Malware Analysis Report

2025-04-14 07:23

Sample ID 230915-lk7t3scf56
Target ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74
SHA256 ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74
Tags
amadey dcrat djvu redline smokeloader vidar 7b01483643983171e949f923c5bc80e7 logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74

Threat Level: Known bad

The file ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74 was found to be: Known bad.

Malicious Activity Summary

DcRat

Detected Djvu ransomware

Amadey

RedLine

Vidar

Djvu Ransomware

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

Modifies file permissions

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-15 09:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-15 09:36

Reported

2023-09-15 09:39

Platform

win10-20230831-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (41 identical rows, no details recorded)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13F1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\14EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\179D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe N/A
N/A N/A \??\c:\windows\system32\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4614.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8A42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build3.exe N/A
N/A N/A \??\c:\windows\system32\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3276121886-2679590765-2932751581-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\59d1e9b0-61e2-4a97-b16a-e1239dc57dcd\\122B.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\122B.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4228 set thread context of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4764 set thread context of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 3792 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4516 set thread context of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4436 set thread context of 1720 N/A \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4920 set thread context of 5016 N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe C:\Users\Admin\AppData\Local\Temp\42A8.exe
PID 4128 set thread context of 1384 N/A C:\Users\Admin\AppData\Local\Temp\42A8.exe C:\Users\Admin\AppData\Local\Temp\42A8.exe
PID 3236 set thread context of 1588 N/A C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe
PID 5020 set thread context of 1928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe
PID 4200 set thread context of 2404 N/A C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe
PID 2684 set thread context of 4104 N/A C:\Users\Admin\AppData\Local\Temp\cc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1856 set thread context of 1556 N/A C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe N/A
N/A N/A N/A N/A (62 identical rows, no details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\14EC.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\13F1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 3216 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 3216 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 3216 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\13F1.exe
PID 3216 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\13F1.exe
PID 3216 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\Temp\13F1.exe
PID 3216 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\14EC.exe
PID 3216 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\14EC.exe
PID 3216 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\14EC.exe
PID 3216 wrote to memory of 3792 N/A N/A C:\Users\Admin\AppData\Local\Temp\179D.exe
PID 3216 wrote to memory of 3792 N/A N/A C:\Users\Admin\AppData\Local\Temp\179D.exe
PID 3216 wrote to memory of 3792 N/A N/A C:\Users\Admin\AppData\Local\Temp\179D.exe
PID 3216 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3216 wrote to memory of 2132 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2132 wrote to memory of 3840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 3840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 3840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3216 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 3216 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 3216 wrote to memory of 4764 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 4764 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\1C91.exe C:\Users\Admin\AppData\Local\Temp\1C91.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3792 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\179D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1580 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Windows\SysWOW64\icacls.exe
PID 1580 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Windows\SysWOW64\icacls.exe
PID 1580 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Windows\SysWOW64\icacls.exe
PID 1580 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 1580 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 1580 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe
PID 4516 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\122B.exe C:\Users\Admin\AppData\Local\Temp\122B.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe

"C:\Users\Admin\AppData\Local\Temp\ca9f141a58fa5008e7d7646442ffe9c9e377c160663315687c608c7af108ca74.exe"

C:\Users\Admin\AppData\Local\Temp\122B.exe

C:\Users\Admin\AppData\Local\Temp\122B.exe

C:\Users\Admin\AppData\Local\Temp\122B.exe

C:\Users\Admin\AppData\Local\Temp\122B.exe

C:\Users\Admin\AppData\Local\Temp\13F1.exe

C:\Users\Admin\AppData\Local\Temp\13F1.exe

C:\Users\Admin\AppData\Local\Temp\14EC.exe

C:\Users\Admin\AppData\Local\Temp\14EC.exe

C:\Users\Admin\AppData\Local\Temp\179D.exe

C:\Users\Admin\AppData\Local\Temp\179D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1A7C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1A7C.dll

C:\Users\Admin\AppData\Local\Temp\1C91.exe

C:\Users\Admin\AppData\Local\Temp\1C91.exe

C:\Users\Admin\AppData\Local\Temp\1C91.exe

C:\Users\Admin\AppData\Local\Temp\1C91.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\59d1e9b0-61e2-4a97-b16a-e1239dc57dcd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\122B.exe

