Malware Analysis Report

2025-04-14 06:15

Sample ID 230926-bgr94sec69
Target 2ba491f6b487017a1c58b647a7e05d3c.bin
SHA256 732ad92486a19cdc14298dc323bd9ca4d87043522960f2123809f186f4442fd0
Tags
djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor dropper evasion infostealer loader ransomware spyware stealer trojan upx discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

732ad92486a19cdc14298dc323bd9ca4d87043522960f2123809f186f4442fd0

Threat Level: Known bad

The file 2ba491f6b487017a1c58b647a7e05d3c.bin was found to be: Known bad.

Malicious Activity Summary

djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor dropper evasion infostealer loader ransomware spyware stealer trojan upx discovery

Windows security bypass

RedLine

SmokeLoader

Djvu Ransomware

UAC bypass

Glupteba

Glupteba payload

Detected Djvu ransomware

Detect Fabookie payload

Fabookie

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Modifies file permissions

Executes dropped EXE

Deletes itself

UPX packed file

Loads dropped DLL

Checks computer location settings

Windows security modification

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 01:07

Reported

2023-09-26 01:09

Platform

win7-20230831-en

Max time kernel

53s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9A4F.exe = "0" C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9A4F.exe = "0" C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2860 set thread context of 1520 N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\B83D.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\931B.exe
PID 1260 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\931B.exe
PID 1260 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\931B.exe
PID 1260 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\931B.exe
PID 1260 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 1260 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 1260 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 1260 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\94D1.exe C:\Users\Admin\AppData\Local\Temp\94D1.exe
PID 1260 wrote to memory of 2896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2896 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2896 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1260 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe
PID 1260 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe
PID 1260 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe
PID 1260 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\Temp\9A4F.exe
PID 1260 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACF6.exe
PID 1260 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACF6.exe
PID 1260 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACF6.exe
PID 1260 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\ACF6.exe
PID 1260 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe
PID 1260 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe
PID 1260 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe
PID 1260 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\B83D.exe C:\Windows\SysWOW64\WerFault.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9A4F.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe"

C:\Users\Admin\AppData\Local\Temp\931B.exe

C:\Users\Admin\AppData\Local\Temp\931B.exe

C:\Users\Admin\AppData\Local\Temp\94D1.exe

C:\Users\Admin\AppData\Local\Temp\94D1.exe

C:\Users\Admin\AppData\Local\Temp\94D1.exe

C:\Users\Admin\AppData\Local\Temp\94D1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9713.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9713.dll

C:\Users\Admin\AppData\Local\Temp\9A4F.exe

C:\Users\Admin\AppData\Local\Temp\9A4F.exe

C:\Users\Admin\AppData\Local\Temp\ACF6.exe

C:\Users\Admin\AppData\Local\Temp\ACF6.exe

C:\Users\Admin\AppData\Local\Temp\B83D.exe

C:\Users\Admin\AppData\Local\Temp\B83D.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 60

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9A4F.exe" -Force

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe

"C:\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe"

C:\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe

"C:\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe"

C:\Users\Admin\AppData\Local\Temp\is-5R1EQ.tmp\is-GAEFH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5R1EQ.tmp\is-GAEFH.tmp" /SL4 $201C6 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe

"C:\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe"

C:\Users\Admin\Pictures\U2ECg1q42RCBRqs9VdSwu50Q.exe

"C:\Users\Admin\Pictures\U2ECg1q42RCBRqs9VdSwu50Q.exe" --silent --allusers=0

C:\Users\Admin\Pictures\eKxXEbmcOIiOSP9NdMsD0oaV.exe

"C:\Users\Admin\Pictures\eKxXEbmcOIiOSP9NdMsD0oaV.exe"

C:\Users\Admin\Pictures\4ymUvP9swUPbWlDVJaoZUVpJ.exe

"C:\Users\Admin\Pictures\4ymUvP9swUPbWlDVJaoZUVpJ.exe" /s

C:\Users\Admin\Pictures\Wi98k8Hl6RPbT5kKvoe1CDa7.exe

"C:\Users\Admin\Pictures\Wi98k8Hl6RPbT5kKvoe1CDa7.exe"

C:\Users\Admin\Pictures\1I2ki0QT5jQSZFPROocKxfef.exe

"C:\Users\Admin\Pictures\1I2ki0QT5jQSZFPROocKxfef.exe"

C:\Users\Admin\Pictures\3wWmt9U3tQ1V7nycc7oHQkga.exe

"C:\Users\Admin\Pictures\3wWmt9U3tQ1V7nycc7oHQkga.exe"

C:\Users\Admin\AppData\Local\Temp\7zS71E5.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS785B.tmp\Install.exe

.\Install.exe /jyafdidIl "385118" /S

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gSBFOfFwE" /SC once /ST 00:32:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230926010903.log C:\Windows\Logs\CBS\CbsPersist_20230926010903.cab

