Malware Analysis Report

2025-04-14 05:17

Sample ID 230927-t2sqgsde63
Target 5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe
SHA256 5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef
Tags
djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper evasion infostealer loader ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef

Threat Level: Known bad

The file 5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe was found to be: Known bad.

Malicious Activity Summary


Detect Fabookie payload

Glupteba payload

Glupteba

SmokeLoader

Detected Djvu ransomware

Djvu Ransomware

Fabookie

RedLine

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Deletes itself

UPX packed file

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Runs net.exe

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 16:33

Reported

2023-09-27 16:36

Platform

win7-20230831-en

Max time kernel

28s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B97F.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2356 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\B97F.exe C:\Users\Admin\AppData\Local\Temp\B97F.exe
PID 2648 set thread context of 2512 N/A C:\Users\Admin\AppData\Local\Temp\BC3E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BC3E.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 2356 N/A N/A C:\Users\Admin\AppData\Local\Temp\B97F.exe
PID 2356 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\B97F.exe C:\Users\Admin\AppData\Local\Temp\B97F.exe
PID 1428 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC3E.exe
PID 1428 wrote to memory of 2204 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2204 wrote to memory of 2656 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\conhost.exe
PID 1428 wrote to memory of 2544 N/A N/A C:\Users\Admin\AppData\Local\Temp\C1DC.exe
PID 2648 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\BC3E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2648 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\BC3E.exe C:\Windows\SysWOW64\WerFault.exe
PID 1428 wrote to memory of 380 N/A N/A C:\Users\Admin\AppData\Local\Temp\C90D.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe"

C:\Users\Admin\AppData\Local\Temp\B97F.exe

C:\Users\Admin\AppData\Local\Temp\B97F.exe

C:\Users\Admin\AppData\Local\Temp\B97F.exe

C:\Users\Admin\AppData\Local\Temp\B97F.exe

C:\Users\Admin\AppData\Local\Temp\BC3E.exe

C:\Users\Admin\AppData\Local\Temp\BC3E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BFD8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BFD8.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 120

C:\Users\Admin\AppData\Local\Temp\C90D.exe

C:\Users\Admin\AppData\Local\Temp\C90D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4379e296-cf30-44b4-a9da-b376b19f4b91" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

C:\Users\Admin\AppData\Local\Temp\E9D7.exe

C:\Users\Admin\AppData\Local\Temp\E9D7.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\C90D.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

"C:\Users\Admin\AppData\Local\Temp\C1DC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\is-UJA2A.tmp\is-UUKOM.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UJA2A.tmp\is-UUKOM.tmp" /SL4 $8011E "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\B97F.exe

"C:\Users\Admin\AppData\Local\Temp\B97F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\B97F.exe

"C:\Users\Admin\AppData\Local\Temp\B97F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Pictures\fXqAq51rXcsNJ6fUlwSDPhmP.exe

"C:\Users\Admin\Pictures\fXqAq51rXcsNJ6fUlwSDPhmP.exe"

C:\Users\Admin\Pictures\3ds9w7c0DLtCttuvYQN37f3V.exe

"C:\Users\Admin\Pictures\3ds9w7c0DLtCttuvYQN37f3V.exe" --silent --allusers=0

C:\Users\Admin\Pictures\ZpXpBjx8bl8ZPZ2uzDD4wrZO.exe

"C:\Users\Admin\Pictures\ZpXpBjx8bl8ZPZ2uzDD4wrZO.exe" /s

C:\Users\Admin\Pictures\AzIWuBf6UDYyMTSyCcszZvQ9.exe

"C:\Users\Admin\Pictures\AzIWuBf6UDYyMTSyCcszZvQ9.exe"

C:\Users\Admin\Pictures\quXfjEThODk3QFvuYeaSR8mR.exe

"C:\Users\Admin\Pictures\quXfjEThODk3QFvuYeaSR8mR.exe"