"C:\Users\Admin\AppData\Local\Temp\122B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\122B.exe

"C:\Users\Admin\AppData\Local\Temp\122B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1C91.exe

"C:\Users\Admin\AppData\Local\Temp\1C91.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1C91.exe

"C:\Users\Admin\AppData\Local\Temp\1C91.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\42A8.exe

C:\Users\Admin\AppData\Local\Temp\42A8.exe

C:\Users\Admin\AppData\Local\Temp\42A8.exe

C:\Users\Admin\AppData\Local\Temp\42A8.exe

C:\Users\Admin\AppData\Local\Temp\4614.exe

C:\Users\Admin\AppData\Local\Temp\4614.exe

C:\Users\Admin\AppData\Local\Temp\42A8.exe

"C:\Users\Admin\AppData\Local\Temp\42A8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8A42.exe

C:\Users\Admin\AppData\Local\Temp\8A42.exe

C:\Users\Admin\AppData\Local\Temp\42A8.exe

"C:\Users\Admin\AppData\Local\Temp\42A8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe

"C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe

"C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build3.exe

"C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe

"C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe"

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe

"C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe"

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe

"C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe"

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build3.exe

"C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build3.exe"

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe

"C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build3.exe

"C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build3.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\cc.exe

"C:\Users\Admin\AppData\Local\Temp\cc.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=43619 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW" --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcd9099758,0x7ffcd9099768,0x7ffcd9099778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1232 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1540 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:8

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s W32Time

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=43619 --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1872 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=43619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2200 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=43619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=43619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3012 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=43619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2196 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --remote-debugging-port=43619 --allow-pre-commit-input --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3316 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2540 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3e8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=3284 --field-trial-handle=1360,i,16222057896652393934,619103746175861589,131072 --disable-features=PaintHolding /prefetch:8

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\122B.exe

C:\Users\Admin\AppData\Local\Temp\13F1.exe

C:\Users\Admin\AppData\Local\Temp\14EC.exe

C:\Users\Admin\AppData\Local\Temp\179D.exe

C:\Users\Admin\AppData\Local\Temp\1A7C.dll

C:\Users\Admin\AppData\Local\Temp\1C91.exe

\Users\Admin\AppData\Local\Temp\1A7C.dll

C:\Users\Admin\AppData\Local\59d1e9b0-61e2-4a97-b16a-e1239dc57dcd\122B.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

C:\Users\Admin\AppData\Local\Temp\42A8.exe

C:\Users\Admin\AppData\Local\Temp\4614.exe

C:\Users\Admin\AppData\Local\Temp\8A42.exe

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

C:\SystemID\PersonalID.txt

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build2.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\a7df4f9f-66b1-4959-8249-45ed712f6a38\build3.exe

C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/1928-320-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

memory/1384-357-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build2.exe

MD5 d249cebde9fcfcddb47af02d6c10f268
SHA1 0c6a6a81326d9634b55e973cc4b0364693e9df53
SHA256 34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
SHA512 dfd33206b441eb51bd6c4544a11089d0f6754b124c43b7a33d6c7b3fd0de940df2e162337585dc7df66ac4ffb82fa404f140b877f531669bc84a9f8d1487a246

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\3d608e2d-4422-4cba-b1ce-f496cab1ed3b\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\39baf034-aa07-4ec9-b1ca-c4a187fdb381\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JS7S1RXL.cookie