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gSBFOfFwE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.170:80 apps.identrust.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 flyawayaero.net udp
US 104.21.93.225:443 flyawayaero.net tcp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
US 188.114.96.0:80 ji.alie3ksgbb.com tcp
US 8.8.8.8:53 jetpackdelivery.net udp
US 104.21.14.50:443 jetpackdelivery.net tcp
NL 13.227.219.83:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 104.21.35.235:443 potatogoose.com tcp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 8.8.8.8:53 galandskiyher3.com udp
US 104.21.32.208:443 lycheepanel.info tcp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
NL 194.169.175.127:80 galandskiyher3.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
PL 146.59.10.173:45035 tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 shihabfabrics.com udp
US 8.8.8.8:53 yip.su udp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 int.down.360safe.com udp
SG 111.221.45.75:443 shihabfabrics.com tcp
US 8.8.8.8:53 justsafepay.com udp
US 188.114.97.1:443 justsafepay.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
DE 148.251.234.93:443 iplogger.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
DE 148.251.234.93:443 iplogger.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 188.114.96.0:443 m7val1dat0r.info tcp
DE 148.251.234.93:443 iplogger.com tcp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.76.174.118:80 tr.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 iup.360safe.com udp
NL 151.236.127.236:80 iup.360safe.com tcp
NL 151.236.127.236:80 iup.360safe.com tcp
NL 151.236.127.236:80 iup.360safe.com tcp
NL 151.236.127.236:80 iup.360safe.com tcp
NL 151.236.127.236:80 iup.360safe.com tcp
NL 151.236.127.236:80 iup.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 52.222.137.111:80 sd.p.360safe.com tcp
NL 194.169.175.127:80 host-host-file8.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/2268-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2268-2-0x0000000000400000-0x000000000259F000-memory.dmp

memory/2268-3-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/1260-4-0x0000000002B20000-0x0000000002B36000-memory.dmp

memory/2268-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/1260-11-0x000007FEF6260000-0x000007FEF63A3000-memory.dmp

memory/1260-12-0x000007FE97730000-0x000007FE9773A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\931B.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

C:\Users\Admin\AppData\Local\Temp\931B.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

C:\Users\Admin\AppData\Local\Temp\94D1.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

C:\Users\Admin\AppData\Local\Temp\94D1.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

memory/2756-25-0x0000000002620000-0x00000000026B2000-memory.dmp

memory/2756-26-0x0000000002620000-0x00000000026B2000-memory.dmp

memory/2756-27-0x0000000003FB0000-0x00000000040CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94D1.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

\Users\Admin\AppData\Local\Temp\94D1.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

memory/2648-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9713.dll

MD5 48f159eb8ee833c75465d11649f27241
SHA1 210f681927a2e048fabd4fa555c3ebc894f9919a
SHA256 49595fa6ef17c2317e84c8a43385075bc3974f3bd957d86f7340be3948719838
SHA512 762233817ce8da045e326c66b96fd9f2d1fc89f2fb08109260ecb04426d9f4e66af49393407517ef062ceb334e72dd41d2ea449ab34ed51033a9d043a96be9cf

\Users\Admin\AppData\Local\Temp\9713.dll

MD5 48f159eb8ee833c75465d11649f27241
SHA1 210f681927a2e048fabd4fa555c3ebc894f9919a
SHA256 49595fa6ef17c2317e84c8a43385075bc3974f3bd957d86f7340be3948719838
SHA512 762233817ce8da045e326c66b96fd9f2d1fc89f2fb08109260ecb04426d9f4e66af49393407517ef062ceb334e72dd41d2ea449ab34ed51033a9d043a96be9cf

C:\Users\Admin\AppData\Local\Temp\9A4F.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/2632-35-0x0000000000150000-0x0000000000156000-memory.dmp

memory/2632-34-0x0000000010000000-0x000000001019A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A4F.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

C:\Users\Admin\AppData\Local\Temp\ACF6.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\ACF6.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/2652-53-0x0000000000D70000-0x0000000001404000-memory.dmp

memory/2632-54-0x0000000002250000-0x000000000235F000-memory.dmp

memory/840-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-57-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-58-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/840-60-0x0000000000400000-0x0000000000430000-memory.dmp

memory/840-62-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2632-64-0x0000000002360000-0x0000000002455000-memory.dmp

memory/840-65-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2632-68-0x0000000002360000-0x0000000002455000-memory.dmp

memory/2632-69-0x0000000002360000-0x0000000002455000-memory.dmp

\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/840-73-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/2860-74-0x00000000011D0000-0x0000000001262000-memory.dmp

memory/2652-75-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/2860-76-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/840-77-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/2860-79-0x0000000000D60000-0x0000000000DA0000-memory.dmp

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2860-88-0x0000000000CE0000-0x0000000000D1A000-memory.dmp

memory/2860-89-0x00000000003B0000-0x00000000003CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/796-91-0x00000000FFDC0000-0x00000000FFE62000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1584-102-0x00000000026F0000-0x00000000027F0000-memory.dmp

memory/1584-103-0x0000000000230000-0x0000000000239000-memory.dmp

memory/1520-104-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1520-106-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1520-108-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\B83D.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/1520-114-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/840-119-0x0000000000760000-0x00000000007A0000-memory.dmp

memory/2652-117-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/2860-116-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/1520-112-0x0000000073800000-0x0000000073EEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2652-135-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/840-136-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/572-137-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/572-134-0x0000000001210000-0x0000000001384000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1524-143-0x0000000004420000-0x0000000004818000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1524-149-0x0000000004420000-0x0000000004818000-memory.dmp

