25202e6d3b40ca8df0616796398