MD5 1ea68c02878bcbdbf507508040a78bb4
SHA1 1506adbe3b73487bb5dfa7a9610449305dc64cde
SHA256 be3e49832e31e697e4d940555be2d73c4cec5329dca0ea0294a7b2d48edfc72c
SHA512 cc5b3ee6009d5666333063bb6657bf30844e5e12fabb380b72f0c0342940a39308a55cec95922d0958ac0931dc9d94341f26ee853b31377d34748439f8d23f0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 bfd0102806b3703dd5824bc3703ae7f7
SHA1 87a2569d8c23f9a773ce6dfabcbafcf1072b11a4
SHA256 e5383c59c5795192b3dc3f9c00718293443a3a396d1ebe4c393b85511a3a2b8b
SHA512 ab0f361e51fc7da9af17764dabb1f828172f53f59248b0f00bb87d3cc76756bd5c2f141f86f3b5c101f8a72c4c70de825fcc436be34c50a7ded74bcb7ffd285d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 ccae05f13debbf67093a4ca92f8a22f7
SHA1 2a05322d56af0818936938c680ad0d72b6ca0477
SHA256 ca6f597bf6228d733396ab5fcf18c7d2eff3de4fe805b33cd705fe039f35c67c
SHA512 19ed7de184fa674f66f53c2dbed9f40bc60ae7db5d4bbbbcba01931247faa7dc3e5b816a1b5fda364c33558e3bb1070f067879df47d92de2713178f6c9d59984

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

MD5 e330cd6b466f98cb365655e2cdf42168
SHA1 7692c5b40a70b9fc4a345b352c5d34f5a9fcc1d6
SHA256 7f1bae0be319ac3423a11bcb8a885bd28d1701cd9fa3f88902d8e48125fc1ee9
SHA512 87c88f3d215f7d6c2f2a0d82f9604ccb1b45d07d627ce135b4f9eebff660f389b3303c29d9646e44a37c1c0fc4ac75c865e8f1c5a389c35356915fd4f1443a52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 f79de0202854709b497c8a68437153da
SHA1 26b6f80263d363fc752e1152542cea5e20813f25
SHA256 d67a6a926c54468672372f1f91026ce8bd2b0d75146b41f931aa30017a74a08b
SHA512 c591f71211bbbe59a787569408bce6b2da6a3fdcd6362cdcca083f7f8b59b1991b278385f963174fb89fb08e930863492cc8e7b3976154c52111284104ca1404

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

MD5 2e5b774e4e4cab5c36a85767bdf034f9
SHA1 6ecdc6e8e3bf397c3638f805f916c6e7e419e344
SHA256 cac3ed8aa44fe23522b3867172e3b0c1ee9d4ed55cf365adcfd21dd60b348f39
SHA512 ffd2166e297c3b3de89de9dacfa3f3c52f9aed210b0746fa8c9df61a1f5ae85f94016a5cec388631301033ad0cf77f34b2c955850bdd827c85115011f26c0391

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 2d2b6cafaa226749364effd3cb2f3f3e
SHA1 2952fde8815735ef19a34c07919bf7d686301fe6
SHA256 7bd22726b3a3fc351e2f95990bd2505996ffec83d62a380b9646980502228880
SHA512 4b05e660699f22daaaed1d72a91c958282f6395eea6fd7d71b099425cfc9a76b2098ef260832381d4c09dd66f08b1642fbb7ff55bdbb0a24de480516c7c2fdd5

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\39164030988770987539268144

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\08941765581014180060556835

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6c1a59c694d672e5691eb54e9f169ae5
SHA1 bd3ae7e091c33b31ed03dfc126d39fe1e4c44eda
SHA256 d9df2628101ae1fad10c93ae51f3713ec7db5e5762132319acce5b4c1d266c39
SHA512 afccd0d891cfc9ce6a53662c96f91ecd6832cdc33cb5b4b35c0d2795e7f6eaf24ffe32e84451219ddbc8c75a07097bb07d299b6b8543b4d00b84c4cbc795bc5b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6a12c4f475c734864623e8e1bbbeae2b
SHA1 40083b764290af35df572d3e7b7ba41be805610a
SHA256 6db6d8439969a396e8750319c934fd72b461505273edf88618306c00c0751faf
SHA512 e5cc98cb9c91809b63fc8bbfecdaa9307b78e32c8e7d8512a6b8679b2edc303e245a1f20f863d55af6ef2ff42a9dc99de8df244f5456cf5ecbc239b663c6ef8a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe596826.TMP

MD5 79a4397539ddeba9479e8157129902fd
SHA1 7ed5e5bd7a60797a35f0fa097a4a11c254efabc4
SHA256 395368e077f9a6fe59915b90704f6552868d558b6fb8b08b7020aec7f4207767
SHA512 77b438df99d625ea4e9918522fbe7e95a37492e445dc8f8482a6aa09b10827cfc37ad902e296343207efa4a415eb5f3cea5ad0b328831be3459a9542753c773a