memory/1584-150-0x00000000026F0000-0x00000000027F0000-memory.dmp

memory/1524-151-0x0000000004820000-0x000000000510B000-memory.dmp

memory/1524-154-0x0000000000400000-0x0000000002985000-memory.dmp

memory/1520-156-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/2348-155-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1520-158-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/2348-159-0x0000000000400000-0x0000000000413000-memory.dmp

memory/840-162-0x0000000000760000-0x00000000007A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/572-181-0x0000000073800000-0x0000000073EEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9B6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1524-210-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71da863a6ae8928cfdcb1b75a3f48ee3
SHA1 56f2bb89c33829dcbf7ae708b374e4d06af0ce70
SHA256 c2f9c2447c174334725d0bf22ae69dcdbbdbeeb8e98d64151a8b56cfb832fe9a
SHA512 8f9704ae4396d44768cf0fa7377d438b3b796cb07f7ac539edf2c03bb1ac9a962655801ca348a642e212a10c65f0c4e7e288cffcbdcf60c03653f79c1f29f01d

memory/2348-233-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95d604ed19c10c79b84f64efab908b54
SHA1 7feac756a07d768f47ce2b12abebe71a837284e6
SHA256 967e8e4e02e9730151a6b2d9d8fd972d7df7b177f8ffa464db6f36ebf551b5e7
SHA512 5176d0c05b087065d4ec433c46ab2d7c2e4290999fc6d37ee2b1099e70da45427a0cd80864e0bb81cdea5af1f75dab4f06b91dbcd3021a7ad76abd6cb9e17d75

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4abe0e63f53198c10dd34b82c1a0b05
SHA1 a46aa1ddbb8779414f7269459a23c3ebd9a12fe9
SHA256 302264d85354ce585336949357a05d0730444ec83897efd4969218effe1e9138
SHA512 998ac54e895b640d0b503a5787cf83909e142c6853f196a4cdd5164d23412bc8ffb15576762a6923937b69c5269b75be842442d8f5949728cb60f39571043563

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2028-292-0x0000000070730000-0x0000000070CDB000-memory.dmp

memory/2028-293-0x0000000070730000-0x0000000070CDB000-memory.dmp

memory/2028-305-0x0000000002610000-0x0000000002650000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a66d11a097b14b717702640c596166fe
SHA1 cf83b4cfee228ba7f0b01b40e2e9e0e23f54c87a
SHA256 54f1c1935bd81e8659cac9b3b1a57d02cd4716ea40752832cfdf448eceae5e0b
SHA512 660416fd62a5f4ab330a7e281649a6dcf99d33b6360e7da60936565491cc21a551ada4abcfca4208a9b9857d5c92f282f79374fde7782d80cb59c4bb2f88b6bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa3d958112f141ecf7f604d5b6e04910
SHA1 11d12fb9e71b1fed8ab34cc531d5b2e9c318bdb4
SHA256 a3fcba22b5264803da5d54924f112663cd9baefb5b7cb48b605608937dd8c65b
SHA512 d7519d21ee4bf48b1a0aa9011f9cff12d70a6cb1591ece8c5e335f557be420a5056b082f6cfca487537d48061ac14f47123701f5597d2451d593eecfbffdbea3

memory/1524-314-0x0000000004420000-0x0000000004818000-memory.dmp

memory/1524-339-0x0000000004820000-0x000000000510B000-memory.dmp

memory/572-353-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/1060-354-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1140-356-0x00000000013B0000-0x00000000013B8000-memory.dmp

C:\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe

MD5 86dc946b2539fe7373bf5bdb2d48eb98
SHA1 8ec9733f5972b572666346423335fa604bb72f45
SHA256 3e9a8e3dab51e589d1e42bd5e3c887be7cdabe8b82730b031feadc47fbb2af0d
SHA512 d6e40000253b3c58e0acd27547da3e84f4305395e3fb76e0e29bf5cceb7b8cc0b9d3b5c33dcf1ddaae69fa6bcb8cc0fc7d969a5c757650d587985588dbecc1ae

C:\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe

MD5 86dc946b2539fe7373bf5bdb2d48eb98
SHA1 8ec9733f5972b572666346423335fa604bb72f45
SHA256 3e9a8e3dab51e589d1e42bd5e3c887be7cdabe8b82730b031feadc47fbb2af0d
SHA512 d6e40000253b3c58e0acd27547da3e84f4305395e3fb76e0e29bf5cceb7b8cc0b9d3b5c33dcf1ddaae69fa6bcb8cc0fc7d969a5c757650d587985588dbecc1ae

\Users\Admin\AppData\Local\Temp\is-5R1EQ.tmp\is-GAEFH.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-5R1EQ.tmp\is-GAEFH.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

C:\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

\Users\Admin\Pictures\U2ECg1q42RCBRqs9VdSwu50Q.exe

MD5 6151f86e1471dc8ddbdda02b49761e87
SHA1 ed1f59479c180f166c73a3baa7759d72a86ca7cc
SHA256 edd707a7dc4a15976146b13d1ba1935b10884364fa17b30cca6f932849f801cb
SHA512 4e610482a1f36def0e912061005dde26a326f06c3e3692c3e55f8f28c4a0f4b639a33f40880f6e4a1ab5d1efbb1b6c7d9bc6dfae3d059e43eb7310bd08fdefe7