C:\Users\Admin\Pictures\3O06ZCDnaAX9EJUVfKqzmQ3j.exe

"C:\Users\Admin\Pictures\3O06ZCDnaAX9EJUVfKqzmQ3j.exe"

C:\Users\Admin\Pictures\OpvefWE2dsSW5FTr20DvRCP3.exe

"C:\Users\Admin\Pictures\OpvefWE2dsSW5FTr20DvRCP3.exe"

C:\Users\Admin\Pictures\429Bhekx4gKyd79O6KdoSMgU.exe

"C:\Users\Admin\Pictures\429Bhekx4gKyd79O6KdoSMgU.exe"

C:\Users\Admin\AppData\Local\Temp\is-SALRI.tmp\is-GL8NU.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SALRI.tmp\is-GL8NU.tmp" /SL4 $5016A "C:\Users\Admin\Pictures\AzIWuBf6UDYyMTSyCcszZvQ9.exe" 2871934 52224

C:\Users\Admin\Pictures\ZzFMwtT2QyHqSQNNuEL0FkaG.exe

"C:\Users\Admin\Pictures\ZzFMwtT2QyHqSQNNuEL0FkaG.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe

"C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe"

C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build3.exe

"C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\Pictures\dVwskRfKYiT9EtzS9uSNsuUy.exe

"C:\Users\Admin\Pictures\dVwskRfKYiT9EtzS9uSNsuUy.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe

"C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSACD3.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSB396.tmp\Install.exe

.\Install.exe /sFIsdidp "385118" /S

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1148039362647945628-15754253832049289166-14072077602140488990163211353-63036744"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230927163519.log C:\Windows\Logs\CBS\CbsPersist_20230927163519.cab

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe" & exit

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ghnNgyNwT" /SC once /ST 01:53:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 27

C:\Program Files (x86)\OSJMount\OSJMount.exe

"C:\Program Files (x86)\OSJMount\OSJMount.exe" -i

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 27

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ghnNgyNwT"

C:\Windows\system32\taskeng.exe

taskeng.exe {D9451116-5AA9-4359-B7D5-831E010FC51E} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Program Files (x86)\OSJMount\OSJMount.exe

"C:\Program Files (x86)\OSJMount\OSJMount.exe" -s

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ghnNgyNwT"

C:\Users\Admin\Pictures\360TS_Setup.exe

"C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.InstallRox.CPI202211 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Program Files (x86)\1695832561_0\360TS_Setup.exe

"C:\Program Files (x86)\1695832561_0\360TS_Setup.exe" /c:WW.InstallRox.CPI202211 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

Network


Files

C:\Users\Admin\AppData\Local\Temp\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2356-18-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/2356-22-0x0000000003F50000-0x000000000406B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2708-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2708-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

\Users\Admin\AppData\Local\Temp\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2356-19-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/2708-30-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

C:\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/2708-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFD8.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

\Users\Admin\AppData\Local\Temp\BFD8.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2656-46-0x0000000010000000-0x00000000102A9000-memory.dmp

memory/2512-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-50-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2512-53-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2656-47-0x00000000001A0000-0x00000000001A6000-memory.dmp

memory/2512-55-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-45-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2512-57-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C90D.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

C:\Users\Admin\AppData\Local\Temp\C90D.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/380-73-0x0000000000B20000-0x0000000000BA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCBD9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2512-83-0x0000000000310000-0x0000000000316000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarD59C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/380-101-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/2408-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/380-108-0x0000000004EF0000-0x0000000004F30000-memory.dmp

memory/2544-106-0x0000000001D60000-0x0000000001E7B000-memory.dmp

memory/2408-110-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2544-103-0x00000000004D0000-0x0000000000562000-memory.dmp

memory/2512-102-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/2408-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2408-114-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\BC3E.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/2708-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/380-117-0x0000000004580000-0x00000000045E0000-memory.dmp

memory/380-120-0x00000000003C0000-0x00000000003DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9D7.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\E9D7.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/2296-126-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2276-127-0x00000000001E0000-0x0000000000874000-memory.dmp