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\ScriptCache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e0ca8120-05ed-4d30-95e0-009f37ab41ff\index-dir\the-real-index~RFe59799b.TMP

MD5 d82746717fc747146b75d034699f5f39
SHA1 7785fe9cd3d4f159ad5356363a0cc7b1cf552bfd
SHA256 48a617161f080d07bb4529e346f3dfb56dd40c53fb5a4ed5959d3faae9407157
SHA512 fa0a8763386f8348c99cf49f60a18061177ef63de164a2628a31c587ce3644683c9da14fb306d81ffed1522f6834a9f42361fca322170b5756695ae2c51f6bd6

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Code Cache\js\index-dir\the-real-index

MD5 8132315c0d55c2dce1c35d8f0a2ba4dd
SHA1 61c875b9ef0f82c7c43923860c22ea8f25f5ca34
SHA256 416f90fc24533d5770198c38c61aeb569f4a2dedd17fd6a3712c6f4df38e56ba
SHA512 932508db7b1ced981c22c0fc848a45a25756b2416d7995f890a08a8a505e1c9ffa9407415791d53f52193f280f317bdcd7160f903b002fc66abf0da6ff5700d7

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e0ca8120-05ed-4d30-95e0-009f37ab41ff\index-dir\the-real-index

MD5 3d73b6b536581ef24671d6d5aed90d8e
SHA1 a27abe065ff756d18ff9b4353d47fb94151881bf
SHA256 2c676853ae58352af425cae6c3a4628ae02b39ea1f542c03a5a1751d6c8ff6ae
SHA512 b09ab195797dfc6aebc0b3f7412b3d303b3527078f6a6cf339ebceff78ed4d82f168d11efba3a90dcaf9dd3c34724108f560601ada0c49884db270bf48cc2d5c

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ce7134720b902aefd11327670c658428
SHA1 bfbfe2eb8bdda8c478d9c982450de5c472486658
SHA256 0ea8f78bddce47b29698a9410aeeac4cc55ccc9b7b6dbf10420845250a77c1e0
SHA512 2601770eed7afb01bda4ae5bf0842669ad586a0446c8215b79bc6d9871ad5c7862525c9792e019a209c95529b93182270e566f61e60e343dd7f0b1fabaa9c8af

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 4af3c53a11ff78ada8e675aab9edd090
SHA1 e3e04de546644ebf05e7e91817c151575dfff503
SHA256 c9dc47e49b4b803e33dc9245be32745782ed868d7d2801aa79ef25621fbd3ea6
SHA512 9e560894a1576f9b89cccdf4995428001982e388a0c2eff0f30848f71831eafc944e63aae206ca9bc05167fc9310c0d2d0430a8ca71cd257dd03c86844cd3e85

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59797c.TMP

MD5 725742a8d9750e3bc1c4b1f236c49b87
SHA1 948eb78c72ca4df0b60e60d1a0dc6299f7907f9e
SHA256 8f0633b1ca228de4a78fe630845ab408c6fd80511e2bdeadd364a9150a778ba9
SHA512 116488179e7724f4ff0b521fb59e738859ac9a1d1c1defd1040b479406adcba79cd5e8b2f4104c3b00760cf2f19d4ba904f52a497d7af27a13cbc91ae18b1b57

C:\Users\Admin\AppData\Local\Google\Chrome\User DataOKLCW\Default\Code Cache\js\index-dir\the-real-index

MD5 253e668b3565af438a8d3020ac454646
SHA1 d5a23da218877b009830c94c78cf27c3c3757105
SHA256 d1e05298ecaa3fc2170abce41c05923a7ac0af09c0a5acef564e394ff8e51930
SHA512 5a8fa58f9963434e6fcde0247fbdc2f38a81f14bebc09ed85f225fe9f597630a8fa308d32bc95e3d9da9b9a0141508bbbdc6f5202b4627534980e143f5c79811

C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe

MD5 a137245d8bc8109c4bc3df6e2b37d327
SHA1 ed8973e65b2aacb60683787831de37e7c805fa6c
SHA256 f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee
SHA512 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00