C:\Users\Admin\Pictures\U2ECg1q42RCBRqs9VdSwu50Q.exe

MD5 6151f86e1471dc8ddbdda02b49761e87
SHA1 ed1f59479c180f166c73a3baa7759d72a86ca7cc
SHA256 edd707a7dc4a15976146b13d1ba1935b10884364fa17b30cca6f932849f801cb
SHA512 4e610482a1f36def0e912061005dde26a326f06c3e3692c3e55f8f28c4a0f4b639a33f40880f6e4a1ab5d1efbb1b6c7d9bc6dfae3d059e43eb7310bd08fdefe7

C:\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe

MD5 d02570adda6c1a216020389f6048e3a4
SHA1 d3e7bbfbde5f7398129dc39e5900a668a9f189a8
SHA256 3550f24be280f3fe80059bc98f6497423c5b4e644a713f26c66fd45c38999084
SHA512 cef4ddd6f49d109d9bd13391476cfe27908541a00dde3a91fe03ae1f0469d0570a62b6b0d14599d13940a3979f8aa0eb5599f9e406cef74e45ef11c864096b93

C:\Users\Admin\Pictures\U2ECg1q42RCBRqs9VdSwu50Q.exe

MD5 6151f86e1471dc8ddbdda02b49761e87
SHA1 ed1f59479c180f166c73a3baa7759d72a86ca7cc
SHA256 edd707a7dc4a15976146b13d1ba1935b10884364fa17b30cca6f932849f801cb
SHA512 4e610482a1f36def0e912061005dde26a326f06c3e3692c3e55f8f28c4a0f4b639a33f40880f6e4a1ab5d1efbb1b6c7d9bc6dfae3d059e43eb7310bd08fdefe7

C:\Users\Admin\AppData\Local\Temp\is-5R1EQ.tmp\is-GAEFH.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe

MD5 d02570adda6c1a216020389f6048e3a4
SHA1 d3e7bbfbde5f7398129dc39e5900a668a9f189a8
SHA256 3550f24be280f3fe80059bc98f6497423c5b4e644a713f26c66fd45c38999084
SHA512 cef4ddd6f49d109d9bd13391476cfe27908541a00dde3a91fe03ae1f0469d0570a62b6b0d14599d13940a3979f8aa0eb5599f9e406cef74e45ef11c864096b93

\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe

MD5 d02570adda6c1a216020389f6048e3a4
SHA1 d3e7bbfbde5f7398129dc39e5900a668a9f189a8
SHA256 3550f24be280f3fe80059bc98f6497423c5b4e644a713f26c66fd45c38999084
SHA512 cef4ddd6f49d109d9bd13391476cfe27908541a00dde3a91fe03ae1f0469d0570a62b6b0d14599d13940a3979f8aa0eb5599f9e406cef74e45ef11c864096b93

\Users\Admin\Pictures\dqmcMpvuXTiaPb6nG9XAR8r7.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

\Users\Admin\Pictures\VBhEQDt73C2LjwipKQiYTezy.exe

MD5 d02570adda6c1a216020389f6048e3a4
SHA1 d3e7bbfbde5f7398129dc39e5900a668a9f189a8
SHA256 3550f24be280f3fe80059bc98f6497423c5b4e644a713f26c66fd45c38999084
SHA512 cef4ddd6f49d109d9bd13391476cfe27908541a00dde3a91fe03ae1f0469d0570a62b6b0d14599d13940a3979f8aa0eb5599f9e406cef74e45ef11c864096b93

\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe

MD5 86dc946b2539fe7373bf5bdb2d48eb98
SHA1 8ec9733f5972b572666346423335fa604bb72f45
SHA256 3e9a8e3dab51e589d1e42bd5e3c887be7cdabe8b82730b031feadc47fbb2af0d
SHA512 d6e40000253b3c58e0acd27547da3e84f4305395e3fb76e0e29bf5cceb7b8cc0b9d3b5c33dcf1ddaae69fa6bcb8cc0fc7d969a5c757650d587985588dbecc1ae

\Users\Admin\Pictures\XNDkGzN0oUDbfA9X8BDSoURg.exe

MD5 86dc946b2539fe7373bf5bdb2d48eb98
SHA1 8ec9733f5972b572666346423335fa604bb72f45
SHA256 3e9a8e3dab51e589d1e42bd5e3c887be7cdabe8b82730b031feadc47fbb2af0d
SHA512 d6e40000253b3c58e0acd27547da3e84f4305395e3fb76e0e29bf5cceb7b8cc0b9d3b5c33dcf1ddaae69fa6bcb8cc0fc7d969a5c757650d587985588dbecc1ae

memory/1260-422-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/1060-423-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1140-426-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/1524-428-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2348-429-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2028-432-0x0000000002610000-0x0000000002650000-memory.dmp