memory/2296-129-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2276-125-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/2296-131-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 f6d1d6365a63416ee865cf1d98b89c6f
SHA1 9307873be54c310d60f737fde6a5af9afa956779
SHA256 109ca39da7e3cae261dbd625c095a76bbed5d4ca9c7886e659ae6f6de2e0093d
SHA512 7a6d8b9fa283e5a93325805e85793e8e4a03226bbfcbf1328faf81f85ed05a35559a7ff33142595fd672b5e5162d22be8ed9366159e8be8b716c44c2932b3a76

memory/2296-136-0x0000000073210000-0x00000000738FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

memory/380-137-0x0000000073210000-0x00000000738FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9fd6f8a28c9e099170ebd7cc2373b0d0
SHA1 03e906f6094e75dd31b1bc61a2bb10e7facad443
SHA256 7308125fa8e7f6a33df657a5fcd9247eeaaed20c3558f24972aa576d72d9cd7f
SHA512 aeb6484063fafd7858e48ec79af47ae8c2b35ddfc87f285277a14fea0c154144153c5f811688d49999b09b6a58a4e5841f181c3ba225bf01810aa0f6c9764bff

memory/2296-138-0x0000000004C30000-0x0000000004C70000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f35d18d12b8628c544ba21a9b268000
SHA1 8791199797b38f58a816d37a1d9aa169f2c2bc07
SHA256 041c75b72cacfef163abad8598734f08967bdc0a2f762aa8e895d51c9df04b07
SHA512 20a603bcd184703f43250ed9217962d4152b87171cdbd86a6febec0755ac6a0262cd8dd7fcfd7f5a8ac3701471fda0936974b492b5c5cb4b89d4156ccad73c25

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1268-160-0x00000000FFD70000-0x00000000FFE12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2080-172-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2512-176-0x0000000073210000-0x00000000738FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2088-189-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2408-191-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2096-188-0x00000000042B0000-0x00000000046A8000-memory.dmp

memory/2656-192-0x0000000002170000-0x000000000226E000-memory.dmp

memory/2088-185-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2096-193-0x00000000042B0000-0x00000000046A8000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2080-171-0x0000000002700000-0x0000000002800000-memory.dmp

memory/2096-198-0x00000000046B0000-0x0000000004F9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2656-201-0x0000000002270000-0x0000000002354000-memory.dmp

\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2196-207-0x00000000008E0000-0x0000000000A54000-memory.dmp

memory/2408-208-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2656-206-0x0000000002270000-0x0000000002354000-memory.dmp

memory/2656-212-0x0000000002270000-0x0000000002354000-memory.dmp

memory/2276-205-0x0000000073210000-0x00000000738FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\C1DC.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/2096-213-0x0000000000400000-0x0000000002985000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2248-223-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\4379e296-cf30-44b4-a9da-b376b19f4b91\B97F.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\is-UJA2A.tmp\is-UUKOM.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-UJA2A.tmp\is-UUKOM.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

\Users\Admin\AppData\Local\Temp\is-UJA2A.tmp\is-UUKOM.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2196-238-0x0000000073210000-0x00000000738FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2284-249-0x00000000709C0000-0x0000000070F6B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 406e049b6a88898822916dd3d589c574
SHA1 2a5b0bb48dd4f7d94301fd33eed0647f8a1a6ddc
SHA256 35d03a891ab4ed2fdbab350c691071b22167ef92d4f7818e56e06f5dd846233b
SHA512 b2b93cba17868ec53ca80fb62b2803da6b84b6472a1cd11543878b23c2c37e39eab42abf5168c8df172e1b12d076dee2bc8adc52b4aed749b7a46af2c8e7ad7a

memory/2248-252-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2284-251-0x00000000709C0000-0x0000000070F6B000-memory.dmp

memory/2296-272-0x0000000073210000-0x00000000738FE000-memory.dmp

memory/2284-279-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/2284-280-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/2512-281-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

memory/2088-283-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1428-282-0x0000000003960000-0x0000000003976000-memory.dmp

