Malware Analysis Report

2025-04-14 07:00

Sample ID 230927-cqkr3afa6w
Target e00d940074426874a881b3528d394208.bin
SHA256 527c6f8b9a106489a0297d3966761c5d30b1c82838f43f175e62802f20f80ef9
Tags
djvu glupteba redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan pub1 upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

527c6f8b9a106489a0297d3966761c5d30b1c82838f43f175e62802f20f80ef9

Threat Level: Known bad

The file e00d940074426874a881b3528d394208.bin was found to be: Known bad.

Malicious Activity Summary

djvu glupteba redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan pub1 upx

Windows security bypass

Glupteba payload

UAC bypass

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

RedLine

Glupteba

Vidar

Downloads MZ/PE file

Windows security modification

Modifies file permissions

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 02:16

Reported

2023-09-27 02:19

Platform

win7-20230831-en

Max time kernel

113s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D0AA.exe = "0" C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F29E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D0AA.exe = "0" C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02999d13-f697-4550-b33f-cf8311b87b54\\C7D1.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-UB62L.tmp C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-TLBHV.tmp C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GQNPN.tmp C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-Q2E9L.tmp C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\F29E.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E78F4A0-5CDC-11EE-A954-C6D3BD361474} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\CD11.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\C7D1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 1188 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 1188 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 1188 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 1188 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1188 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2384 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2604 wrote to memory of 1480 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1188 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 1188 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 1188 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 1188 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 2580 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 1188 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0AA.exe
PID 1188 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED50.exe
PID 2984 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Windows\SysWOW64\icacls.exe
PID 2440 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\CD11.exe C:\Users\Admin\AppData\Local\Temp\CD11.exe
PID 1188 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\F29E.exe
PID 2984 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\C7D1.exe C:\Users\Admin\AppData\Local\Temp\C7D1.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D0AA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe

"C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe"

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CAEE.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CAEE.dll

C:\Users\Admin\AppData\Local\Temp\CD11.exe

C:\Users\Admin\AppData\Local\Temp\CD11.exe

C:\Users\Admin\AppData\Local\Temp\CD11.exe

C:\Users\Admin\AppData\Local\Temp\CD11.exe

C:\Users\Admin\AppData\Local\Temp\D0AA.exe

C:\Users\Admin\AppData\Local\Temp\D0AA.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\02999d13-f697-4550-b33f-cf8311b87b54" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\ED50.exe

C:\Users\Admin\AppData\Local\Temp\ED50.exe

C:\Users\Admin\AppData\Local\Temp\CD11.exe

"C:\Users\Admin\AppData\Local\Temp\CD11.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F29E.exe

C:\Users\Admin\AppData\Local\Temp\F29E.exe

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

"C:\Users\Admin\AppData\Local\Temp\C7D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CD11.exe

"C:\Users\Admin\AppData\Local\Temp\CD11.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

"C:\Users\Admin\AppData\Local\Temp\C7D1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 92

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D0AA.exe" -Force

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PDR89.tmp\is-25S05.tmp" /SL4 $201F2 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe

"C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe"

C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe

"C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build3.exe

"C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe

"C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe"

C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe

"C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build2.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build3.exe

"C:\Users\Admin\AppData\Local\de811d8a-3484-41da-a39d-fdc150e41d97\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230927021856.log C:\Windows\Logs\CBS\CbsPersist_20230927021856.cab

C:\Windows\system32\taskeng.exe

taskeng.exe {94B07DBC-5536-4468-B750-54F47EE9D514} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 colisumy.com udp
AR 186.13.17.220:80 colisumy.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.170:80 apps.identrust.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
DE 116.202.182.4:80 116.202.182.4 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
PL 146.59.10.173:45035 tcp

Files

memory/1376-0-0x0000000000220000-0x0000000000235000-memory.dmp

memory/1376-1-0x0000000000240000-0x0000000000249000-memory.dmp

memory/1376-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1376-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1188-3-0x0000000002A40000-0x0000000002A56000-memory.dmp

memory/1376-7-0x0000000000240000-0x0000000000249000-memory.dmp

memory/1376-8-0x0000000000220000-0x0000000000235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7D1.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2384-18-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2384-19-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2384-20-0x0000000003ED0000-0x0000000003FEB000-memory.dmp

memory/2984-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAEE.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

C:\Users\Admin\AppData\Local\Temp\CD11.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2580-36-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2984-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-43-0x0000000003FB0000-0x00000000040CB000-memory.dmp

memory/2984-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2440-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-39-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0AA.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

memory/2440-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2440-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2972-56-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/1480-57-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/1480-58-0x00000000000D0000-0x00000000000D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDB62.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarDDC5.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca7bbbed2a26de0f45f168e1249942b4
SHA1 88b106fd7f039937dac6b23d8fe318d8351ffe52
SHA256 0f3623e2f43dd5fa4d85144551e93a1f0143a1573bc1795ba337e15837d24143
SHA512 9c44245135b7c28863e5e7f1932ae451670c9fecdd45ec2d90902a476c36c02665e074295358314543a5e9945e52372375c00f0269c860975b8c6efa28cee811

memory/2972-91-0x0000000000B40000-0x0000000000BC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 74a48d683fb12ade04164d3ebe47fab5
SHA1 08f13ca28a14eb8c3d20eaf9f869a9890945b78b
SHA256 8e7c7a4bedf00e699b94578d14214c0d9f02f63393ad110c11b3525ae87608c3
SHA512 2692e2aa9184eb8212a0e97f461b7cbbf404961c0a6533969e82d816ab8ad61eb227e8b77eaa94f4033b03f3572c40b3cd385e528e80832ae752303f4460195b

memory/1480-100-0x00000000022D0000-0x00000000023D8000-memory.dmp

memory/1480-101-0x00000000023E0000-0x00000000024CD000-memory.dmp

memory/1480-104-0x00000000023E0000-0x00000000024CD000-memory.dmp

memory/1480-105-0x00000000023E0000-0x00000000024CD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 967d5ad2683698acd30f5346e07065c9
SHA1 aea650641a36d19dc08a6846d1dbcb07951bcb19
SHA256 824569bc3b4543c779fe11bdc8766ace617126a123b68978e161aa490ac261f3
SHA512 9dcfddbaf872c5891181c9ce9842ea81887d6e95e90e7ff37a87bcc88f946108489e22ba24c50b45ce64e1e171a6aa5299ae39067c295165d98f438129a9f617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a64f8f662e18f4417661bf752f883bdc
SHA1 b7caf0b582ad9e1681de06ca3f729f555d5365f1
SHA256 c8e4e8a6c2f4688a8ecf0faf3aa6a0656f75a0a8c975d864ed64b0f499c3c5e0
SHA512 844b724f8e916c7484323af70f08dde96b999b0f280b860290ec004d46acef7129d5f002a10e183ba1aa1f0e2412ecfd0e8548640c50c27610bb60423d92dd96

C:\Users\Admin\AppData\Local\Temp\ED50.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/1580-139-0x0000000000EC0000-0x0000000001554000-memory.dmp

memory/1580-140-0x0000000074310000-0x00000000749FE000-memory.dmp

C:\Users\Admin\AppData\Local\02999d13-f697-4550-b33f-cf8311b87b54\C7D1.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\F29E.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

memory/2440-150-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2992-153-0x00000000002B0000-0x0000000000341000-memory.dmp

memory/2984-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2992-161-0x00000000002B0000-0x0000000000341000-memory.dmp

memory/1240-169-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/2972-164-0x00000000009F0000-0x0000000000A30000-memory.dmp

memory/1240-163-0x0000000000350000-0x00000000003E2000-memory.dmp

memory/1064-174-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1064-175-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2972-183-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/944-184-0x00000000FF040000-0x00000000FF0E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2972-194-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/2376-202-0x00000000026B0000-0x00000000027B0000-memory.dmp

memory/1888-203-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2376-204-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1888-206-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2196-216-0x00000000041F0000-0x00000000045E8000-memory.dmp

memory/1580-221-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2196-222-0x00000000041F0000-0x00000000045E8000-memory.dmp

memory/2972-223-0x00000000009F0000-0x0000000000A30000-memory.dmp

memory/2196-224-0x00000000045F0000-0x0000000004EDB000-memory.dmp

memory/2972-225-0x0000000000630000-0x000000000064A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2116-227-0x0000000000CC0000-0x0000000000E34000-memory.dmp

memory/2196-228-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2116-229-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/1888-231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1188-230-0x0000000002A60000-0x0000000002A76000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a64f8f662e18f4417661bf752f883bdc
SHA1 b7caf0b582ad9e1681de06ca3f729f555d5365f1
SHA256 c8e4e8a6c2f4688a8ecf0faf3aa6a0656f75a0a8c975d864ed64b0f499c3c5e0
SHA512 844b724f8e916c7484323af70f08dde96b999b0f280b860290ec004d46acef7129d5f002a10e183ba1aa1f0e2412ecfd0e8548640c50c27610bb60423d92dd96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 967d5ad2683698acd30f5346e07065c9
SHA1 aea650641a36d19dc08a6846d1dbcb07951bcb19
SHA256 824569bc3b4543c779fe11bdc8766ace617126a123b68978e161aa490ac261f3
SHA512 9dcfddbaf872c5891181c9ce9842ea81887d6e95e90e7ff37a87bcc88f946108489e22ba24c50b45ce64e1e171a6aa5299ae39067c295165d98f438129a9f617

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 74a48d683fb12ade04164d3ebe47fab5
SHA1 08f13ca28a14eb8c3d20eaf9f869a9890945b78b
SHA256 8e7c7a4bedf00e699b94578d14214c0d9f02f63393ad110c11b3525ae87608c3
SHA512 2692e2aa9184eb8212a0e97f461b7cbbf404961c0a6533969e82d816ab8ad61eb227e8b77eaa94f4033b03f3572c40b3cd385e528e80832ae752303f4460195b

memory/1064-248-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1064-249-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2432-252-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2432-253-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2432-254-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2432-261-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2104-272-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2432-273-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2432-277-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2104-276-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2432-258-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2432-278-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2432-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1064-283-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\F29E.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

memory/2324-291-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2324-293-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Local\Temp\F29E.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

memory/2432-289-0x0000000000380000-0x0000000000386000-memory.dmp

memory/2972-307-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2116-316-0x0000000074310000-0x00000000749FE000-memory.dmp

C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/756-328-0x00000000026E2000-0x0000000002711000-memory.dmp

memory/756-330-0x0000000000220000-0x0000000000271000-memory.dmp

memory/272-340-0x0000000000A60000-0x0000000000A68000-memory.dmp

C:\Users\Admin\AppData\Local\db246c22-0f53-45e9-bea6-e3611037a38c\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/272-500-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

memory/2080-533-0x00000000026B2000-0x00000000026E1000-memory.dmp

memory/1452-536-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2484-537-0x00000000714B0000-0x0000000071A5B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2694d7dbcf1850f41dc26d21010282b2
SHA1 0cc516dd4502fbb03463c0c682e46de66889c102
SHA256 de9dd68090ec6fb14c7b3840a7cc5e76e194c5fe9648bba491dddb124af7f57d
SHA512 46dd8ce7a7235ab83f9fe48fd9d4da4ea3115053f9afdd7ba2af3d1e7a1ad402d717b220043f921fb5dbf0d84eafaa825fa6397f7c5eb6cc76c3a88dcdb9cbbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59a3b9cc39b2434b727e56d439eedf84
SHA1 d90fab77d92b6265ee69494196ac8fb563740ed9
SHA256 1ae93be4f6f25ee3ec792374bc0fb60d7860caf9246fbcdb613b33edc5649365
SHA512 a3c860ce288790ab98be34b3222e86b39beeb8f5600d51505fb4708c6ef6052b6641064fb3ffe171c64275b475e40c08b1a5b8014eb1a136b751c1f27e02a7ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e951f1fd4f307801218fb5d3034a817
SHA1 f9356951e0d4d43eb90ea11d0ae6e9740a6eb33e
SHA256 a9002af371c05400bf8cb43d192630ffcba513c1c3793acee341ed4b7261bfd1
SHA512 6f0d7413f2d0b28299fccc0a8edc916f8efb90074721cf6c274bd2a26b00bea6f44ffb29f6453734201475133f9c998f7caa3c1a8eb8a09d057460b63c7ea398

memory/2484-678-0x00000000714B0000-0x0000000071A5B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0b8212ee26683031b15c4d80b2d80be
SHA1 9d3d00556dc69f037dafe135b9aa3efc7aced09e
SHA256 b5d11f6f7415445cb9cb5e8a0446cbe633df7d574d7ac596f29eed71935ecd72
SHA512 9e90f493f71fa5cef092af2b270477635d76e992a4a90ec22c25cfe39b204e918d58934d599ba86b84336dbd94ade2fac712d185a8476b1e99a19292589b93c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce8eb349073a5acf98ccaf43e6b3f9d5
SHA1 fbb9d5abd6bc5368947e42251a3de80dce420378
SHA256 fe7586673b400c9056302d9a83db48eec233f50a217f68b7dd3c31a5a4b559b2
SHA512 6da1b77b812d69cf2b4d1ec0bbfdfd9da11e6ff35bed0fe9c48be1e0456d22009716b825555657cef3c546cacb1283d4fa4b14ca7aea434ed74f994a6881ece2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 583b32d127e4b90309fa76c39f4f0ec6
SHA1 1ba436830d5d5b1cb0b021ab0f2ff9e7f505c0c3
SHA256 be66967109ee338a130221db3e32b50b5c9604314e2916eda5c04afcdf510bad
SHA512 de584cea033fae0237be9525f72281e95c48375a25f76a5310e6f80ca1f54e5e5343f35c4f0b79546935039f262d4fcca8d159839100ce8f198948c131b6a08c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b0c4416eff3811d84a3cf60fd9ff936
SHA1 0b36e2b332642e65c65612506ec2f6f76780ce2a
SHA256 d893f5cffa24b45afe6f7ced35be997a480a4c5407aec943991ce9398493d404
SHA512 dd8ecd0edd57182103615d61417fc0c3971617be570303f34df65976e74c99a390e63ae897110d351f310925095df95628ebcbab3918ec7cec7fb6a01751f961

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f229ac50604f15f797a9f53b3b70d0f
SHA1 34e27b2453af7d01313d276ee316a8cdf97bbde0
SHA256 8f06f586c5b0b2b747e0cd94ee62812f8f2d2aaa62d3936df8042b56abd29d62
SHA512 1f31cfba539f5171b1c37031a97c50ca0e8fe24efd9bfc677dfedc4b3d7a7371472f1d4193290af8b3acfce5e007fcc5edf1d898f1aac946da1be4deed22728f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 208187910ad27d253304aa77b8d1905a
SHA1 d4dc1753710e5ed8b75194b4fe02ed1b3f6d453b
SHA256 ffa17503ac1b04852fc68e654d9c61e47d3fd1b457628f0ec3a0d0067b1ae0c4
SHA512 1d57be467c10763c081d3a1e79b8440c49b78e1a580a62b5fcf3886e76e2aa2e142f9c6cb8ed21781afcbfb9c40b83bbd04cf95d68d49119617989b3b4fa56d4

memory/2196-1003-0x00000000041F0000-0x00000000045E8000-memory.dmp

memory/2196-1004-0x00000000045F0000-0x0000000004EDB000-memory.dmp

memory/2196-1005-0x0000000000400000-0x0000000002985000-memory.dmp
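The Files listing above is easiest to work with once it is parsed: the same dropped binary appears under both its Win32 and drive-less path, several entries repeat, and the CryptnetUrlCache metadata file is written again and again with different content. The script below is an added example (mine, not the sandbox's own tooling) that parses an excerpt of the listing, groups paths by SHA256, reports paths that were rewritten with different hashes, and sizes each PID's memory-dump regions from the dump file names. It assumes that a path without a drive letter denotes the same file as its C:\ form, and that a dump named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp covers exactly that virtual address range.

```python
"""Triage helpers for the Files listing of a sandbox report.

Added example, not part of the report or the sandbox vendor's tooling.
Assumptions (mine): a path written without a drive letter ("\\Users\\...")
is the same file as its "C:\\Users\\..." form, and a dump named
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp covers that address range.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of the listing above (SHA512 lines left out).
SAMPLE = r"""
memory/1888-203-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
C:\Users\Admin\AppData\Local\Temp\kos1.exe
MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
memory/2196-216-0x00000000041F0000-0x00000000045E8000-memory.dmp
memory/2196-228-0x0000000000400000-0x0000000002985000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 a64f8f662e18f4417661bf752f883bdc
SHA1 b7caf0b582ad9e1681de06ca3f729f555d5365f1
SHA256 c8e4e8a6c2f4688a8ecf0faf3aa6a0656f75a0a8c975d864ed64b0f499c3c5e0
C:\Users\Admin\AppData\Local\Temp\set16.exe
MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
memory/2432-258-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\set16.exe
MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 2694d7dbcf1850f41dc26d21010282b2
SHA1 0cc516dd4502fbb03463c0c682e46de66889c102
SHA256 de9dd68090ec6fb14c7b3840a7cc5e76e194c5fe9648bba491dddb124af7f57d
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class Dump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def normalize_path(path: str) -> str:
    """Drop the drive letter so 'C:\\Users\\x' and '\\Users\\x' compare equal (assumption)."""
    return re.sub(r"^[A-Za-z]:", "", path)


def parse_listing(text: str):
    """Walk the listing line by line: dump names, hash lines, or a new path entry."""
    entries, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            dumps.append(Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is not None:
                current.hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith(("C:\\", "\\")):
            current = FileEntry(normalize_path(line))
            entries.append(current)
    return entries, dumps


def paths_by_sha256(entries) -> dict:
    """One IOC per distinct content, with every path it was seen at."""
    out = defaultdict(set)
    for e in entries:
        if "SHA256" in e.hashes:
            out[e.hashes["SHA256"]].add(e.path)
    return {h: sorted(p) for h, p in out.items()}


def rewritten_paths(entries) -> dict:
    """Paths written with more than one distinct content hash during the run."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e.hashes:
            seen[e.path].add(e.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def largest_region(dumps) -> dict:
    """Largest dumped region per PID; a multi-MB region at 0x400000 is usually the unpacked image."""
    best = {}
    for d in dumps:
        if d.pid not in best or d.size > best[d.pid].size:
            best[d.pid] = d
    return best


if __name__ == "__main__":
    entries, dumps = parse_listing(SAMPLE)
    print(f"{len(paths_by_sha256(entries))} distinct files, {len(rewritten_paths(entries))} rewritten paths")
    for pid, d in sorted(largest_region(dumps).items()):
        print(f"pid {pid}: 0x{d.start:X}-0x{d.end:X} ({d.size} bytes)")
```

On the full listing the same approach shows PID 2196's region at 0x400000 to be the largest by a wide margin, which is where an unpacker or the sandbox's own signatures would look for the decrypted payload, and it turns the repeated metadata-file entries into a single "rewritten" line instead of ten near-identical blocks.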

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-27 02:16

Reported

2023-09-27 02:19

Platform

win10v2004-20230915-en

Max time kernel

111s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11F8.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\11F8.exe
PID 3152 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\11F8.exe
PID 3152 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\Temp\11F8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe

"C:\Users\Admin\AppData\Local\Temp\c2fb2940935ea5f3ce7817171c7bf160d7ca4b6388e0dcc71dd32e39e0220a39.exe"

C:\Users\Admin\AppData\Local\Temp\11F8.exe

C:\Users\Admin\AppData\Local\Temp\11F8.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1370.dll

C:\Users\Admin\AppData\Local\Temp\11F8.exe

C:\Users\Admin\AppData\Local\Temp\11F8.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1370.dll

C:\Users\Admin\AppData\Local\Temp\14C8.exe

C:\Users\Admin\AppData\Local\Temp\14C8.exe

C:\Users\Admin\AppData\Local\Temp\14C8.exe

C:\Users\Admin\AppData\Local\Temp\14C8.exe

C:\Users\Admin\AppData\Local\Temp\16CD.exe

C:\Users\Admin\AppData\Local\Temp\16CD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c0b3e6e4-f019-4e6f-87bc-aa20fcae0b11" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\14C8.exe

"C:\Users\Admin\AppData\Local\Temp\14C8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16CD.exe" -Force

C:\Users\Admin\AppData\Local\Temp\269D.exe

C:\Users\Admin\AppData\Local\Temp\269D.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\14C8.exe

"C:\Users\Admin\AppData\Local\Temp\14C8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2B80.exe

C:\Users\Admin\AppData\Local\Temp\2B80.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4296 -ip 4296

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\2D75.exe

C:\Users\Admin\AppData\Local\Temp\2D75.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 568

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4196 -ip 4196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 292

C:\Users\Admin\Pictures\0SjvRFPEZRjvppKnSSl6IiOS.exe

"C:\Users\Admin\Pictures\0SjvRFPEZRjvppKnSSl6IiOS.exe"

C:\Users\Admin\Pictures\E9WvQXsXrsDNtnfCo3GbhVYN.exe

"C:\Users\Admin\Pictures\E9WvQXsXrsDNtnfCo3GbhVYN.exe"

C:\Users\Admin\Pictures\uQNLcemucTz3ywfcbGjvXygc.exe

"C:\Users\Admin\Pictures\uQNLcemucTz3ywfcbGjvXygc.exe" /s

C:\Users\Admin\Pictures\6cZteXUK0UMXUjg2bQzKR9km.exe

"C:\Users\Admin\Pictures\6cZteXUK0UMXUjg2bQzKR9km.exe"

C:\Users\Admin\Pictures\uF5dHWcWXvzR144uBSa92WXM.exe

"C:\Users\Admin\Pictures\uF5dHWcWXvzR144uBSa92WXM.exe"

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe

"C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe

"C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\OSuheudKv8fxUHoCeBP0tHkZ.exe

"C:\Users\Admin\Pictures\OSuheudKv8fxUHoCeBP0tHkZ.exe"

C:\Users\Admin\AppData\Local\Temp\7zS5663.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\is-B6S22.tmp\a4nz1VH5LZXjVxKrybyW96oU.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B6S22.tmp\a4nz1VH5LZXjVxKrybyW96oU.tmp" /SL5="$F011A,4692544,832512,C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\AppData\Local\Temp\7zS5C20.tmp\Install.exe

.\Install.exe /jyafdidIl "385118" /S

C:\Users\Admin\Pictures\OSuheudKv8fxUHoCeBP0tHkZ.exe

"C:\Users\Admin\Pictures\OSuheudKv8fxUHoCeBP0tHkZ.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vYMRUVnKzvQEib2fztzH56OW.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vYMRUVnKzvQEib2fztzH56OW.exe" --version

C:\Users\Admin\AppData\Local\Temp\is-7VVV4.tmp\is-LLUAP.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7VVV4.tmp\is-LLUAP.tmp" /SL4 $7021E "C:\Users\Admin\Pictures\0SjvRFPEZRjvppKnSSl6IiOS.exe" 2490977 52224

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.56 --initial-client-data=0x2c4,0x2e8,0x2ec,0x248,0x2f0,0x6bfb3578,0x6bfb3588,0x6bfb3594

C:\Users\Admin\AppData\Local\Temp\is-0HSLA.tmp\is-PML6I.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0HSLA.tmp\is-PML6I.tmp" /SL4 $11005E "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe

"C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2744 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20230915074204" --session-guid=bbceb0ad-9785-4977-a159-2d96c83b0d08 --server-tracking-blob=... --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A005000000000000

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.56 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2c0,0x2fc,0x6a193578,0x6a193588,0x6a193594

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9560116549.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Program Files (x86)\OSHMount\OSHMount.exe

"C:\Program Files (x86)\OSHMount\OSHMount.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\11F8.exe

"C:\Users\Admin\AppData\Local\Temp\11F8.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Users\Admin\AppData\Local\Temp\11F8.exe

"C:\Users\Admin\AppData\Local\Temp\11F8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\is-0UBDN.tmp\_isetup\_setup64.tmp

helper 105 0x450

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5396 -ip 5396

C:\Program Files (x86)\OSHMount\OSHMount.exe

"C:\Program Files (x86)\OSHMount\OSHMount.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 25

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 25

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 568
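Several of the command lines above are detection-worthy on their own: the Defender exclusions added through Add-MpPreference (first for one dropped file, then for the whole user profile and Program Files), the icacls deny-Everyone on a GUID-named folder under AppData\Local, the --Admin IsNotAutoStart IsNotTask re-launch, the silent regsvr32 of a DLL from %TEMP%, and the run of argument-less .NET framework utilities (Microsoft.Workflow.Compiler, RegAsm, AppLaunch and the rest) that only make sense as injection targets. The rules below are an added example written for this page rather than the sandbox's signatures; the EVENTS list is a constructed sample copied from the process list above and the ATT&CK mapping is my own.

```python
"""Command-line detections for the process tree above.

Added example written for this page; the rules are mine and not the sandbox
vendor's signatures. EVENTS is a constructed sample copied from the process
list, and the ATT&CK ids are my mapping, not the report's.
"""
import re
from collections import Counter
from dataclasses import dataclass

EVENTS = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\16CD.exe" -Force',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'icacls "C:\Users\Admin\AppData\Local\c0b3e6e4-f019-4e6f-87bc-aa20fcae0b11" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\14C8.exe" --Admin IsNotAutoStart IsNotTask',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1370.dll',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"schtasks" /Query /TN "DigitalPulseUpdateTask"',
    r'"C:\Windows\system32\net.exe" helpmsg 8',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 568',
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK id (my mapping)
    pattern: re.Pattern


RULES = [
    # Defender exclusion added from the command line, for one file or whole trees.
    Rule("defender_exclusion", "T1562.001",
         re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I)),
    # Djvu locks its GUID-named working folder by denying Everyone (S-1-1-0)
    # delete and delete-child rights, inherited to everything below it.
    Rule("djvu_acl_deny", "T1222.001",
         re.compile(r'icacls\s+"[^"]*\\AppData\\Local\\[^"\\]+"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)),
    # Djvu re-launches itself with these exact flags after elevation.
    Rule("djvu_admin_flag", "T1548.002",
         re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask\b", re.I)),
    # Silent regsvr32 of a DLL dropped in %TEMP%.
    Rule("regsvr32_temp_dll", "T1218.010",
         re.compile(r"regsvr32(?:\.exe)?\s+/s\s+\S*\\Temp\\\S+\.dll", re.I)),
    # .NET framework utilities launched with no arguments at all: classic
    # process-hollowing hosts, and meaningless as legitimate invocations.
    Rule("dotnet_lolbin_no_args", "T1055.012",
         re.compile(r'^"?C:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\'
                    r'(?:RegAsm|AppLaunch|CasPol|AddInUtil|DataSvcUtil|aspnet_compiler|Microsoft\.Workflow\.Compiler)\.exe"?\s*$',
                    re.I)),
]


def scan_event(cmdline: str) -> list:
    """Names of every rule that fires on a single command line."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan(events) -> list:
    """(rule, technique, command line) for every hit across the feed."""
    return [(r.name, r.technique, e) for e in events for r in RULES if r.pattern.search(e)]


def summarize(events) -> dict:
    """Hit count per rule, zeros included, so a silent rule is visible."""
    counts = Counter(name for name, _, _ in scan(events))
    return {r.name: counts.get(r.name, 0) for r in RULES}


if __name__ == "__main__":
    for name, technique, cmd in scan(EVENTS):
        print(f"[{name} {technique}] {cmd}")
```

Against a live EDR feed the same regexes would run over the CommandLine field of process-creation events. The argument-less .NET rule is the noisiest of the five and is best paired with a parent-process condition (here the parent is a file in %TEMP%), since legitimate launches of these tools almost always carry arguments; the other four are specific enough to alert on alone.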

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 104.21.93.225:443 flyawayaero.net tcp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
NL 13.227.219.83:443 downloads.digitalpulsedata.com tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 jetpackdelivery.net udp
US 188.114.96.0:80 jetpackdelivery.net tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 225.93.21.104.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 new.drivelikea.com udp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 188.114.96.0:443 new.drivelikea.com tcp
US 8.8.8.8:53 lycheepanel.info udp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
US 8.8.8.8:53 galandskiyher3.com udp
US 8.8.8.8:53 83.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
NL 194.169.175.127:80 galandskiyher3.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 104.21.32.208:443 lycheepanel.info tcp
NL 185.26.182.111:80 net.geo.opera.com tcp
NL 185.26.182.111:443 net.geo.opera.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 www.ccee.org.pe udp
DE 148.251.234.93:443 tcp
US 192.185.161.46:443 www.ccee.org.pe tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 d062.userscloud.net udp
DE 168.119.140.62:443 d062.userscloud.net tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 111.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 46.161.185.192.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 43.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
RU 5.42.64.10:80 5.42.64.10 tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
TR 194.55.224.41:80 194.55.224.41 tcp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 41.224.55.194.in-addr.arpa udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.76.174.118:80 tr.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 int.down.360safe.com udp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 116.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 18.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 9.60.156.108.in-addr.arpa udp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
RU 5.42.64.10:80 5.42.64.10 tcp
US 8.8.8.8:53 sd.p.360safe.com udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
NL 52.222.137.111:80 sd.p.360safe.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
NL 108.156.60.43:80 int.down.360safe.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
US 8.8.8.8:53 script.google.com udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
DE 172.217.23.206:80 script.google.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.116:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.9:80 int.down.360safe.com tcp
NL 108.156.60.43:80 int.down.360safe.com tcp
NL 108.156.60.18:80 int.down.360safe.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
DE 172.217.23.206:443 script.google.com tcp
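
The Network listing above and the Files listing that follows are raw event records, not a de-duplicated indicator set. Two things are easy to misread: a query such as 173.10.59.146.in-addr.arpa is the reverse (PTR) lookup of an address that was contacted (146.59.10.173), not a domain the sample resolved, and a path that appears with more than one hash set (a4nz1VH5LZXjVxKrybyW96oU.exe, 0E7jVh4nDF9gF20x7AxBb2cc.exe, 7zS5663.tmp\Install.exe) was written more than once with different content, so each hash is a separate indicator while verbatim repeats of the same path and hashes add nothing. The parser below is an added example, not part of this report or of the sandbox's own tooling. Its input is a constructed excerpt of lines copied from this page with the blank separator lines removed, and the line grammar it assumes (country code, ip:port, optional hostname, protocol; a path line followed by MD5/SHA1/SHA256/SHA512 lines) is inferred from the listing here rather than taken from a published format specification.

```python
"""Parse a Triage-style report excerpt (Network and Files listings) into IOCs."""
import re
from collections import defaultdict

# Constructed sample: lines copied from this report, blank separator lines removed.
SAMPLE = r"""
US 8.8.8.8:53 int.down.360safe.com udp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
N/A 224.0.0.251:5353 udp
Files
memory/568-0-0x0000000000720000-0x0000000000735000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\14C8.exe
MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72
C:\Users\Admin\AppData\Local\Temp\14C8.exe
MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72
C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe
MD5 667cde8996e28d091ebd19e5ef999314
SHA1 ec70a1ee32d5e70580d97ac466c758b1bcd18f86
SHA256 4fa0adb39c322e2f607f086edbefdc38ca831c2b446518dfb4e81f2e81fe62a9
SHA512 179b460d61b5e0e888ee1bfe3cbd4642653a25b747d58454d70f87a2e32578ad312748dbef1bbef2ab4634187a227ca1de526299b34ec631d257f114a38bff43
C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe
MD5 e8e746f08e4da216e660fd7bb7276e13
SHA1 91a7de7c7534a3a84a2f656e72afa9bb8b718b38
SHA256 93732243ad985e5d087ed0f589f7c09cb0dd0f5df2b89cca4cce7941420d99fd
SHA512 e45fd745030c96280ff71c30ec55e184b5084fa903056bcae7a28a25476a483b25b76a44f0517cd1a29cc8a5b62ae5e49798ca7ef5340bc5f72e40d678fc655e
"""

# Line grammar assumed from the listing: "<CC|N/A> <ip>:<port> [<host>] <tcp|udp>".
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A) (?P<ip>[0-9.]+):(?P<port>\d+)(?: (?P<host>\S+))? (?P<proto>tcp|udp)$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


def ptr_to_ip(name):
    """'173.10.59.146.in-addr.arpa' -> '146.59.10.173', the address that was contacted."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def parse_network(text):
    """Classify each line as a forward DNS query, a PTR (reverse) lookup, or a connection."""
    records = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        host = rec["host"] or ""
        if rec["port"] == "53" and rec["proto"] == "udp":
            rec["kind"] = "ptr" if host.endswith(".in-addr.arpa") else "dns"
            if rec["kind"] == "ptr":
                rec["ptr_ip"] = ptr_to_ip(host)  # recover the IP instead of keeping the PTR name
        else:
            rec["kind"] = "conn"
        records.append(rec)
    return records


def connection_targets(records):
    """Distinct ip:port targets actually connected to, with hit counts and the name used."""
    counts = defaultdict(int)
    for r in records:
        if r["kind"] == "conn":
            counts[(f"{r['ip']}:{r['port']}", r["host"] or "-")] += 1
    return dict(counts)


def parse_files(text):
    """Collect dropped-file entries (path line followed by hash lines) and memory-dump names."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if MEM_RE.match(line):
            dumps.append(line)
            current = None
        elif line.startswith("C:\\"):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif current is not None and (m := HASH_RE.match(line)):
            current["hashes"][m.group(1)] = m.group(2)
    return files, dumps


def dedupe_files(files):
    """Drop verbatim repeats but keep a path re-written with different content.

    Returns (unique_entries, {path: [sha256, ...]} for paths seen with >1 distinct hash).
    """
    seen, unique, by_path = set(), [], defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        by_path[f["path"]].add(sha)
        if (f["path"], sha) not in seen:
            seen.add((f["path"], sha))
            unique.append(f)
    multi = {p: sorted(h) for p, h in by_path.items() if len(h) > 1}
    return unique, multi
```

On the constructed excerpt this yields one forward DNS query, one PTR lookup resolved back to 146.59.10.173, four connections (the mDNS multicast to 224.0.0.251:5353 included, so filter that out before blocking), and three unique file indicators from four entries, with a4nz1VH5LZXjVxKrybyW96oU.exe flagged as having two distinct contents.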

Files

memory/568-0-0x0000000000720000-0x0000000000735000-memory.dmp

memory/568-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/568-2-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3152-3-0x00000000027F0000-0x0000000002806000-memory.dmp

memory/568-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/568-7-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/568-8-0x0000000000720000-0x0000000000735000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11F8.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2972-18-0x00000000041B0000-0x0000000004244000-memory.dmp

memory/3464-22-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1370.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/3464-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2972-20-0x0000000004390000-0x00000000044AB000-memory.dmp

memory/3464-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14C8.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3464-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2440-31-0x0000000002360000-0x0000000002366000-memory.dmp

memory/2440-32-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/3384-39-0x0000000004260000-0x00000000042FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16CD.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

memory/1928-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3384-40-0x00000000043B0000-0x00000000044CB000-memory.dmp

memory/1928-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1928-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/412-45-0x0000000000B40000-0x0000000000BC0000-memory.dmp

memory/1928-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/412-46-0x00000000731C0000-0x0000000073970000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 81cd1c91e0bb7275813bd9fbb1eb42e9
SHA1 df670cc5923ee20895b988b9ef630829c3d91337
SHA256 70d15a9cb8b72a48c0dff90910d52634d6c5ada5e68027857d83735c040a28ee
SHA512 5e750bc42b32d2fe37c60e50abd054eebfdbb5714e0956913c93525c6a33045561f363cb25541b0f01f5f105e42dd11b4267afbef9eb301010509424a5bd631e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

memory/412-55-0x0000000005B00000-0x00000000060A4000-memory.dmp

memory/412-57-0x0000000005650000-0x00000000056EC000-memory.dmp

memory/412-60-0x0000000005440000-0x00000000054D2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 0ca49252c75f88e0eab0967df494938c
SHA1 26fedcdb8453183c3f3e5e1376bfe4250c854584
SHA256 51a1984b353dafab7855eccb47991939444f6fbd2921b2a92a0925338a3d48b2
SHA512 4dd6a172e9529f4f0c6c05c7cc55ee7fb82fcd8cbdc3d6e838b57e6614c0026d6c734e06f0bbb39481067aa0b0852d8ca295e6518f11b01be4f545e18bc691f1

memory/412-66-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

memory/412-73-0x0000000002ED0000-0x0000000002EDA000-memory.dmp

memory/2440-75-0x00000000027A0000-0x00000000028A8000-memory.dmp

memory/412-76-0x0000000005520000-0x000000000553A000-memory.dmp

memory/412-74-0x00000000057E0000-0x0000000005840000-memory.dmp

memory/1928-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3464-84-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\269D.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/2328-88-0x0000000004150000-0x00000000041EE000-memory.dmp

memory/3688-87-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/2440-92-0x00000000028B0000-0x000000000299D000-memory.dmp

memory/412-101-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/2440-105-0x00000000028B0000-0x000000000299D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B80.exe

MD5 1204530e0653c9cf735e6a9a18fb3f87
SHA1 cde47279468553f8bf473ca0451994c288e27b8e
SHA256 b92ebb1dbabaa4779882176f863daeccab4bf271a043975bb1dfaa237ab3c285
SHA512 abe4ded3ccfdd6c43229397c51f8521783d1c689b4890e69359f4bf63dd368cd2f2e5738e9eb056415d407cce72f6506463c39066663b150fef1dd880c419537

memory/2948-111-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/2948-115-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D75.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2948-122-0x00000000055A0000-0x0000000005BC8000-memory.dmp

memory/4032-124-0x0000000002700000-0x0000000002709000-memory.dmp

memory/4032-121-0x0000000002860000-0x0000000002960000-memory.dmp

memory/2948-107-0x0000000004F30000-0x0000000004F66000-memory.dmp

memory/4296-106-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-103-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/548-99-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/4296-98-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4296-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/548-90-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/3688-86-0x0000000000C70000-0x0000000001304000-memory.dmp

memory/2440-147-0x00000000028B0000-0x000000000299D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/4032-141-0x0000000000400000-0x00000000025A6000-memory.dmp

memory/4968-151-0x00007FF62A680000-0x00007FF62A722000-memory.dmp

memory/5104-156-0x0000000002750000-0x0000000002850000-memory.dmp

memory/2152-194-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/3688-197-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/2948-196-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/2948-188-0x0000000005F10000-0x0000000005F76000-memory.dmp

memory/2152-183-0x0000000000370000-0x00000000004E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1480-180-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5104-178-0x00000000025E0000-0x00000000025E9000-memory.dmp

memory/1480-176-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2948-167-0x0000000005D50000-0x0000000005D72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lf143iku.55q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3152-198-0x0000000002990000-0x00000000029A6000-memory.dmp

memory/4720-201-0x0000000004670000-0x0000000004A75000-memory.dmp

memory/3052-204-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2948-205-0x00000000060C0000-0x0000000006414000-memory.dmp

memory/4720-208-0x0000000004A80000-0x000000000536B000-memory.dmp

memory/3052-220-0x00000000056C0000-0x00000000056C6000-memory.dmp

C:\Users\Admin\Pictures\uF5dHWcWXvzR144uBSa92WXM.exe

MD5 c07cde9cdad817a2175c3c9c53b352ad
SHA1 55b560ef669d490d6c658d9184c4caf8622aa5be
SHA256 eeef234981c35cfa85296fcb22bf0f70306ad54e80f1d40b8e04e1b7301e3dc5
SHA512 da3c83cf5524f0894667cfc5ab608587e65fca825f3db36f6f8e76fb1d0c8f202db7c7deb04fcb513df908cdf58db0f87ff4dcf1ed29134bda3d81528d03b5ad

memory/4032-219-0x0000000000400000-0x00000000025A6000-memory.dmp

C:\Users\Admin\Pictures\6cZteXUK0UMXUjg2bQzKR9km.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\vYMRUVnKzvQEib2fztzH56OW.exe

MD5 3f833b8f344f9ffbb5a05a696e5fc4ae
SHA1 1665b93fb3b2b81a0abd52d6a82ee53418fce5ef
SHA256 71007775b34fad888b1637a6e3430c63b399881347e28577e68956211450f581
SHA512 8eed02396bf7156c5a23e5539b90c151037132359e597cfcdcdeb47e6fd886d985bfb6f0a1f3d5e9d13cecd77c949ef483300e9e8e85dd2dc3e1f6282493c9a8

C:\Users\Admin\Pictures\E9WvQXsXrsDNtnfCo3GbhVYN.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

C:\Users\Admin\Pictures\0SjvRFPEZRjvppKnSSl6IiOS.exe

MD5 9040326030daa5a9b5997e7769866763
SHA1 2c4f9cde7b1bc58e6c465bc8e5452f9c8660b1a1
SHA256 55cb1824e50b3a62a7e0cc6861cf4c62396d081054d39428f27afd89a7753bd0
SHA512 0f70c3e85c7712692d9d8bd35eb59f053acfc91e275f15b45bfc64b0d14a4ab212ec811bbbcae69e7f54bedcbb915f1958e1fa40e5c3f54fbb0d39faa9184a7b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\Pictures\6CobDJtI9FngexZsSo8Qy3lu.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4720-227-0x0000000000400000-0x0000000002985000-memory.dmp

memory/212-290-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe

MD5 667cde8996e28d091ebd19e5ef999314
SHA1 ec70a1ee32d5e70580d97ac466c758b1bcd18f86
SHA256 4fa0adb39c322e2f607f086edbefdc38ca831c2b446518dfb4e81f2e81fe62a9
SHA512 179b460d61b5e0e888ee1bfe3cbd4642653a25b747d58454d70f87a2e32578ad312748dbef1bbef2ab4634187a227ca1de526299b34ec631d257f114a38bff43

memory/4420-312-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150741515582744.dll

MD5 81bddbe346c69597a522fc70d5c24e45
SHA1 7da630128951ae850745d6cba4cfaac13e755335
SHA256 f2ca6bf722bd74011587e7a7aa0ef88a032ab4410613cd14be68ddff9bda16a9
SHA512 90c1f3a0678225e308181bc249db4a21c2e946461012491934e3a903b7773bd040cbca1cc5439a13479b65bc424f3f6576b7779e566f44a61a770de77d6c5787

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\Pictures\2lhqBIVdst9UFZeYDXJtZOBK.exe

MD5 c40a8a426c5f1b807187a3c5fdc324ed
SHA1 5c0e72d2a722cf1de6a8d92005da2b959189394d
SHA256 2e365d184044216ca9421b666ed302e797dc006118d003fa419a3a36fbc322b8
SHA512 038bf35e9c18162272edec01fb8b68e617f1b72a9f761db7510f1f02ab617dd4804f0d422df0baf3933537ce888792c0d12bf86ecf4a0c4d7f12f79d767c53b9

C:\Users\Admin\AppData\Local\Temp\is-7VVV4.tmp\is-LLUAP.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

memory/2152-390-0x00000000731C0000-0x0000000073970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5663.tmp\Install.exe

MD5 f003feaefaef1243989dd80d9449e075
SHA1 7d97c640dea4a23b8e2244e42a9d74e742e7f678
SHA256 9e4858febc7b7e67e2873ea0f675c475672d2f6a91ee3f840837d36a73ac3e71
SHA512 f398bdf9a48497a4d1bfee51fe11f65079378420d4d3fd9a81629a19661f3cb6e06dffa60c79b1ae6a0f71dd9deedaa161d1d65304c3f3e6bf79e1ced6f43fd7

C:\Users\Admin\AppData\Local\Temp\is-S444O.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2744-421-0x0000000000460000-0x0000000000995000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-77GNJ.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-77GNJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-B6S22.tmp\a4nz1VH5LZXjVxKrybyW96oU.tmp

MD5 5b1d2e9056c5f18324fa9dd4041b5463
SHA1 64a703559e8d67514181f5449a1493ade67227af
SHA256 dda18b38700ca62172ba3bd0d2d3b3b0dd43e91fdb67b2b8e24044046ff17769
SHA512 961183656c2e0ed1f01ec937e01c5023b9aea5a9922aa9170735895a3a1e4bbe2b7de89f16f8c7df231b145975d103a02debf2f24b07daf0b90c341fe070a324

memory/2948-424-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/4720-423-0x0000000000400000-0x0000000002985000-memory.dmp

memory/4160-426-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5663.tmp\Install.exe

MD5 910f38ed8b8f0758fb0c297585d10814
SHA1 0ea7ce69f4e8381bbfdd1815cc1e6af4721ffa3f
SHA256 aa0a45ce39329a11d953b09b4bf9f4b1b3479f58b868125ec0504be9502f44be
SHA512 24c85c98bc815f1cbc67778302a977befc4408640a746388702a7ae09347ea5ae5c8491463b066e9534220855dc330aed633f99b099feb6b42b98108eb3984c8

memory/4420-428-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3052-429-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/212-430-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3052-392-0x00000000057E0000-0x000000000582C000-memory.dmp

memory/1656-387-0x0000000005E30000-0x0000000005FF2000-memory.dmp

memory/3052-380-0x00000000057A0000-0x00000000057DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0HSLA.tmp\is-PML6I.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe

MD5 e8e746f08e4da216e660fd7bb7276e13
SHA1 91a7de7c7534a3a84a2f656e72afa9bb8b718b38
SHA256 93732243ad985e5d087ed0f589f7c09cb0dd0f5df2b89cca4cce7941420d99fd
SHA512 e45fd745030c96280ff71c30ec55e184b5084fa903056bcae7a28a25476a483b25b76a44f0517cd1a29cc8a5b62ae5e49798ca7ef5340bc5f72e40d678fc655e

C:\Users\Admin\Pictures\0E7jVh4nDF9gF20x7AxBb2cc.exe

MD5 8e472adcee4daf173fbda804f618311f
SHA1 e7b899f6f3300c712c27f282f29fcabe238728f6
SHA256 1652493a7d1e3726c4a1657cbd5973a9ff18a8b1b1a820bd6cc6afb16a33333d
SHA512 93d2cbd8f11d7d76807e34404b4a3181cbfc3a2d0c60e7dde3ec501515108720bb912485504f1533ade2ed6de0aebaa2e57f73a459b13827ce3a4b47d4cc996a

C:\Users\Admin\Pictures\0E7jVh4nDF9gF20x7AxBb2cc.exe

MD5 b03c43f90da98699a846ba9b81fcfa24
SHA1 10d7be00fa317b2197ad8be2d988eb8fe9fc3488
SHA256 35101a60d2e5b345b35775ba166793c2f5b2b60665b12c872d853958adff613b
SHA512 a7f6f5eeb1538b3c0808ea912b5e42091e30056b6633f098677041f5bc5c21b783448a8a8ceccb3d781d74b0bbc2c2dcbbf72176c6a040c25ca16fc459106dda

memory/4812-368-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Local\c0b3e6e4-f019-4e6f-87bc-aa20fcae0b11\11F8.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/3052-359-0x0000000005740000-0x0000000005752000-memory.dmp

memory/1656-356-0x0000000000F70000-0x000000000128C000-memory.dmp

memory/4328-355-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\a4nz1VH5LZXjVxKrybyW96oU.exe

MD5 d59acdb742d03cabb2ed23ca55da1a32
SHA1 917c17aacedb3b39282f213fbd61e035947417a7
SHA256 25b68466e8c32d38d059cc75b4fb3df5fe2d824648cc91c1b2fa255f0dd0a79e
SHA512 0346d9009c3c465462470a36803fd6a3e27a34a5c5e9f2edfd29a3e10f29d2ad2abe6b490386f63927ed5db6644740ad7dfbab68f3f07da7ccf5546acfc472c0

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2309150742008624832.dll

MD5 19f42601395e315701a7fe80e13938c6
SHA1 2a1cea58d7cc270100cd33ae56cbb96600fc41ec
SHA256 357bb0bcb38c9389a2d2dc6f0e40f04fee21a8c29b298080a62916efd6ad2fdb
SHA512 b969795474778fec4066371b8a80fe25ed05964499cdd4d66fd42d4561601207002c8a382f7c74edb904a20396474ea7030ff1526daa1c122942bc3e5d1f3c16

memory/3052-345-0x0000000005830000-0x000000000593A000-memory.dmp

C:\Users\Admin\Pictures\OSuheudKv8fxUHoCeBP0tHkZ.exe

MD5 6dd4b757708aaf44fa71635f427679e0
SHA1 a20c23862d8a7f435db303ee4cebadf46d436d9d
SHA256 b952388adb769ae40ea6cffbd9e645e806612df99e573600eae1598a5d79f75c
SHA512 ac5787bb15650fe53b91e214f4a461a91dd0f46e0f081596c2ad0fecb1c0d749d3a3be870a9e177bc0aceb9200945dd7fa423ed0775e09b377c612512c73d296

C:\Users\Admin\Pictures\2lhqBIVdst9UFZeYDXJtZOBK.exe

MD5 375d5f4bbf4f19f45d4d493ffdd06d8a
SHA1 0bf75cf35241671b548ec3d447994b6918405848
SHA256 3523ca6b393ba2e0b2c21c5d69a0f1c8180c3189a2e4fa3cfcd2e16c301e9805
SHA512 f433ded16373a44d6b40a640b6e6a1aebd9fe27258545e05524869ed27d23bf332a49fd9e889426e19a2b2c5d1c28307239140f61853b1aa1cb358f9e620faed

C:\Users\Admin\Pictures\0E7jVh4nDF9gF20x7AxBb2cc.exe

MD5 d82047d71bd5e371a6a370071069f80b
SHA1 d769610b0470fb072a08132f8c5887530bdeae34
SHA256 08c14ad875aa6449199db853ce749352fd712634032735e851988c875e517c82
SHA512 b92d858d3b3b558372a985ff6aaba045a922624ab1679093f7f1f3a0243e2d66b8d77461a00a215d3717be6f03df002f66b4f328b743850a90a6fb4abad13f58

memory/4832-482-0x0000000000DD0000-0x0000000001305000-memory.dmp

memory/3464-495-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4328-509-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2292-548-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 89b007c9955f6084317ed290c87e65a0
SHA1 43bf45e1aa08a264e1ea54cf37138b7cdf52ef95
SHA256 7980c701b8a39002a634271045a65af75b4db3db958a390234b395b0d87ed34c
SHA512 afc874ee3e00aded0abfac7d22c2e65ea379dd89cb284083ba3e4a8a4afb575b3eb5efb05229f1df825d7e9aa115030c43582b6cce058eee4b93312bcfe5e9c3

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 13701b5f47799e064b1ddeb18bce96d9
SHA1 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095
SHA256 a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa
SHA512 c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 4881eb0e1607cfc7dbedc665c4dd36c7
SHA1 b27952f43ad10360b2e5810c029dec0bc932b9c0
SHA256 eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e
SHA512 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a

memory/1172-521-0x0000000010000000-0x0000000010581000-memory.dmp

memory/4160-520-0x0000000000400000-0x0000000000409000-memory.dmp

C:\ProgramData\Video Fetcher\Video Fetcher.exe

MD5 3b0a1e1d069d201168b7458d2ce17541
SHA1 22559e5e4da796f672fe05477acce4a146a722e4
SHA256 13871d6c14f091cd65419c210243f8ca0b0a18da20bd0db2d0cef65f7a4755ce
SHA512 d8d5909c9f94cd67858b1728f7435421d35d1c0513bb6bfcb8c0997d1e5716d7a569a2e406c5ae3d2bf5cb8d65e401c324f3136cbde47572445e1744cc06dccf

memory/4012-515-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/3152-514-0x00000000028D0000-0x00000000028E6000-memory.dmp

memory/4092-517-0x00007FF72B530000-0x00007FF72BA73000-memory.dmp

memory/548-327-0x00000000731C0000-0x0000000073970000-memory.dmp

memory/3052-326-0x0000000005D40000-0x0000000006358000-memory.dmp