memory/528-434-0x0000000001170000-0x00000000016A5000-memory.dmp

memory/948-435-0x000000013FC60000-0x000000013FCCF000-memory.dmp

memory/796-436-0x0000000003580000-0x00000000036F1000-memory.dmp

memory/796-437-0x0000000003700000-0x0000000003831000-memory.dmp

memory/1140-438-0x000000001B310000-0x000000001B390000-memory.dmp

memory/1520-439-0x0000000008480000-0x00000000089B5000-memory.dmp

memory/2028-441-0x0000000070730000-0x0000000070CDB000-memory.dmp

\Users\Admin\AppData\Local\Temp\Opera_installer_230926010838392528.dll

MD5 6aceaeba686345df2e1f3284cc090abe
SHA1 5cc8eb87a170c5bc91472cd6cc6d435370ae741b
SHA256 73e29a88eccb162b70b366b9c91986b7bf5ce90b9072eaa88f146fb06e8d8885
SHA512 8448a64feaed4bb1af04c9a34d92c5ecfbf7da3c4cb2a1f23ccc024cfd53da8a18a6bdb45c8c337f212c23e0f1b25da44118e9b41774d7aa74b6e0a64f944d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51660971e1b9e5aff862040044008560
SHA1 37916a3455432b89650f83c023a80bbaf26fce52
SHA256 05f84afb06e596594010bbbee0be8ed808b5a4837034b8c900681aa9bb5ff232
SHA512 f26691c90f6f081277cba4918b09541cfb4d9f397cef3b7933dc5ecbdfd835db202b6341bd81795b1df72584c9cbb31fb6904e3c00054d234ab1d803bfaa4fcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7A0287F882E4FB5DB3569281562B042A

MD5 871c41cbe9ad4cfe6a24cd2327b37599
SHA1 7eb20cfdad0815e5b7fd69c8e847c9c6f0275a59
SHA256 801c3e14b92666e5cabf9602858591558697b481dee3d1cf3f1d4b0acb181222
SHA512 94c022e7f0c4652c0f1b5804887cf0051dece3992c93138da7f896107cbbec62f8eddc02f97677d2fa605e10250b2931159eee4002eaef3f03e38febefb1f18f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 54fd1fc8078ae8c004d343621ac9d4ae
SHA1 ddfc0a00064061335e6505cb4e72234c9f56b03f
SHA256 4fbf307250143da3b406071413c94df7fd44e2be2e8fd10bfe82d45291424984
SHA512 2f6e85b7afb412563d3ae1a6feaacdbc59aedb1b65218304dab7add1153fa7dc2281972aca227cac71b80ae7de42bc6c664b387bf507e93c65b5cbb4c1aaf838

memory/2028-475-0x0000000070730000-0x0000000070CDB000-memory.dmp

C:\Users\Admin\Pictures\4ymUvP9swUPbWlDVJaoZUVpJ.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Users\Admin\Pictures\1I2ki0QT5jQSZFPROocKxfef.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\Wi98k8Hl6RPbT5kKvoe1CDa7.exe

MD5 86e56fa110cbf809e64637fb0aac26bd
SHA1 ee32eeac1760f3d761ef3e5cdb44abe37e335d98
SHA256 61229e77028e812362af394f5f242e5fb423127335fd4ab81f130d5d027df661
SHA512 105329232b912ccf0cfa57da59cae70b20e778848cbea129a2f803c28235ff1f5cd7d2ee223d964a1328a3270938ecf83d984f87b92124ddb91b36d733402125

memory/2028-492-0x0000000002610000-0x0000000002650000-memory.dmp

C:\Users\Admin\Pictures\3wWmt9U3tQ1V7nycc7oHQkga.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

memory/2828-493-0x0000000073800000-0x0000000073EEE000-memory.dmp

memory/2828-499-0x00000000008B0000-0x0000000000BCC000-memory.dmp

memory/1820-503-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/528-505-0x0000000001170000-0x00000000016A5000-memory.dmp

memory/2028-506-0x0000000002610000-0x0000000002650000-memory.dmp

memory/2764-522-0x0000000002070000-0x0000000002741000-memory.dmp

memory/1140-524-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2060-525-0x0000000000930000-0x0000000001001000-memory.dmp

memory/1524-526-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2060-527-0x0000000001400000-0x0000000001AD1000-memory.dmp

memory/2060-528-0x0000000001400000-0x0000000001AD1000-memory.dmp

memory/2060-537-0x0000000010000000-0x0000000010581000-memory.dmp

memory/2700-550-0x000000013FE70000-0x00000001403B3000-memory.dmp

memory/1820-569-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1524-574-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2WI42OW9ZHEIQZD8EN7M.temp

MD5 aac0e0e5f9d85b81950da89d1a13b613
SHA1 9bce070f7bb8d414bf19c46df8b552bc16b2d59a
SHA256 7f5a63e8ec84c7620cfe89de5e19ebdc7aa715946988afb9972861d1fb338721
SHA512 7f3cae6bc2aa8540e41ab1d22d6e2b8e0c7698e3f390cd0c95a620c5a3938a6b3c3b17e6984216b181b86a545b7e61651edcee0a6fed1642386f02b70561820f

memory/2700-592-0x000000013FE70000-0x00000001403B3000-memory.dmp

memory/528-601-0x0000000001170000-0x00000000016A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 4881eb0e1607cfc7dbedc665c4dd36c7
SHA1 b27952f43ad10360b2e5810c029dec0bc932b9c0
SHA256 eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e
SHA512 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 13701b5f47799e064b1ddeb18bce96d9
SHA1 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095
SHA256 a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa
SHA512 c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf

memory/1820-624-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/2700-643-0x000000013FE70000-0x00000001403B3000-memory.dmp

memory/1524-644-0x0000000000400000-0x0000000002985000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-26 01:07