memory/2296-312-0x0000000004C30000-0x0000000004C70000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33ee3e40d33eb56281eeae1e07e5de2f
SHA1 eb53c1c78655596b8803b73e21b2e1e07129fbaf
SHA256 6a5a320c4a3900bd3af1366d2871a3405936942bfde4db2995b0177d74ee3c0e
SHA512 729c58aad276821da0647ee1eb38eed8a0e8f158348e2e163bdad120dbc9ac2600be07c75f136e8ac59f838627799a8737d5bf6f4d556dedad67558b0aa65f4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33ee3e40d33eb56281eeae1e07e5de2f
SHA1 eb53c1c78655596b8803b73e21b2e1e07129fbaf
SHA256 6a5a320c4a3900bd3af1366d2871a3405936942bfde4db2995b0177d74ee3c0e
SHA512 729c58aad276821da0647ee1eb38eed8a0e8f158348e2e163bdad120dbc9ac2600be07c75f136e8ac59f838627799a8737d5bf6f4d556dedad67558b0aa65f4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25b352c316e4616f6a86a667472ac453
SHA1 86b3e2a7de9724baddb3f355e654a394099a93fa
SHA256 ed2cc711d08e73d52e184c7ef31a140607117ae57aebeae495bbed679cd4580e
SHA512 faeacdfc59a05ed29e778f954a71217206d1a015a0537359eccc7fe32af03f29fc66049834e21f8ec4d753b1e5c72121c8f9c15f531b52670d58d9c99c247fa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25b352c316e4616f6a86a667472ac453
SHA1 86b3e2a7de9724baddb3f355e654a394099a93fa
SHA256 ed2cc711d08e73d52e184c7ef31a140607117ae57aebeae495bbed679cd4580e
SHA512 faeacdfc59a05ed29e778f954a71217206d1a015a0537359eccc7fe32af03f29fc66049834e21f8ec4d753b1e5c72121c8f9c15f531b52670d58d9c99c247fa5

\Users\Admin\AppData\Local\Temp\is-U8PQL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-U8PQL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-U8PQL.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/2776-402-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/2708-435-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1680-444-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2776-478-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1680-479-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2624-481-0x0000000003700000-0x00000000038F1000-memory.dmp

memory/112-498-0x0000000000C50000-0x0000000000E41000-memory.dmp

memory/112-499-0x0000000000C50000-0x0000000000E41000-memory.dmp

memory/2776-500-0x000000001A540000-0x000000001A5C0000-memory.dmp

memory/112-501-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\Pictures\ZpXpBjx8bl8ZPZ2uzDD4wrZO.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Users\Admin\Pictures\OpvefWE2dsSW5FTr20DvRCP3.exe

MD5 1e3b5ed6d625b4afbb90cbb3184a609d
SHA1 307163ba4ee846eb29aa1388e28b9654f62eb2cd
SHA256 1dbd2e1842f1f005b34ec9aeedbc96379fa53137ba394135ebad1843682dfd15
SHA512 5f0b9c2ae703465f5882605fdfbc4000ae26a57138e53c6a78ed85a60602b0bab5afeb0e59125796dd31b95be4869cd51321f4afb6583d0460b8fdfa260c097b

C:\Users\Admin\Pictures\AzIWuBf6UDYyMTSyCcszZvQ9.exe

MD5 0f9af5ca5f393004291993e41cb854da
SHA1 dc77c435859721b28fb1dc8dca3196df89e9847d
SHA256 acba669274340612bcc2de0c1ef92fa91cfbf47b95ff0dea2d8dae5a6c301e5c
SHA512 23c5c7f7fe388b0b78bc8e88a30dcaf31c64a7fbd92a7c19fd75d73cd65f4e74229feaf5a3fe04b14c6866389c9d73f7c3e968b02537c04dd66997192557ed77

