Malware Analysis Report

2025-04-14 06:29

Sample ID 230926-tlll8sbc6z
Target dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe
SHA256 dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66
Tags
djvu redline smokeloader vidar be957cbbdc7ee5ad3ee6c696b5eb3079 logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer persistence ransomware spyware stealer trojan glupteba pub1 up3 dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66

Threat Level: Known bad

The file dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe was found to be: Known bad.

Malicious Activity Summary

djvu redline smokeloader vidar be957cbbdc7ee5ad3ee6c696b5eb3079 logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer persistence ransomware spyware stealer trojan glupteba pub1 up3 dropper loader

Glupteba payload

RedLine

Vidar

Windows security bypass

Detected Djvu ransomware

SmokeLoader

UAC bypass

Glupteba

Djvu Ransomware

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Windows security modification

Modifies file permissions

Loads dropped DLL

Deletes itself

Executes dropped EXE

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks processor information in registry

Modifies Internet Explorer settings

Checks SCSI registry key(s)

System policy modification

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 16:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 16:08

Reported

2023-09-26 16:11

Platform

win7-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9177.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9177.exe = "0" C:\Users\Admin\AppData\Local\Temp\9177.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9177.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\9177.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\9177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9177.exe = "0" C:\Users\Admin\AppData\Local\Temp\9177.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\03aa2f75-2ce0-4689-98ba-8967178fa033\\8F06.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9177.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9177.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EC85.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wrfvabf N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wrfvabf N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wrfvabf N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401906442" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ef37e493f0d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E8D6D51-5C87-11EE-9A54-661AB9D85156} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000d7c4a5af680903a9e9ba2bb5e369d3823868cbb605f0e8292a8a90671b0bb0e9000000000e800000000200002000000042cf05d931150c3904a365fc9b04d66acab7ff4eadf3c2c37700d7004558bbf520000000b196ca1c23797179d5bd3fc4aae8552dd444905f078dbfb6bd363f8ec72e14b440000000845c0b0a28e3dfb4f28ec8234a15cca26e6abc60b221e3d414e3a7c9a46df5af8e1a6ec9573706b2233d7bbfbd62918eda5af4378ed34e06cf91a104b5abc7c1 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value elided] C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [value elided] C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided] C:\Users\Admin\AppData\Local\Temp\8F06.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wrfvabf N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 2268 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 1332 wrote to memory of 2268 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 1332 wrote to memory of 2268 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 1332 wrote to memory of 2268 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 1332 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\9177.exe
PID 1332 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\9177.exe
PID 1332 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\9177.exe
PID 1332 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\9177.exe
PID 2268 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2304 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Windows\SysWOW64\icacls.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\9177.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
PID 2604 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2604 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2604 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2604 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2828 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\Temp\8F06.exe
PID 2904 wrote to memory of 2116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2116 wrote to memory of 1328 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2888 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\8F06.exe C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe
PID 852 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9177.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe

"C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8F06.exe

C:\Users\Admin\AppData\Local\Temp\8F06.exe

C:\Users\Admin\AppData\Local\Temp\8F06.exe

C:\Users\Admin\AppData\Local\Temp\8F06.exe

C:\Users\Admin\AppData\Local\Temp\9177.exe

C:\Users\Admin\AppData\Local\Temp\9177.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9177.exe" -Force

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\03aa2f75-2ce0-4689-98ba-8967178fa033" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Users\Admin\AppData\Local\Temp\8F06.exe

"C:\Users\Admin\AppData\Local\Temp\8F06.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8F06.exe

"C:\Users\Admin\AppData\Local\Temp\8F06.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

"C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe"

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

"C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe"

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

"C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EA91.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EA91.dll

C:\Users\Admin\AppData\Local\Temp\EC85.exe

C:\Users\Admin\AppData\Local\Temp\EC85.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 92

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

"C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

"C:\Users\Admin\AppData\Local\Temp\E8DB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

"C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe"

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

"C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5F101E04-B7F8-4480-90C8-88462AE81BDC} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe

"C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\wrfvabf

C:\Users\Admin\AppData\Roaming\wrfvabf

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network


Files

memory/3020-0-0x00000000003C0000-0x00000000003D5000-memory.dmp

memory/3020-1-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/3020-2-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3020-5-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/3020-4-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1332-3-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/3020-8-0x00000000003C0000-0x00000000003D5000-memory.dmp

memory/1332-9-0x000007FEF6600000-0x000007FEF6743000-memory.dmp

memory/1332-10-0x000007FF2FB00000-0x000007FF2FB0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2268-20-0x0000000002620000-0x00000000026B2000-memory.dmp

memory/2268-21-0x0000000002620000-0x00000000026B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2268-24-0x0000000003EA0000-0x0000000003FBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9177.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/2604-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2604-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2268-33-0x0000000002620000-0x00000000026B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\9177.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/2604-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-37-0x00000000010D0000-0x0000000001162000-memory.dmp

memory/2304-38-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2604-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-40-0x0000000000A80000-0x0000000000AC0000-memory.dmp

memory/2304-48-0x00000000003F0000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9A5E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2304-58-0x0000000000470000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9BE7.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\03aa2f75-2ce0-4689-98ba-8967178fa033\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2904-79-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1332-82-0x000007FEF6600000-0x000007FEF6743000-memory.dmp

memory/2904-81-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2568-83-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/2904-85-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2604-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2304-91-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2828-92-0x0000000000310000-0x00000000003A2000-memory.dmp

\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\8F06.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2828-99-0x0000000000310000-0x00000000003A2000-memory.dmp

memory/2888-100-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-101-0x000000006F2E0000-0x000000006F88B000-memory.dmp

memory/2888-102-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-103-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/1332-104-0x000007FF2FB00000-0x000007FF2FB0A000-memory.dmp

memory/2568-105-0x00000000021D0000-0x0000000002210000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0b1798db6ad7196b55db8351beeaee43
SHA1 e7328fa8e5675d861a306153f14f8cdcf134bf87
SHA256 2d128ad2db21553b62831821c7c05c635c7896b7f1e554a66c48c69fcc550bba
SHA512 8cc6368e2a34d4fb2f254e74ef2dee6953b3e9c0cac93fd84e638bd0ff7f70b16af72dbe18c6e094520ae0f414faffeb4c0bfb67ed475176fccc61021c32c121

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 7d4fe8e346d4990f7d8f5d03f75b083f
SHA1 f012bdaec1962c60c04719386c14db2453c88ce9
SHA256 5512f254c857ec2a233ef334cb9a6d57f8e44a43ae47e5341fd1ae0c7edf6f6a
SHA512 2cfd668535371d7b34f4b37b0cbaf9c5d0c4bf5108437aae13bcfaa73efde6afa03b5a4ebedfbc1e338e4d6b2692ac5ffa1f8a23d377cb563c78f0b8c8e571e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c0af2c4e5049cf4e89143c4d594e6b4
SHA1 c38948cce9b5ab71b6cf83ab9e11ce13cdb0b85b
SHA256 577c43dd6d827cca60c4bf031915b0e4ddc2cc3b660144d051144cf07a91e95f
SHA512 a2ebc9fc9f0445e20c8f412b01522eaec77173003136f8173dc8f3a94ae224304bb1a7fcdf59200e47261696500ca77f7b6dbc2b4390fd79313f8ee71549d39a

memory/2888-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2888-119-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2568-120-0x000000006F2E0000-0x000000006F88B000-memory.dmp

memory/2888-124-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2888-126-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2888-127-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2888-132-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/852-146-0x0000000002690000-0x0000000002790000-memory.dmp

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/852-149-0x0000000000300000-0x0000000000351000-memory.dmp

memory/1740-150-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/1740-153-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1740-154-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2888-212-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ce255219-709f-4fe6-80f6-8d57e40f0dfe\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1740-217-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6aa75ac8610b5937a04ef603eef4f9be
SHA1 6fd28ba1f323326a6712b63a6d638c2336752755
SHA256 22400fd84509be833744bd7d5b7658b92dbc226799ab32f0aff51087a32aefdb
SHA512 e1a32fb9fc782319401c44be02a19415fe2c43a895a250fc46e1b5ddde3d431a8df3db90b7deda8adf64f66fa2a334b2601d68e982e458dc52582597fa3aa3f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44a8d994442fe1a65f1099d136ce05a0
SHA1 0068442ab970c7554d28aef3cf35b79e5351cc67
SHA256 304d3ba57b0da476552498d5b6a9abdebcc88d53170002a3fdfd46d50794877b
SHA512 4a182c150aec6c3175defac0d92fdac9c536a0cd629a587bd396c671db41385145e4d07d154f81e7d578b385f05b267e7098877fd7d082a46eed7eb4eef5097f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33d2ff5f7b0daa0d6493287fc19a09bc
SHA1 2d5c624dcc19136002d6a3ccf27972461bba062d
SHA256 54e73b5000720197e88b35ce9cca1f873458f8a9001a9ba2c74f770e2bdebe3c
SHA512 c1019db413f04657d163b18a387ed01186f055c770d24945e11477770d68a4bc0e62dc1f074e79c68e7ebb731091fe7f9662fd6bd93efc32be484d7f489bad64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 810d7e38bbf0bbbf25f052ea98114b21
SHA1 f1325dc6238cb1d635ceee9b82c528160c21d954
SHA256 18655ccc4715f046269ac5e430aa2fa35f034415161e8426a2da84edfbac4d12
SHA512 a6676ef470cb7dcbf0a6b09c6a49c67215b7cd60a69bb1942f33efb380d0e26cf5ee1ed6d737ec756adff43a9028eff4777ac427fcec40d8fa25cfd7d60e8988

memory/1740-367-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5f707890455bce486ea9ef843ca2600
SHA1 8697cf2c1baf30f0bce36ad6c3ea7ed3949b0ac4
SHA256 95771f7e4944edcbbcccf2698edd1c7ae532f3665217734a7189b03c60c5a5c2
SHA512 e0e11b830e513e0049372c46dd0c902b9805548abc64ede6120797e71db312f9a40498c5bba04af73f10b1ba55c4b5c9c83cf21272d40417a81ddaacadc561f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6756027e3919df5312cdb7c31ff2b7e9
SHA1 0f5c45c0dd2161f860d5cf5ce57b24657780124d
SHA256 004833797773d2402b06222dab3fd326f680ad7f43b692dbfd9027a31a2026e3
SHA512 251fa7ccce98f973a2c882072e952678492688c3eb09c2ea96096c978a76c6b53625f0b49a692fe1e81e6180a116c3c52c742c5a478be23a253ce92d027279d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fc55eb8c04c0ca2af27e71d138da187
SHA1 ae5e982ad5b2327a4a6adc2400e8c08910ad9818
SHA256 b079ece79a56378eef418f3a205bdefd7a63764c9b57f00a75bc12fa4e3e1d4a
SHA512 9912e3272b2ce0a4cccf11c6e8bc8ef572d30b8278775af76a9bfb31a64b1fd7afbf064e961c788606f39660a89118dba0921dfccbb8636a1d4e830ad3550b3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 121592bfe79541e7349945f308358a4a
SHA1 c950fd94fdda18228ef8ccdedd68664903a88fdc
SHA256 ad63128ce4523f013c843a943f8497c809535d07cd8c04d68c98ab34782a609c
SHA512 2e5fcf3c0bcca47acc5c9c2b49051873fe1f9252facb81e82696d40882c5d9a3de58ae699d1edbec0e8a04157d8de70520b5b9f18b8835d2b5271b363c692494

memory/1740-548-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1e3eb91e242236580b8847c34132f99
SHA1 5f61438e1433e6751b73cbfba2de9178a092cbc6
SHA256 cfa8eec574a0783944a49b844aed4f0b70b648fe8039740fe7069db831100deb
SHA512 bfdec717ced87200654b67bc59fe2737231bde9dc5b9c3c84878f2a56a1403971a8bd02322dc51d3d3870936ef419e92c472ba8d61d7b410da3facf3f04036bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6492ef201bb4787ef16130e74df4a348
SHA1 d2de4aaeae6d47fdb41fb2cf3a71ed12301fab82
SHA256 f17937452b56c9710722d12b5a780892c849f902e0f9244234a0ea3ead84f190
SHA512 b35ef4e7392d6f79c6fa2eef5de09b4a0286df6647f84d64c499a9432ed6931c3dbb9fa1e2b8b4a0ee304cc6cd6a3e438f56486ffd63ff8a3705c08ee350d976

memory/1740-621-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2308-693-0x0000000002620000-0x00000000026B1000-memory.dmp

memory/2308-694-0x0000000002620000-0x00000000026B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2308-697-0x0000000003E30000-0x0000000003F4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2096-701-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA91.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/2308-705-0x0000000002620000-0x00000000026B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2096-712-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC85.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

memory/2096-713-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC85.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

\Users\Admin\AppData\Local\Temp\EA91.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/1716-717-0x0000000000180000-0x0000000000186000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ef710310056b15ab62a273a12d1c955
SHA1 ee9958055ac5bac94c9276a1ac5b3daa332c1547
SHA256 0ef21f71486119166b4ef94b7d142d0967f576f094d5b4222681194a7c6c8c3e
SHA512 14508d9eeec7dd6fb6c36661918442e153634e6d11fb07bbcee3bca7a634d2ff0c879285a5f14fd042657d4626aaba470be75e8bc6c090db07cff5f7f8430d1c

\Users\Admin\AppData\Local\Temp\EC85.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

memory/1652-742-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1652-743-0x00000000704A0000-0x0000000070B8E000-memory.dmp

memory/1652-744-0x0000000000280000-0x0000000000286000-memory.dmp

\Users\Admin\AppData\Local\Temp\EC85.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2096-751-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1232-753-0x0000000000330000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\E8DB.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2512-761-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f62c625085fa9593b7493aa0d30510c
SHA1 f23427fb24ff8518488c88093ed88b0cb5fb276a
SHA256 97c4146751904eead1cd21fa2b8d93770cd1cd8a12b1adb8f16df98eb60670e7
SHA512 ee6360f49f34b4bbdbdec604272d1fdf8021aaff420a61a9d647dc3c29edb9170779f847c041b1cea0e357cee8a4dfe4616ec04d707f47afb3039e84777b3fb4

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 e3c640eced72a28f10eac99da233d9fd
SHA1 1d7678afc24a59de1da0bf74126baf3b8540b5b0
SHA256 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e
SHA512 bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1972-815-0x00000000002D2000-0x0000000000301000-memory.dmp

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\SystemID\PersonalID.txt

MD5 324770a7653f940b6e66d90455f6e1a8
SHA1 5b9edb85029710a458f7a77f474721307d2fb738
SHA256 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30
SHA512 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23

C:\Users\Admin\AppData\Roaming\wrfvabf

MD5 b601d81d4004f43c394a697140a9b626
SHA1 c37b8c7e88d029960d156b9bb5fef32b3bef6dfc
SHA256 dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66
SHA512 6e523379f47b34bd31ffdad41a6df19950e9da0ae24ac8cf144d4333a518aa859f3be2bbc2ba6464c29e5db5c084c8b53f047cb6acd16ba4a35ace307651b12a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f21232c527913504aef8dae543dc2388
SHA1 b8a395c15fe90879a9cd5062c91b206daf0e0a2a
SHA256 b917ef52fd962fcaee2499bb01584ff63895e8818541e35c4395ef68929502a3
SHA512 c72e3bd4ac6be8ec190925cc9fac726958d660fc959cc418f9e0cf28f9e3a7dcea6d5144f5e458194987729c0c8b48c773e97a591859d05dd5b44d767e9188a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3b6055be021ec2afb5f0fa987e481ae
SHA1 25bb3c0354d86d121042a804fdd481133708b778
SHA256 553ef086fb58783071bfd9f5f935a65305b39eaeb0d4ca0989b8259bc4cc44b4
SHA512 10f2f126a793875e876b5c207b5b1bf179b38a765062a36fdd868e0edbfc87a5599c46a2143d0a3bb500c20413d73ce6441d27753dbf061e84a4c6e0795ca182

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b0f6ff3a69edc350bc4794134b172c9
SHA1 74312013f4dfeb9545e7670cb1a138d56ebcc26f
SHA256 d974fe3a2df79850a3b3661c1dcf8be430441db239962171739650c3106c58d8
SHA512 0071aa8526557dfb24790fd80fc3f5ec175bfd152f97d1324a83505ac95b993a5bc4bfea936013c34c79596e2d5e97153d08e873bc728a5eaeb71f93a6afa5df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5dfbc1a1469e887efd183db90e43154
SHA1 5b5722a9ca7152624a4c62fe894b1dbb60340a14
SHA256 6dc28b62aeca1b997bb826a6c6c642cc1394e046cd70540c23c5dd1c2fc527c9
SHA512 4c4c7b1b737264f604b64a78a9356f3fc47b0b258e98d1a9cfa223cf5a5ac1dbad2709057aa8b3743d3c2a205a5df029b1b86dd067eda9d0f1297e1e1b67ec83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 9a37288d6f02ea6926281dfd0bf0d16a
SHA1 292164d9b1a291a11f159dc8048ce20d3dba3448
SHA256 841427d61bee56bc873a053db1eaf6a44cec133e26c295247deaf68a06be7b1d
SHA512 66315dbd9bdae5bacac6e9f8bee8509c79c6f9b3493f23f616992962bbb591599c1d53e4333e33a5533fe852f9d0598af21ec8a30c11ec8c51f7b2f663957296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 73f46425ea493b1262dbaf1c8fd11f71
SHA1 92c94e08e57c1ba7dd4cb3a298760f4dcb9b8b22
SHA256 0837e91e349cb5ca309059a6512fdb49756d2a1a73ff60c89c3473d0503003da
SHA512 3264ece7e974888a30d3ed89cf04ca509f6034128c5383ed72c47c8c631823fed9a2266fd625a1c3ce10b1f26bd4a70e9d6db5d2d84fa38ea21435e9f53f8621

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 250419b89f0f2c6842394adcc57460cf
SHA1 ea8abd8ea502aa16e5ddefcaa7b20d2f3c9bf0bc
SHA256 dbd58fd9b24fc9bcab0d6a68ad7fb45bac0aaeabe0a54b8d11f65af1a448232b
SHA512 950ff6a2d1d03c61a84e429f57d2556b838e627bb4b1c06c4b470b99e9bfe35ba9eb6b415a3746ba668cad83724fa27b0ffee5dec7e7afb78e4f802967bb5453

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dbf2b514697a0c5de0c8dddf57b3cf5e
SHA1 1ee1061b8567667cdb1af726e39135bd245c899a
SHA256 9e72c7c7747b9978fcafd471100c5943b0c23a76245569bbc88257269e228ed3
SHA512 b89042a2179c4a137fdcfadd36d4782dfd56f277bc207a3c4a517082999fa9cba579038583f3dd5ed1db226dc1add9619083de13333e567c90949b2f6d169b27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab0af38ba9d612046cac461bfd524527
SHA1 14cff1d25898ae18550a0927b7a3efa891de209b
SHA256 89344a92e5a86c17040446a0c8ea2928c99c0dba39c5b3efe2a66fd190be56c9
SHA512 57c50a3c047ec1b672a22f416fd07bbb1509da475cedc4a81ed19ed8f88cc2f7dc10f7710124524d2864aa2e5cdb1007451131fed772bd73358d8af037bef51d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70be9ed10840d43e12e9fb0ab3e66830
SHA1 0ce24b2902783d2b96bd8a2ff7ddd287f555500a
SHA256 4b914e55fcf49621e8c5ad77a8f2c86500f22d0b42c4212b472435758a585356
SHA512 51363872c74b5eb9afe800959fc4f5a47bdd2bca15a70bdf767788e98aa703c7a7c2a56a3e41b9c21753375787ec8174065c6656d8137031920cc7d83d22b137

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c7e86ae1fa59a219bc84a2ca7af084b
SHA1 d8ea81c1f61006032937c52e5e58140d34eeb7d5
SHA256 6a11fc1a95fa529250db8340c222b289430793a8be4bf125526cbee2a743af06
SHA512 873be5654b0e9e11868695369e4a16b2b48a81e0bb8dab32e44aaf9981fa39164ef304e2af68f70e13fffe40a29102edf4a3d5c7647e168ad1f47b9f60016f6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2a098b0c355de91ed4c28f5f686db07
SHA1 c62b589b60a9921904e38910375e8fd635ba5767
SHA256 4e8c185a00781d09c845f152660c6ecc3f1fff657ca7102bb819662196ba81bc
SHA512 915b710c86972c635c0b4caaaec9f751e51f5c1841b5e6857f2f72a7589307b212b83dfb3f61143c117d35f8165993a35b48353ab4c1a70437f3de0cb637f1a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2a3f1137472ba8d18103d9b0370059a
SHA1 49514d71c212067e1e72f19e7d15a9b1489c789a
SHA256 557de2c2d7f7ffa02067c5faf5524459ae05ac2216493681692f2d4318dc7f79
SHA512 429704fbcaa57d8d6f631aa5a49a8b6ac68b2cc17c5e50d0dc4862225e3bce8cf04809085bba52741bf92538d4a6d47a712f37be579a9d1e90e94e50629aac5a

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2800-1394-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1652-1395-0x00000000704A0000-0x0000000070B8E000-memory.dmp

memory/2016-1399-0x0000000000400000-0x0000000000440000-memory.dmp
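
Several entries in the Files listing above are the same bytes under different names, which a flat list of hashes makes easy to miss: C:\Users\Admin\AppData\Roaming\wrfvabf carries the SHA256 of the submitted sample (the original executable was copied into the roaming profile under a random name), and build3.exe and mstsca.exe are identical. The script below is an added example, not part of the sandbox output. It parses a constructed excerpt of the listing (blank lines dropped, only a handful of entries), checks that every digest has the length and alphabet its algorithm requires, strips the drive letter so the sandbox's C:\Users\... and \Users\... spellings of one file compare equal, and then groups paths by SHA256. The function names are this example's own.

```python
"""Cross-reference the hashes in this report's Files listing.
Added example, not part of the sandbox output. FILE_RECORDS is a constructed
excerpt of the listing above with blank lines dropped, so the groupings it
prints cover only the entries pasted here.
"""
import re
from collections import defaultdict

SAMPLE_SHA256 = "dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66"  # report header

FILE_RECORDS = r"""
C:\Users\Admin\AppData\Local\Temp\E8DB.exe
MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72
memory/2096-701-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\E8DB.exe
MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
C:\Users\Admin\AppData\Local\d9c41f09-6ace-4cd4-ab46-21aeb634a57d\build3.exe
MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
C:\Users\Admin\AppData\Roaming\wrfvabf
MD5 b601d81d4004f43c394a697140a9b626
SHA1 c37b8c7e88d029960d156b9bb5fef32b3bef6dfc
SHA256 dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66
SHA512 6e523379f47b34bd31ffdad41a6df19950e9da0ae24ac8cf144d4333a518aa859f3be2bbc2ba6464c29e5db5c084c8b53f047cb6acd16ba4a35ace307651b12a
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")

def normalize_path(path):
    """The sandbox lists one file both with and without the drive letter;
    drop a leading 'C:' so the two spellings compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path)

def parse_records(text):
    """One dict per dropped-file entry: {'path': ..., 'MD5': ..., 'SHA1': ...}.
    memory/... dump entries carry no hashes and end the current record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LENGTHS and current is not None:
            current[algo] = digest.lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": normalize_path(line)}
            records.append(current)
    return records

def validate_hashes(records):
    """(path, algo, digest) for every digest that is missing, the wrong
    length or not hex: a mangled IOC is worse than none."""
    problems = []
    for rec in records:
        for algo, length in HASH_LENGTHS.items():
            digest = rec.get(algo)
            if digest is None or len(digest) != length or not HEX.match(digest):
                problems.append((rec["path"], algo, digest))
    return problems

def group_by_sha256(records):
    """SHA256 -> set of normalized paths seen with that content."""
    groups = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            groups[rec["SHA256"]].add(rec["path"])
    return dict(groups)

def same_content(records):
    """Only the SHA256 values that appear under more than one distinct path."""
    return {h: sorted(p) for h, p in group_by_sha256(records).items() if len(p) > 1}

def copies_of_sample(records, sample_sha256=SAMPLE_SHA256):
    """Paths whose content is byte-identical to the submitted sample."""
    return sorted(group_by_sha256(records).get(sample_sha256, ()))

if __name__ == "__main__":
    recs = parse_records(FILE_RECORDS)
    print("hash problems:", validate_hashes(recs))
    print("copies of the sample:", copies_of_sample(recs))
    print("same content, different names:", same_content(recs))
```

Run as a script it reports no malformed digests, lists wrfvabf as a copy of the sample, and shows build3.exe and mstsca.exe as one SHA256 under two paths; the two E8DB.exe spellings collapse into a single path after normalization, so they are not reported as a copy.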

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-26 16:08

Reported

2023-09-26 16:11

Platform

win10v2004-20230915-en

Max time kernel

96s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40C9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3664 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 3664 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3168 wrote to memory of 3664 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3168 wrote to memory of 3664 N/A N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3168 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\40C9.exe
PID 3168 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\40C9.exe
PID 3168 wrote to memory of 936 N/A N/A C:\Users\Admin\AppData\Local\Temp\40C9.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe
PID 3664 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\3F80.exe C:\Users\Admin\AppData\Local\Temp\3F80.exe

Uses Task Scheduler COM API

persistence
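
The signature tables above name the behaviours (Modifies file permissions, Windows security modification, UAC bypass) but the command lines that produced them only appear in the Processes listing that follows. The script below is an added example, not part of the sandbox output and not a vendor ruleset: it runs four hand-written regex detections over a constructed list of command lines copied from this report's Processes section. The rule names, patterns and explanations are this example's own; the icacls, Add-MpPreference, `--Admin IsNotAutoStart IsNotTask` and regsvr32 lines are quoted from the report.

```python
"""Turn this report's Processes command lines into detections.
Added example, not part of the sandbox output. COMMAND_LINES is a constructed
subset copied from the Processes listing; the rule names, patterns and
descriptions are this example's own, not a vendor ruleset.
"""
import re

COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe"',
    r'icacls "C:\Users\Admin\AppData\Local\eb3b28dd-6212-440b-a24a-92d373a22742" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\3F80.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\40C9.exe" -Force',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F6F.dll',
    r'"C:\Windows\system32\net.exe" helpmsg 8',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 272',
    r'powershell -nologo -noprofile',
]

GUID = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
TEMP = r'\\AppData\\Local\\Temp\\'   # literal backslashes in the regex

# (rule name, compiled pattern, what a hit means)
RULES = [
    ("icacls_deny_everyone",
     re.compile(r'\bicacls\b.*\\AppData\\Local\\' + GUID + r'\b.*?/deny\s+\*S-1-1-0:', re.I),
     "Everyone (S-1-1-0) denied rights on a GUID-named directory under AppData, "
     "so the dropped payloads resist cleanup (report: Modifies file permissions)"),
    ("defender_exclusion_temp",
     re.compile(r'\bAdd-MpPreference\b.*-ExclusionPath\s+"?[^"\s]*' + TEMP, re.I),
     "Microsoft Defender exclusion added for a file in the user's Temp directory "
     "(report: Windows security modification)"),
    ("djvu_elevated_relaunch",
     re.compile(r'--Admin\s+IsNotAutoStart\s+IsNotTask\b'),
     "the argument string STOP/Djvu passes when it re-launches itself elevated "
     "(report: UAC bypass)"),
    ("regsvr32_temp_dll",
     re.compile(r'\bregsvr32(?:\.exe)?\b.*?/s\s+"?[^"\s]*' + TEMP + r'[^"\s]*\.dll', re.I),
     "regsvr32 silently registering a DLL dropped in Temp: a signed system "
     "binary loading unsigned code"),
]

def scan(cmdlines):
    """(rule name, command line) for every rule that fires on a line, in line order."""
    return [(name, line) for line in cmdlines
            for name, pattern, _ in RULES if pattern.search(line)]

def unmatched(cmdlines):
    """Lines no rule fires on; triage these by hand rather than assume benign."""
    return [line for line in cmdlines
            if not any(pattern.search(line) for _, pattern, _ in RULES)]

def summarize(cmdlines):
    """Hit count per rule, including rules with zero hits."""
    counts = {name: 0 for name, _, _ in RULES}
    for name, _ in scan(cmdlines):
        counts[name] += 1
    return counts

if __name__ == "__main__":
    explain = {name: why for name, _, why in RULES}
    for name, line in scan(COMMAND_LINES):
        print(f"[{name}] {line}\n    {explain[name]}")
    print(f"{len(unmatched(COMMAND_LINES))} line(s) matched no rule")
```

Each rule is deliberately narrow (a GUID-named directory, a Temp path, the exact relaunch arguments) so that an administrator running icacls /grant on a user folder or a legitimate Add-MpPreference on a program directory does not fire it; the unmatched lines (the sample itself, net helpmsg, WerFault, a bare powershell) are returned for manual triage rather than silently treated as clean.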

Processes

C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe

"C:\Users\Admin\AppData\Local\Temp\dc8b62f26d484155e682b99547dc4861f2bf10fe7f2c2ff29ff948295022ab66_JC.exe"

C:\Users\Admin\AppData\Local\Temp\3F80.exe

C:\Users\Admin\AppData\Local\Temp\3F80.exe

C:\Users\Admin\AppData\Local\Temp\40C9.exe

C:\Users\Admin\AppData\Local\Temp\40C9.exe

C:\Users\Admin\AppData\Local\Temp\3F80.exe

C:\Users\Admin\AppData\Local\Temp\3F80.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\eb3b28dd-6212-440b-a24a-92d373a22742" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3F80.exe

"C:\Users\Admin\AppData\Local\Temp\3F80.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\40C9.exe" -Force

C:\Users\Admin\AppData\Local\Temp\50C8.exe

C:\Users\Admin\AppData\Local\Temp\50C8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"

C:\Users\Admin\AppData\Local\Temp\3F80.exe

"C:\Users\Admin\AppData\Local\Temp\3F80.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 836 -ip 836

C:\Users\Admin\AppData\Local\Temp\68F5.exe

C:\Users\Admin\AppData\Local\Temp\68F5.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\68F5.exe

C:\Users\Admin\AppData\Local\Temp\68F5.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\68F5.exe

"C:\Users\Admin\AppData\Local\Temp\68F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\73E4.exe

C:\Users\Admin\AppData\Local\Temp\73E4.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\68F5.exe

"C:\Users\Admin\AppData\Local\Temp\68F5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3556 -ip 3556

C:\Users\Admin\AppData\Local\Temp\is-OG4AH.tmp\is-TH0VI.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OG4AH.tmp\is-TH0VI.tmp" /SL4 $140236 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2088 -ip 2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mscorsvw.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4d3a46f8,0x7fff4d3a4708,0x7fff4d3a4718

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 568

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6F6F.dll

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F6F.dll

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 568

C:\Users\Admin\AppData\Local\Temp\6422.exe

C:\Users\Admin\AppData\Local\Temp\6422.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4d3a46f8,0x7fff4d3a4708,0x7fff4d3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=mscorsvw.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1768,104560240790068802,4047204204516550136,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
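Two entries in the process list above are worth turning into detection logic: the netsh advfirewall command that adds an inbound allow rule for C:\Windows\rss\csrss.exe (once wrapped in cmd.exe /C, once as the netsh process itself), and csrss.exe running from C:\Windows\rss instead of System32, a name collision with the real client/server runtime subsystem. The Python below is an added example written for this page, not sandbox output or any code from the sample. The event records are constructed from the command lines listed above; the system-binary list and the directory prefixes a firewall allow rule may legitimately point at are assumptions to tune per environment.

```python
import re

# Assumed detection lists (not from the report): binaries that should only run
# from the system directories, and directories a firewall "allow program" rule
# may point at without raising a hit. Tune per environment.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
ALLOWED_PROGRAM_PREFIXES = SYSTEM_DIRS + (r"c:\program files",)

NETSH_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
PROGRAM_ARG = re.compile(r'program=(?:"([^"]*)"|(\S+))', re.I)
ACTION_ARG = re.compile(r"\baction=(\w+)", re.I)


def split_path(path):
    """Lower-cased (directory, file name) of a Windows path; surrounding quotes stripped."""
    p = path.strip('"').lower()
    head, _, name = p.rpartition("\\")
    return head, name


def untrusted_firewall_program(cmdline):
    """If cmdline adds an 'allow' firewall rule for a program outside the allowed
    prefixes, return that program path; otherwise None. Matches both the bare
    netsh line and a cmd.exe /C wrapper around it, since the rule text is inside."""
    if not NETSH_ADD_RULE.search(cmdline):
        return None
    action = ACTION_ARG.search(cmdline)
    if action and action.group(1).lower() != "allow":
        return None
    m = PROGRAM_ARG.search(cmdline)
    if not m:
        return None
    program = m.group(1) or m.group(2)
    head, _ = split_path(program)
    return None if head.startswith(ALLOWED_PROGRAM_PREFIXES) else program


def masquerading_system_binary(image):
    """True when a well-known system binary name runs from outside System32/SysWOW64."""
    head, name = split_path(image)
    return name in SYSTEM_BINARIES and head not in SYSTEM_DIRS


def scan(events):
    """Return (rule, image, detail) hits for a list of {"image", "cmdline"} events."""
    hits = []
    for ev in events:
        program = untrusted_firewall_program(ev["cmdline"])
        if program:
            hits.append(("firewall_allow_untrusted_program", ev["image"], program))
        if masquerading_system_binary(ev["image"]):
            hits.append(("system_binary_outside_system_dir", ev["image"], ev["image"]))
    return hits


# Constructed sample: image paths and command lines copied from the process list above.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'},
    {"image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nologo -noprofile"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US'},
]

if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image} -> {detail}")
```

Run against the constructed events this yields three hits: the firewall rule fires on both the cmd.exe wrapper and the netsh child, and the path check fires on C:\Windows\rss\csrss.exe; the repeated `powershell -nologo -noprofile` launches and the Edge renderer produce nothing. Including C:\Program Files in the allowed prefixes keeps ordinary installer rules quiet but would also have passed a rule for the PA Previewer binary dropped in this run, so that prefix is the knob to tighten on hosts where installs are rare.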

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
PL 146.59.10.173:45035 - tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 28.246.36.23.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
IE 34.255.171.99:443 mscom.demdex.net tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 99.171.255.34.in-addr.arpa udp
N/A 224.0.0.251:5353 - udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 gudintas.at udp
MX 201.124.210.95:80 gudintas.at tcp
US 8.8.8.8:53 95.210.124.201.in-addr.arpa udp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
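Most rows in the table above are not the sample's own behaviour: the 8.8.8.8:53 rows are resolver traffic, the in-addr.arpa names are reverse lookups the sandbox performs on every peer, and the microsoft.com, azure.com, demdex.net and omtrdc.net hosts are Edge telemetry pulled in by the fwlink redirect. What remains is a short list of payload contacts, two IP-check services, three direct-to-IP connections (one on a non-standard port), and five connections in a row to gudintas.at. The Python below is an added example for this page, not part of the report, that parses rows in the table's own format, sorts them into those categories and surfaces repeat connections. The sample rows are copied from the table; the IP-check host set and benign suffix list are assumptions.

```python
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Assumed classification lists (not from the report): hosts that only reveal the
# sandbox's public IP, and suffixes of the Edge/Microsoft telemetry seen above.
IP_CHECK_HOSTS = {"api.2ip.ua", "iplogger.com"}
BENIGN_SUFFIXES = ("microsoft.com", "azure.com", "demdex.net", "omtrdc.net")
RESOLVER_IP = "8.8.8.8"


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(line):
    """Parse one 'Country Destination Domain Proto' row. The domain column may be
    absent or written as '-' for direct-IP and multicast traffic."""
    fields = line.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    if domain == "-":
        domain = None
    ip, _, port = dest.rpartition(":")
    return Row(country, ip, int(port), domain, proto)


def classify(row):
    if row.domain and row.domain.endswith(".in-addr.arpa"):
        return "reverse_dns"        # sandbox PTR lookups, not sample behaviour
    if row.ip == RESOLVER_IP:
        return "dns_query"          # keep the queried name, drop the resolver
    if row.ip.startswith("224."):
        return "multicast"          # e.g. mDNS on 224.0.0.251:5353
    if row.domain is None or row.domain == row.ip:
        return "direct_ip"          # hard-coded C2 addresses, no DNS involved
    if row.domain in IP_CHECK_HOSTS:
        return "ip_check_service"
    if any(row.domain == s or row.domain.endswith("." + s) for s in BENIGN_SUFFIXES):
        return "benign_telemetry"
    return "suspect_c2"


def triage(raw_table):
    """Map category -> Counter of indicators, so repeat connections are counted."""
    by_cat = defaultdict(Counter)
    for line in raw_table.strip().splitlines():
        row = parse_row(line)
        cat = classify(row)
        key = row.domain if cat in ("reverse_dns", "dns_query") else f"{row.domain or row.ip}:{row.port}"
        by_cat[cat][key] += 1
    return by_cat


def ioc_list(by_cat):
    """Indicators worth blocking: suspect domains plus direct-IP peers."""
    return sorted(set(by_cat["suspect_c2"]) | set(by_cat["direct_ip"]))


def beacon_candidates(by_cat, min_hits=3):
    """Suspect hosts contacted repeatedly within one run (possible check-in loop)."""
    return sorted(k for k, n in by_cat["suspect_c2"].items() if n >= min_hits)


# Constructed sample: a subset of rows copied verbatim from the table above.
RAW_TABLE = """
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
PS 213.6.54.58:443 alayyadcare.com tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
DE 148.251.234.93:443 iplogger.com tcp
PL 146.59.10.173:45035 tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
N/A 224.0.0.251:5353 udp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
"""

if __name__ == "__main__":
    result = triage(RAW_TABLE)
    for cat in sorted(result):
        print(cat, dict(result[cat]))
    print("IOCs:", ioc_list(result), "beaconing:", beacon_candidates(result))
```

On the sample rows `ioc_list` returns the five payload domains plus the three direct-IP peers, and `beacon_candidates` returns only gudintas.at:80. The direct-IP rows are the ones to block by address rather than by name, since nothing was resolved for them; the 146.59.10.173:45035 connection in particular has no domain and a high port, which matches the RedLine-style raw TCP C2 the summary tags suggest but which the table alone cannot prove.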

Files

memory/2648-0-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2648-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2648-2-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3168-3-0x00000000028D0000-0x00000000028E6000-memory.dmp

memory/2648-4-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2648-7-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2648-8-0x00000000001C0000-0x00000000001C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F80.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\40C9.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/3664-20-0x0000000004250000-0x00000000042F1000-memory.dmp

memory/3664-22-0x0000000004350000-0x000000000446B000-memory.dmp

memory/4520-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4520-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4520-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-28-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/936-26-0x00000000003A0000-0x0000000000432000-memory.dmp

memory/4520-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-30-0x0000000004FB0000-0x000000000504C000-memory.dmp

memory/936-31-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/936-32-0x0000000005490000-0x0000000005522000-memory.dmp

memory/936-38-0x0000000005140000-0x0000000005150000-memory.dmp

C:\Users\Admin\AppData\Local\eb3b28dd-6212-440b-a24a-92d373a22742\3F80.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/936-42-0x0000000004F10000-0x0000000004F4A000-memory.dmp

memory/936-43-0x0000000004F50000-0x0000000004F6A000-memory.dmp

memory/3168-44-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-46-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-47-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-48-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-45-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-50-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-49-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-54-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-52-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-63-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50C8.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/3168-67-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/1592-73-0x00000000041E0000-0x0000000004281000-memory.dmp

memory/836-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/936-93-0x0000000074480000-0x0000000074C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6422.exe

MD5 f13c46c4500e163f3fe8a6e4d6c9a67e
SHA1 d24ebe94d1c630980e6a87058e3300ed0d9866f9
SHA256 d0aac820e2a832759cf1fe873cebe6e45649de81393b1bd631455274011ed03b
SHA512 dfdf41f09d13cc62eca75339a19ad0006a5f81f4aa8dc9c06753508c0b2c8e08475e6da59b09fe295b1d29a36fbbc65fb5f1f0d5a9c6b21a7151efefaa8cd4ef

memory/4020-96-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/3168-97-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/4020-99-0x0000000004510000-0x0000000004546000-memory.dmp

memory/2752-100-0x0000000002670000-0x0000000002770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\68F5.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/4020-107-0x0000000004BA0000-0x00000000051C8000-memory.dmp

memory/2752-101-0x00000000040A0000-0x00000000040A9000-memory.dmp

memory/836-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-122-0x0000000000400000-0x0000000002599000-memory.dmp

memory/2544-124-0x0000000004370000-0x000000000448B000-memory.dmp

memory/2544-128-0x0000000004100000-0x000000000419A000-memory.dmp

memory/4068-129-0x00007FF6C1800000-0x00007FF6C18A2000-memory.dmp

memory/1488-131-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-134-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1488-143-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-144-0x0000000002610000-0x0000000002710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ix2ls2t5.lpc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1180-156-0x00000000025E0000-0x00000000025E9000-memory.dmp

memory/2636-164-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4704-167-0x0000000074480000-0x0000000074C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\6F6F.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/4020-182-0x0000000005630000-0x0000000005984000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\73E4.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

memory/3784-186-0x00000000003A0000-0x0000000000514000-memory.dmp

memory/4704-187-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4480-195-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/4480-194-0x0000000000930000-0x0000000000936000-memory.dmp

memory/3480-196-0x0000000004770000-0x0000000004B71000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

memory/3480-198-0x0000000004B80000-0x000000000546B000-memory.dmp

memory/3168-199-0x0000000002CD0000-0x0000000002CE6000-memory.dmp

memory/4020-203-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4020-204-0x0000000004560000-0x0000000004570000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 c6a36bbb30535b9de5bd886e3481dc6b
SHA1 7e969c08660f5ba5b21fdfc41f665a8ac30e8311
SHA256 82653b4b36e7d82041aeacb2ae2aebc37406069721d03f89c2d2b62d71ad57e3
SHA512 9942602f219c746b5ffc794b7f0a55a84ab4691ee73e88f61c8b0fbb360050a1137437131149019dbce0ded834560a0c6af7b28068b3906ddfd3cde4105a9bb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9b3947ff33696dbd8c370c804fee2698
SHA1 5f640d476a99cf7bcd3499f072b4fbc3cca6ae73
SHA256 25733c99d8a7d415c384bec06b4bcc9860afecfd04a31b71e682e4564dee3e42
SHA512 eae9d2beac5eaa33e0f142432a7632b2d3a3cee02e0c0fd33ee656e6d99e3bf0f4a58bbeb5258ed6c7eb32228722b4cfaf0f87f46e3f2b4ff4b7e8d22f680951

memory/3784-189-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/1488-205-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2636-169-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4020-162-0x00000000055C0000-0x0000000005626000-memory.dmp

memory/1488-161-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3480-228-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2088-243-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1516-246-0x0000000004188000-0x0000000004219000-memory.dmp

memory/4388-249-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/2088-254-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2812-252-0x0000000001460000-0x0000000001470000-memory.dmp

memory/2088-273-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AHANA.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-AHANA.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Temp\is-OG4AH.tmp\is-TH0VI.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/3784-247-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/4388-245-0x0000000002890000-0x0000000002896000-memory.dmp

memory/2812-241-0x0000000000C20000-0x0000000000C28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/3184-297-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3184-301-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4388-227-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4712-224-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2752-202-0x0000000000400000-0x0000000002599000-memory.dmp

memory/4020-159-0x0000000005550000-0x00000000055B6000-memory.dmp

memory/4020-150-0x0000000005390000-0x00000000053B2000-memory.dmp

memory/3480-300-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/4480-309-0x0000000010000000-0x00000000101A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4480-320-0x0000000002670000-0x0000000002778000-memory.dmp

memory/3168-92-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/836-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3168-83-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-82-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

memory/3168-79-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-76-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/4968-75-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4704-72-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/3168-71-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-69-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/4704-70-0x0000000000CD0000-0x0000000001364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50C8.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/936-60-0x0000000074480000-0x0000000074C30000-memory.dmp

memory/3168-59-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/3168-57-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/4520-56-0x0000000000400000-0x0000000000537000-memory.dmp

\??\pipe\LOCAL\crashpad_2236_MJFENOSJXHAZZYUC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\3F80.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/4480-342-0x0000000002780000-0x000000000286D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9dd26c3203ecfa5de2cb8133a3a45fe2
SHA1 5728d3518120ceb7b2ccc78c7a0b6dcc3acc5a4f
SHA256 d4915db1d03dee479dd02b8a9c2affa8eb90ff22ad30d56638cfea9bb87a0fce
SHA512 e8b1c31fcbfb3ec5d74c29f547846181fc3fa84a79bfba70308f6761a5e35bd4f9a720f1e6104d2edba28f0464341daea91b4fc845be11bb968b5390ff9f621b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fd391a1c5885b23e948f29b62cbbf57a
SHA1 0fe4fbff8ce01188a103a47bb83156663a8a541a
SHA256 ac8647a55f2ed4e7e562fd19a748fffeb308c88115af44a21fdb9705ac84783b
SHA512 e114ff4ae253a639a76fde392e5c775b4f84ad7c107088149051fa0bf8d20d3258edb650bf833d5d6cf192958f0c4510e9b0c680ff264f17cb0e61dbedab07bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b69d8f0e095738fad0040053d0e97fc3
SHA1 741a68985bdd4c5b1c20bc537593544f0f40cc11
SHA256 9c47107907351e8b4fe3bf0dc47d9944d52d456e2872e1a4c1b03bbf405dbe8c
SHA512 d9abb832781772a4efc9258722cdf9d64fe90f30b4a6495c2ef534acb1cd216c45737c45c331a57b8e91eef7525ba72132ce1416be96a12a75bfabe1f470e0e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fd391a1c5885b23e948f29b62cbbf57a
SHA1 0fe4fbff8ce01188a103a47bb83156663a8a541a
SHA256 ac8647a55f2ed4e7e562fd19a748fffeb308c88115af44a21fdb9705ac84783b
SHA512 e114ff4ae253a639a76fde392e5c775b4f84ad7c107088149051fa0bf8d20d3258edb650bf833d5d6cf192958f0c4510e9b0c680ff264f17cb0e61dbedab07bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44fee590c4313c2554e4f68c40758b70
SHA1 4230701ee9d243f22b728b2a741b46094c1a1606
SHA256 53449003b7a41a56d0420b2f7d0f7c9a158d5fcd883361cd00fcc9c1d9c1ebdc
SHA512 5ba5a7bc68dc6ac0046ed9db5b069ad26a89e3812cd094df304f856744e60d0dcbeb93a2222a2d2c32da0824353cd982e27a5a9a164e234c2962ef3ffd726fed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0e4140d34269610edb34fc7f5d972cbc
SHA1 53a54ea3aa8825f45e43ae7a72c595fee7a7955a
SHA256 6ca44dd3f49d3affa7ef26b2aa88deebb06d30a8920e4ab08c81bca5f1edb018
SHA512 be27abd9c8c75b5e37a0e4e7e36a7feaeba7e4f7ee897b08790c0e7f3451c8ff4ba6abeeba86a7ef7972fc6df47ff9faaa8272c8f11c13e1a1f4af77e497fd7c

C:\Users\Admin\AppData\Roaming\sigertg

MD5 f13c46c4500e163f3fe8a6e4d6c9a67e
SHA1 d24ebe94d1c630980e6a87058e3300ed0d9866f9
SHA256 d0aac820e2a832759cf1fe873cebe6e45649de81393b1bd631455274011ed03b
SHA512 dfdf41f09d13cc62eca75339a19ad0006a5f81f4aa8dc9c06753508c0b2c8e08475e6da59b09fe295b1d29a36fbbc65fb5f1f0d5a9c6b21a7151efefaa8cd4ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 776864159109340fb35dd220b7f1561d
SHA1 ce4d639d000b02f5f580dd3f1ebd1a8c7a193784
SHA256 9846daf99d6375b48e8c101dcf6e28263569d857cb339649d4a652b72ab45484
SHA512 e5d322afb8dcdc4323de9799ffa5e47b9bae107143f992787b5cb9da49a837b28e31e67f912b238f4f6d3ef69f7dcdefb9a5dc5226b591ff40c6a2b52d65af6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0767817941e018ba67b86c5c237356f4
SHA1 5c2104a762c33dffd6a7fc98f591ff0314963217
SHA256 d80511c4962ecaa5a6c3f6112e781b2cbb9dc8b922742cfc2a8b7677aa049b93
SHA512 198f91c059b0f82f7590dfdbfe82e0e3eb871ce2c2188143c5233ace41369b2e58495ebd640564c07e4940a676cc875b32d7c263aca0faafad06ef0aeebef540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a0783.TMP

MD5 5a8a48f0fa80e0593f6ecc4e86d946da
SHA1 03235e2e503d593910f3f726f2c2bea3dee0265f
SHA256 0d81745c2bb0e63b5de1674db8533d794ed1cec8a4973b4237ac6c5632db4299
SHA512 50a4a4ce8cd67c295df1d923bcb072b7afd11dfbb77b0f3799a99ad2857f7bdd9ae79bf02a194eef38613453f2ec13580fd06d6b5aef61791342ad3e91633e72

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9151fc95cbfa11a1d1e5a031587c4ce7
SHA1 24f56cef2be614407f19ea3e34c9341e09fc1dc4
SHA256 4d313eadeb2fe5d53edc22dfad7e7e486606392c506a864a93e12f125b2fa4d4
SHA512 2ece95b296fd918c924571607241628bf03f36270e06d07198708293c320e5cd8a07f38890b6a99c63f2e78ba4009d93743248d1bdec3ec1e4a4b3be927ba37e