Reported

2023-09-26 01:09

Platform

win10v2004-20230915-en

Max time kernel

33s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\156.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\156.exe = "0" C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\156.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\156.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\156.exe = "0" C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\156.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 376 set thread context of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3164 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC23.exe
PID 3164 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC23.exe
PID 3164 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\FC23.exe
PID 3164 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 3164 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 3164 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 3164 wrote to memory of 3640 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3164 wrote to memory of 3640 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3640 wrote to memory of 3448 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3640 wrote to memory of 3448 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3640 wrote to memory of 3448 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 376 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FD9B.exe C:\Users\Admin\AppData\Local\Temp\FD9B.exe
PID 3164 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\156.exe
PID 3164 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\156.exe
PID 3164 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\156.exe
PID 3164 wrote to memory of 4304 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4304 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 4304 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1732.exe
PID 3164 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1732.exe
PID 3164 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1732.exe
PID 3164 wrote to memory of 1248 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1248 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3164 wrote to memory of 1248 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4304 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 4304 wrote to memory of 3936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\156.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\156.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2804 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\156.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\156.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe

"C:\Users\Admin\AppData\Local\Temp\e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b.exe"

C:\Users\Admin\AppData\Local\Temp\FC23.exe

C:\Users\Admin\AppData\Local\Temp\FC23.exe

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FF80.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FF80.dll

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

C:\Users\Admin\AppData\Local\Temp\156.exe

C:\Users\Admin\AppData\Local\Temp\156.exe

C:\Users\Admin\AppData\Local\Temp\F9F.exe

C:\Users\Admin\AppData\Local\Temp\F9F.exe

C:\Users\Admin\AppData\Local\Temp\1732.exe

C:\Users\Admin\AppData\Local\Temp\1732.exe

C:\Users\Admin\AppData\Local\Temp\1984.exe

C:\Users\Admin\AppData\Local\Temp\1984.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\156.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7191c04e-0da4-44c0-adec-82c5f0ffb9d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1248 -ip 1248

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 256

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q3OSD.tmp\is-GADQH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q3OSD.tmp\is-GADQH.tmp" /SL4 $E01A6 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

"C:\Users\Admin\AppData\Local\Temp\FD9B.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff859a846f8,0x7ff859a84708,0x7ff859a84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff859a846f8,0x7ff859a84708,0x7ff859a84718

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

"C:\Users\Admin\AppData\Local\Temp\FD9B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6808930490702848473,16948751274025466114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6808930490702848473,16948751274025466114,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11252282241116277253,8557006189757464703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 34.255.45.168:443 mscom.demdex.net tcp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 168.45.255.34.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 datasheet.fun udp
US 104.21.89.251:80 datasheet.fun tcp
US 8.8.8.8:53 251.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 70d6dc55-c748-44d1-a8e5-aef76e9e657b.uuid.cdneurops.health udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/3532-1-0x0000000002730000-0x0000000002830000-memory.dmp

memory/3532-2-0x00000000042E0000-0x00000000042E9000-memory.dmp

memory/3532-3-0x0000000000400000-0x000000000259F000-memory.dmp

memory/3164-4-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

memory/3532-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/3532-8-0x00000000042E0000-0x00000000042E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC23.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

C:\Users\Admin\AppData\Local\Temp\FC23.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

memory/376-21-0x0000000004270000-0x0000000004310000-memory.dmp

memory/376-23-0x0000000004310000-0x000000000442B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF80.dll

MD5 48f159eb8ee833c75465d11649f27241
SHA1 210f681927a2e048fabd4fa555c3ebc894f9919a
SHA256 49595fa6ef17c2317e84c8a43385075bc3974f3bd957d86f7340be3948719838
SHA512 762233817ce8da045e326c66b96fd9f2d1fc89f2fb08109260ecb04426d9f4e66af49393407517ef062ceb334e72dd41d2ea449ab34ed51033a9d043a96be9cf

memory/2872-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

memory/2872-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\156.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

C:\Users\Admin\AppData\Local\Temp\156.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/2872-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF80.dll

MD5 48f159eb8ee833c75465d11649f27241
SHA1 210f681927a2e048fabd4fa555c3ebc894f9919a
SHA256 49595fa6ef17c2317e84c8a43385075bc3974f3bd957d86f7340be3948719838
SHA512 762233817ce8da045e326c66b96fd9f2d1fc89f2fb08109260ecb04426d9f4e66af49393407517ef062ceb334e72dd41d2ea449ab34ed51033a9d043a96be9cf

memory/3164-34-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-36-0x0000000000C30000-0x0000000000CC2000-memory.dmp

memory/3164-35-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-38-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/2872-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3164-41-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-44-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-42-0x0000000007490000-0x00000000074A0000-memory.dmp

memory/3448-37-0x0000000010000000-0x000000001019A000-memory.dmp

memory/3164-49-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-45-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3448-46-0x0000000001FF0000-0x0000000001FF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9F.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\F9F.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/3164-56-0x0000000007480000-0x0000000007490000-memory.dmp