C:\Users\Admin\Pictures\fXqAq51rXcsNJ6fUlwSDPhmP.exe

MD5 234a5b808a50c44fec3da20ef549c5a5
SHA1 c7c9543c217c7870ba824bdffdeb6be2b549dd72
SHA256 c228765aa9bbd10b357be858bf0b43dff7b8767dcf22a0754ec485019b57285a
SHA512 f28874eb8ec94f0273d52c731e37b0bbaf5ea96af9f88ef7de33cd6e5d2b9aef65180c2f04c5956ffaffbf5fe249d1e2a89111d52bbde05088e73c0fcc52dddb

C:\Users\Admin\Pictures\3ds9w7c0DLtCttuvYQN37f3V.exe

MD5 f4529924681747db2dd1ab5bda3a7d24
SHA1 fdb46faee47cfe33d163079c04fbde15fd42a8a4
SHA256 f5e3af92357dc7c2d8cf05aba145f338cb29d9ba50a7cc47093be5fa5b5444d0
SHA512 8ca1ca5f1c48f91daa75110576fdd3af3a0b26c17c09727e408cd024970b689e4cb7e1407b1b4645412cf9c1f96a27899b0fadb76ee4436c57cc235d77d60768

C:\Users\Admin\Pictures\quXfjEThODk3QFvuYeaSR8mR.exe

MD5 67cca2e9c441622b7f07851808cca1f1
SHA1 b153877bfe18d1995d686a227c9d9e5c6f019afe
SHA256 114c0db1450c64efdedfe1de160ca0e042e5f46809d5e6e716a4e18d3e96a7b0
SHA512 da57e13ec5f1d0fea55bcc7b17ecf6eb7aad8e56cd6bbd1d04058b0f35edaa6ed6aa90284e00891ac20ebdd912c9b8e6d1da7e50c96a1f6bf9dfebd2092647fc

memory/2296-539-0x0000000009E90000-0x000000000A3C5000-memory.dmp

C:\Users\Admin\Pictures\429Bhekx4gKyd79O6KdoSMgU.exe

MD5 e9ef33bfe856755c139e4105f3f35d3e
SHA1 82730a1da0be3d9d67680c0bfe50f3c0e24fc36c
SHA256 4be7753578798f812b7554df37d193a31efb2b4157b1322aba403681d75c8eb7
SHA512 b132bcc05d4c0071c8d0ff1a3fa974c4be452c115257dec02f4cfed80b8d7b6e37797749b6b440cf10f22931219e78f59498c3c60450288fce6383cb08f25a45

memory/2096-520-0x00000000042B0000-0x00000000046A8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 33748551bae84bb80aac7db6691f1a7a
SHA1 03a0d05596008624cfe427266f4524a456ccc602
SHA256 7b1d53974fd78fda2e4ca71d6e08dc6ec311b422b28af91d905f087f1b9f982e
SHA512 2df5ac967792529a5bbb9eaab2fb601c9516f6119945ad77feccb4eb4938a73a4541710c365d7724baa95466c0c90d194a5f7e3b0a37c5339215db247dc822ea

memory/2096-542-0x0000000000400000-0x0000000002985000-memory.dmp

memory/1268-543-0x00000000034D0000-0x0000000003641000-memory.dmp

memory/1268-544-0x0000000003650000-0x0000000003781000-memory.dmp

memory/2288-545-0x00000000001F0000-0x0000000000725000-memory.dmp

memory/1136-546-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2096-547-0x00000000046B0000-0x0000000004F9B000-memory.dmp

memory/2284-548-0x00000000709C0000-0x0000000070F6B000-memory.dmp

memory/1052-549-0x00000000FF380000-0x00000000FF437000-memory.dmp

memory/1392-552-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2512-569-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

memory/2284-568-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/2284-567-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/1392-566-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\Pictures\ZzFMwtT2QyHqSQNNuEL0FkaG.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\is-5DA1N.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\369c1671-d9f6-47ee-b9ea-06ad4302b246\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\Pictures\dVwskRfKYiT9EtzS9uSNsuUy.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