memory/4304-58-0x0000000000FC0000-0x0000000001654000-memory.dmp

memory/3164-61-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-59-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-53-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-51-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-66-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-65-0x0000000005840000-0x00000000058DC000-memory.dmp

memory/3164-75-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-74-0x00000000061D0000-0x0000000006774000-memory.dmp

memory/2804-77-0x0000000005D20000-0x0000000005DB2000-memory.dmp

memory/3164-80-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-85-0x0000000005A70000-0x0000000005A80000-memory.dmp

memory/3164-86-0x0000000007480000-0x0000000007490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1984.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\1984.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/3164-82-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-79-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-76-0x0000000007480000-0x0000000007490000-memory.dmp

memory/4304-72-0x00000000741F0000-0x00000000749A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1732.exe

MD5 7d743b59dffa34ff9bb5d82196d74b37
SHA1 66de2cc818789d7f4e0620ca10b0309dbc4278f9
SHA256 147b7c2bd74eaf54d96146d84b6732d10079e129a06a1f84b1b59067925d74fe
SHA512 85ea15e8f4673bd78ceec0d0fbee76e64c3072c1fcabec1358699ab7343f2dc9950cec56de6d2b548f75caaf9c02488c354751ec57d548170d28e6721ec7f009

C:\Users\Admin\AppData\Local\Temp\1732.exe

MD5 7d743b59dffa34ff9bb5d82196d74b37
SHA1 66de2cc818789d7f4e0620ca10b0309dbc4278f9
SHA256 147b7c2bd74eaf54d96146d84b6732d10079e129a06a1f84b1b59067925d74fe
SHA512 85ea15e8f4673bd78ceec0d0fbee76e64c3072c1fcabec1358699ab7343f2dc9950cec56de6d2b548f75caaf9c02488c354751ec57d548170d28e6721ec7f009

memory/3164-63-0x0000000007480000-0x0000000007490000-memory.dmp

memory/3164-64-0x0000000007480000-0x0000000007490000-memory.dmp

memory/2804-87-0x0000000005770000-0x00000000057AA000-memory.dmp

memory/2804-88-0x00000000057D0000-0x00000000057EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/3936-99-0x00007FF60EDD0000-0x00007FF60EE72000-memory.dmp

memory/4968-110-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2804-116-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/1440-131-0x0000000002640000-0x0000000002740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3532-154-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/3140-153-0x0000000000BF0000-0x0000000000D64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/3252-160-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3008-162-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/3532-163-0x00000000056B0000-0x0000000005CC8000-memory.dmp

memory/3008-164-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/3532-165-0x00000000051A0000-0x00000000052AA000-memory.dmp

memory/3008-161-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/4304-158-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/3008-157-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/3252-155-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3532-145-0x0000000001020000-0x0000000001026000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3008-142-0x0000000004E50000-0x0000000004E86000-memory.dmp

memory/1440-139-0x00000000040B0000-0x00000000040B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3164-141-0x0000000007490000-0x00000000074A0000-memory.dmp

memory/3532-140-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/556-167-0x0000000004670000-0x0000000004A78000-memory.dmp

memory/3532-166-0x00000000050B0000-0x00000000050C2000-memory.dmp

memory/3532-168-0x0000000005110000-0x000000000514C000-memory.dmp

memory/3140-169-0x00000000741F0000-0x00000000749A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3448-179-0x00000000023F0000-0x00000000024FF000-memory.dmp

memory/2448-182-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00vhfby4.kym.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\is-Q3OSD.tmp\is-GADQH.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/556-207-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q3OSD.tmp\is-GADQH.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/4756-205-0x0000000000190000-0x0000000000198000-memory.dmp

memory/3008-216-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/3140-211-0x00000000741F0000-0x00000000749A0000-memory.dmp

memory/3008-218-0x0000000005F20000-0x0000000005F86000-memory.dmp

memory/3164-217-0x00000000025B0000-0x00000000025C6000-memory.dmp

memory/3008-203-0x0000000005C90000-0x0000000005CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3008-222-0x0000000005F90000-0x00000000062E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UIUE3.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-UIUE3.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-UIUE3.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/556-242-0x0000000004A80000-0x000000000536B000-memory.dmp

memory/2872-257-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3532-263-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/3448-262-0x0000000002500000-0x00000000025F5000-memory.dmp

memory/3448-252-0x0000000010000000-0x000000001019A000-memory.dmp

memory/2448-266-0x0000000000400000-0x0000000000413000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/2100-265-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3448-241-0x0000000002500000-0x00000000025F5000-memory.dmp

memory/4756-227-0x000000001AF20000-0x000000001AF30000-memory.dmp

memory/3252-220-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4756-221-0x00007FF856B90000-0x00007FF857651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3532-170-0x0000000005150000-0x000000000519C000-memory.dmp

memory/2100-270-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/556-269-0x0000000000400000-0x0000000002985000-memory.dmp

memory/3448-273-0x0000000002500000-0x00000000025F5000-memory.dmp

C:\Users\Admin\AppData\Local\7191c04e-0da4-44c0-adec-82c5f0ffb9d3\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/3428-289-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2872-290-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

C:\Users\Admin\AppData\Local\Temp\FD9B.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

memory/1804-314-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-319-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3478c18dc45d5448e5beefe152c81321
SHA1 a00c4c477bbd5117dec462cd6d1899ec7a676c07
SHA256 d2191cbeb51c49cbcd6f0ef24c8f93227b56680c95c762843137ac5d5f3f2e23
SHA512 8473bb9429b1baf1ca4ac2f03f2fdecc89313624558cf9d3f58bebb58a8f394c950c34bdc7b606228090477f9c867b0d19a00c0e2f76355c613dafd73d69599c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/1804-324-0x0000000000400000-0x0000000000537000-memory.dmp

memory/556-337-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

\??\pipe\LOCAL\crashpad_1388_LKTPMLBGPIHRTNQD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

\??\pipe\LOCAL\crashpad_4016_KOULFBYRTPTDNDAR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a209452e7339504b909f01253cb8bc56
SHA1 eeb6b684e5e40d89d346eb64fea4bd7cd67fb07c
SHA256 aff9c6c3bf8c30e95fe635199953442741bf9538210714448f4367c231f3993c
SHA512 9ab9c5599354fcbc4f7447d3b21d35a33ceddcff179bc3723832c9e3879d68defd0900019e0b02dd83a3b723f994ec2676984418f998e57e4c799d5204439950

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e144b0c5-ab14-4815-8679-7fd1e2de3924.tmp

MD5 e50fc39530bda64e9187f7e89bebb53a
SHA1 0046cfc5a5d03d8adb9f9ce0a59997ab0783a98e
SHA256 37eecd2e1c8e3e99fcd933641b6271e4dcc40634d2a9349c2e3b4b0d88218998
SHA512 a10245fd80b3db081882ad27250d9dccebc6cdd3df3a6a760c660ee126575ca78c25077d083a622309638a0bb48936cbaf0c76b6cb4d461d713417fc677fd61f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 03ed6f14d57cf19fd45259a41afaba71
SHA1 b82e655fd6995de3533433bcc0ad76bba8946717
SHA256 e600f7d3e2cb40989eae33701796a4d536309ba1a2b50bf2015f7ffab4fb1e43
SHA512 b2c7cc6064c50d9b154f63a079e229bb06c1371407a0475064bc603f71ba4995612eb9ee74de2e7cf44cc014a986dbb40b8e6dae6674455d65e58cf2ea841afe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a209452e7339504b909f01253cb8bc56
SHA1 eeb6b684e5e40d89d346eb64fea4bd7cd67fb07c
SHA256 aff9c6c3bf8c30e95fe635199953442741bf9538210714448f4367c231f3993c
SHA512 9ab9c5599354fcbc4f7447d3b21d35a33ceddcff179bc3723832c9e3879d68defd0900019e0b02dd83a3b723f994ec2676984418f998e57e4c799d5204439950

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b8b7df427c5a39eeab295ff6db9fa46e
SHA1 000d1d192bba449b5f46146226e759e029928819
SHA256 b6d89d77d25e0e3095ff02761344f3f039df0f8d379587f9de78f5c21e97097d
SHA512 96413f20d0ebb7bb4be572bc0707c8487f27aaa1ca7cfeaeeac9ffc1110e714068b13a44ee34199f2d660b2969af6294a4e38f7ce8f2b0e5fb8a2102f4641bcf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 25527bc42b96ef6632e82ec0802f58df
SHA1 21cdbe2ff547a65f68529ab14d2e0c744ce65d97
SHA256 b07743c22ee3cc8ee318a7c6914e74f4e831903a8dc410772f4b00cb24e357a2
SHA512 393eb9df503b7b78c3a26ed5db79af594d291705edee58a2a21c994fa5b8526b79aa7d1f92541bd9471d99a899d816de777b0d9a269ed34174743ddfa6d4b05f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e00bc96a15cb619f65fee4bf2298dd69
SHA1 bef35606d5c9b5de43922ecb0f90918806756d51
SHA256 e6ad9a423309501a185c2adf4b7f1c99c1a6c2778cd8f590745240cd7e58c145
SHA512 06244fe04b0b1d5dd4e358a8a899b3780b5ebea83204219eceaf1240e89182b1199d0a5795c9b1575ecfdd2c8b38b29869143850d6ebd0c8c0ad72afb8512e80

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 26b84dd57a9d4797b6232fd3f7bed2c3
SHA1 71615b21cd7654254dd60a0cee5289d324dcaf32
SHA256 385f5e7feb0a246f61cc608acab5a173888b524adde38ba005f632d46837cfe3
SHA512 fbd7fb539b0fd0449b7d49025564465f724590216580d56e8644e85dd2c5339a2bd721e76974dbae8cca0ccbd661646f99dfed0d30542c7648dbeb6a14dc4761

C:\Windows\rss\csrss.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Windows\rss\csrss.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e0c32170e0b9d1adcd719c99d4657a9b
SHA1 fe41f67ac662bb44eba6b649912242a590281c42
SHA256 4814019e9178b288e334328b0703109ff98194c243d79d99b6518e537579ade4
SHA512 be15082a268ad82986dcc998135c5430ab0c1f6b2e3957d5235693d6f88265fb63a7072d4a9ba5447728a08e57c4c6f1207d34630d2bb520d341ae0e84cf881a