C:\ProgramData\09402239926367072783977735

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 13701b5f47799e064b1ddeb18bce96d9
SHA1 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095
SHA256 a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa
SHA512 c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 4881eb0e1607cfc7dbedc665c4dd36c7
SHA1 b27952f43ad10360b2e5810c029dec0bc932b9c0
SHA256 eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e
SHA512 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a

C:\Users\Admin\Pictures\360TS_Setup.exe

MD5 8bbe15baea3c8bf99c92dece24231d92
SHA1 dd42cfc7417ca99c890ff5373296ed6c9f4f3734
SHA256 a4d1bba4bf604f46a79039d25833d6c12e1191653917063790e28b3c0a7e36f5
SHA512 cde5187559ec9c6cc71ddd25aa0457da085fb6409a716dc38e192acde007f252472ab1b2bea011387fd22cd8b983a1c04392610642a8a5f90c66326b0d6f62e5

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\1695832548_00000000_base\360base.dll

MD5 8c42fc725106cf8276e625b4f97861bc
SHA1 9c4140730cb031c29fc63e17e1504693d0f21c13
SHA256 d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22
SHA512 f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-27 16:33

Reported

2023-09-27 16:36

Platform

win10v2004-20230915-en

Max time kernel

37s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0FC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D216.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D216.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0FC.exe
PID 1084 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0FC.exe
PID 1084 wrote to memory of 3588 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0FC.exe
PID 1084 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\D216.exe
PID 1084 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\D216.exe
PID 1084 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\D216.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe

"C:\Users\Admin\AppData\Local\Temp\5aecfd145020845cb448e25cc896ce62b5359c01d1ebd68cfedb7385374a9cef_JC.exe"

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D4C7.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D4C7.dll

C:\Users\Admin\AppData\Local\Temp\D610.exe

C:\Users\Admin\AppData\Local\Temp\D610.exe

C:\Users\Admin\AppData\Local\Temp\D91E.exe

C:\Users\Admin\AppData\Local\Temp\D91E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 148

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D91E.exe" -Force

C:\Users\Admin\AppData\Local\Temp\ED73.exe

C:\Users\Admin\AppData\Local\Temp\ED73.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7e65c0b3-9a46-4cbb-964c-aff2b2449e50" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 172.67.216.81:443 flyawayaero.net tcp
NL 13.227.219.74:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 potatogoose.com udp
US 172.67.180.173:443 potatogoose.com tcp
US 8.8.8.8:53 ji.alie3ksgbb.com udp
US 188.114.97.0:80 ji.alie3ksgbb.com tcp
US 8.8.8.8:53 jetpackdelivery.net udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
RU 5.42.64.10:80 5.42.64.10 tcp
US 188.114.96.0:443 jetpackdelivery.net tcp
US 8.8.8.8:53 new.drivelikea.com udp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 188.114.96.0:443 new.drivelikea.com tcp
US 8.8.8.8:53 lycheepanel.info udp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
US 8.8.8.8:53 74.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 10.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 galandskiyher3.com udp
US 172.67.187.122:443 lycheepanel.info tcp
NL 194.169.175.127:80 galandskiyher3.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 85.217.144.143:80 85.217.144.143 tcp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 122.187.67.172.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 www.ccee.org.pe udp

Files

memory/4168-1-0x00000000025A0000-0x00000000026A0000-memory.dmp

memory/4168-2-0x0000000000400000-0x0000000002599000-memory.dmp

memory/4168-3-0x0000000002720000-0x0000000002729000-memory.dmp

memory/1084-4-0x0000000000F30000-0x0000000000F46000-memory.dmp

memory/4168-5-0x0000000000400000-0x0000000002599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/3588-19-0x00000000026C0000-0x000000000275C000-memory.dmp

memory/3588-20-0x00000000043D0000-0x00000000044EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 91bcd7b719ed166914dccdca25b28e14
SHA1 2cc7758c97bbe851cadcdbd6a3158358b690d97f
SHA256 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b
SHA512 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0

memory/3568-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3568-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4C7.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

memory/3568-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0FC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\D4C7.dll

MD5 1ab6c1d7f480fa84080c5ea04328841c
SHA1 4e98a73776cdb17fcbef5d3c24c2c809443317e0
SHA256 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f
SHA512 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2

C:\Users\Admin\AppData\Local\Temp\D610.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

C:\Users\Admin\AppData\Local\Temp\D610.exe

MD5 e38e0c7603b34e1d6612412537f9ad60
SHA1 a5c64ee337b723f270912031d6b39a16e118b55b
SHA256 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc
SHA512 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c

memory/3568-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2812-36-0x0000000010000000-0x00000000102A9000-memory.dmp

memory/2812-35-0x0000000000680000-0x0000000000686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D91E.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

C:\Users\Admin\AppData\Local\Temp\D91E.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

memory/1420-42-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4860-43-0x00000000009B0000-0x0000000000A30000-memory.dmp

memory/1420-44-0x0000000001450000-0x0000000001456000-memory.dmp

memory/4860-45-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/1420-46-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/4860-47-0x0000000005970000-0x0000000005F14000-memory.dmp

memory/4860-48-0x00000000054C0000-0x000000000555C000-memory.dmp

memory/4860-50-0x0000000005300000-0x0000000005392000-memory.dmp

memory/1420-49-0x0000000005960000-0x0000000005F78000-memory.dmp

memory/1420-51-0x0000000005450000-0x000000000555A000-memory.dmp

memory/1420-52-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

memory/1420-53-0x0000000001440000-0x0000000001450000-memory.dmp

memory/1420-56-0x0000000005380000-0x00000000053BC000-memory.dmp

memory/4860-54-0x0000000005280000-0x000000000528A000-memory.dmp

memory/1420-58-0x00000000053C0000-0x000000000540C000-memory.dmp

memory/4860-60-0x00000000052D0000-0x00000000052EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

MD5 083793ec321325c2bc31cee060bcff96
SHA1 5e2a887a2f6baa0d7b4c4593842ef521a5edfbb1
SHA256 8d9ed22f1ac5a492c312aeb9f855b4462471ee00675e2273febe34848afb68fb
SHA512 8217f8439ca0807ee8026b8829dfe4992491f3d5166e19d083d15ef2b198e440759044a1e5b588a9d4c75a560976320c34e833cc93a603bff46fd5949e9cab6a

memory/452-64-0x0000000000550000-0x0000000000BE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

MD5 0bdb748aa6ae1888a18513d6083f0124
SHA1 b97696e19c0b75859bf714eb78e0b8863093bd18
SHA256 75f6b7cbc10acc63c668ff660e68d1c7536a448d98ba68d50200a726164e2d52
SHA512 90b9ffd5556c53124c20c7f095572d17f78669e64eaf0aa88a57e3b7d9821a4d2de8bb0cc55dd3f7c7abe1aad85883edb1d4ee88c5104d6977561e2a9d466582

memory/4860-57-0x0000000005560000-0x00000000055C0000-memory.dmp

memory/4860-55-0x0000000005630000-0x0000000005640000-memory.dmp

memory/452-65-0x0000000073370000-0x0000000073B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\ED73.exe

MD5 31e61f5e2d57703e891b78c029c2a59d
SHA1 193e4e0c9ffdd2ba4caf17ab90dcdffa9134b5e3
SHA256 e31e7dac8306f497a88a1c6c51677a08e5b772f38a903abf7029dc907773ccec
SHA512 2de0a2f77c99ad2e807a9c92ec564833bc959654cc767b70284ff83b45ef1ae40195bb6798e09933296bb7f6f13229958045214eb72908848ccbe97f10cf22ef

C:\Users\Admin\AppData\Local\Temp\ED73.exe

MD5 31e61f5e2d57703e891b78c029c2a59d
SHA1 193e4e0c9ffdd2ba4caf17ab90dcdffa9134b5e3
SHA256 e31e7dac8306f497a88a1c6c51677a08e5b772f38a903abf7029dc907773ccec
SHA512 2de0a2f77c99ad2e807a9c92ec564833bc959654cc767b70284ff83b45ef1ae40195bb6798e09933296bb7f6f13229958045214eb72908848ccbe97f10cf22ef

memory/4112-90-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4112-94-0x0000000073370000-0x0000000073B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4112-99-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/3904-82-0x00007FF6136D0000-0x00007FF613772000-memory.dmp

memory/4860-100-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/1740-102-0x0000000004B60000-0x0000000004B96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9b9222c5fa5999c48a057a906caccb8d
SHA1 4563b048164c82b8a1cd1331a76437a8aa2b476a
SHA256 8ef97d2b6f30533ec11c629b598ec26370af2ea214378e6cbb78a1c5cf266d47
SHA512 35aaab2332e95e6ac838c8cd3c32393a06fad91d31da6a05e1a9d7643b250cd65b9382dce572087c12e55f321ec9f9661ec3d4166dee8d61d71f8d31a100c9d3

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1420-110-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/4928-114-0x0000000002710000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 708c80992386f443a00beac0d104b029
SHA1 67c990f1b6912eac88291c385c5cff24cd7d26ad
SHA256 f75d45b106a46ec75072cc4163baa010d44d59b2406f5219657c5b0ff7fc602f
SHA512 6a15106b2a09228a214870683f908d770b74c494a6db4d34858c61e59abe1a12e9fd253bd1e2c82b2e3bd8f303d8a278be87c578eb60bf9f0c0fe41717f8671f

memory/2780-118-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4928-131-0x0000000002620000-0x0000000002629000-memory.dmp

memory/2780-133-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1740-122-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1740-120-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/1740-117-0x00000000051D0000-0x00000000057F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f12a42ee7c5bb8e81a62074e5dd7b1d5
SHA1 316d288aca6c549ce2e385f884efaf1826833d7a
SHA256 a2c4c6a32de7457b4eac021d3bc8bff232607f050ca0ef1b5686753a1c2ad829
SHA512 09640b2d29a90a354a1ea1278c4a5efd8538c776e6d80e34a9061c4c887be980c4a0f68a64c0b57a818d7e157fbe180a718b303ac13294a3472a061d9732233c

memory/1028-138-0x00000000001D0000-0x0000000000344000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 946f0ad121a1c0831f4d600f6e4ccb02
SHA1 328efac0d9b0835e31ea5f6d717e5a25fb5b7175
SHA256 fa137f453c1d328074c15828e1cb6402e040e29caccf31260f2cdc12063650f4
SHA512 efb74d4b19016b19d73e3d321e23e60da0a611cc6f12c225b54040911b68ae21d34f78f987ed5526d13d73de09b875d32ac1eeab7b0dd3f1ec3450bd067a580e

memory/452-141-0x0000000073370000-0x0000000073B20000-memory.dmp

memory/3568-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1028-140-0x0000000073370000-0x0000000073B20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1740-134-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/4400-144-0x0000000004B70000-0x000000000545B000-memory.dmp

memory/1420-145-0x0000000001440000-0x0000000001450000-memory.dmp

memory/4400-147-0x0000000004760000-0x0000000004B64000-memory.dmp

memory/1740-146-0x0000000005930000-0x0000000005952000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 1842e7f511b23e2ee1e1bf2a1c2b8896
SHA1 bdb39cf76896f67ae7c2c7f99b5afd6669fb547f
SHA256 6ee8c2ed9769d819e523cefa15b88dc864a1caaa3bf31944932c9954a3ee417f
SHA512 c33065520aaf344199116f7007a63ee30b6030db48f2ed8de6013ac8a107e7b1c457147ceebf01d54b93e8b2ff5b7823ac45d5b59cb26901d8dce59cb2b89a8f

memory/1420-157-0x0000000005680000-0x00000000056F6000-memory.dmp

memory/1740-164-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/1740-171-0x0000000005C50000-0x0000000005CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyqa1wtl.eox.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1740-175-0x0000000005CC0000-0x0000000006014000-memory.dmp