Malware Analysis Report

2025-03-15 05:01

Sample ID 231218-wpqfpscagj
Target 6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
SHA256 6f4297025fa48f5f412dd305ba5a03560c1ee83e32e94a461b788c3b42575155
Tags
dcrat djvu redline smokeloader zgrat livetraffic pub1 up3 backdoor discovery infostealer persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f4297025fa48f5f412dd305ba5a03560c1ee83e32e94a461b788c3b42575155

Threat Level: Known bad

The file 6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

RedLine payload

DcRat

Djvu Ransomware

SmokeLoader

ZGRat

Detected Djvu ransomware

Detect ZGRat V1

Downloads MZ/PE file

Loads dropped DLL

Deletes itself

Executes dropped EXE

Modifies file permissions

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 18:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 18:06

Reported

2023-12-18 18:08

Platform

win7-20231129-en

Max time kernel

34s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
(14 hits; no indicator, process or target was recorded for any of them)

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2bafc7d1-384d-438c-b996-9a94b3e2e8b3\\8326.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\916A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe N/A
Only the first of these values is persistence in the ordinary sense: the HKCU Run\SysHelper value relaunches 8326.exe from a GUID-named folder under AppData\Local with --AutoStart at each logon (the same folder the icacls call in the process list below denies Everyone delete rights on). The two RunOnce wextract_cleanupN values, which run rundll32 advpack.dll,DelNodeRunDLL32 against IXP000.TMP and IXP001.TMP, are written by the Windows IExpress self-extractor (wextract) so that its temporary extraction directory is removed at next logon; they show that 916A.exe and YN5ul52.exe are IExpress packages, not that the sample installed a second autorun.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\672C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\672C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\672C.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\8326.exe N/A
Caveat: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates is the store that the Windows automatic root-update mechanism populates when CryptoAPI fetches a missing trusted root while building a TLS chain, so a write here by a process that is making HTTPS connections is frequently that mechanism rather than a deliberately installed root. Decode the Blob value and check the certificate's subject and thumbprint against the Microsoft trusted root list before treating this signature as certificate tampering.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
(62 further hits; no indicator, process or target was recorded for any of them)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\672C.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 2984 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 1248 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 1248 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 1248 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 1248 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 2560 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\672C.exe C:\Users\Admin\AppData\Local\Temp\672C.exe
PID 1248 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 1248 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 1248 wrote to memory of 2616 N/A N/A C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2616 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2616 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1248 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1248 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1248 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1248 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Windows\SysWOW64\icacls.exe
PID 2816 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2816 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2816 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 2816 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1784 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\8326.exe C:\Users\Admin\AppData\Local\Temp\8326.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe
PID 1248 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\916A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Users\Admin\AppData\Local\Temp\672C.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\68B3.bat" "

C:\Users\Admin\AppData\Local\Temp\8326.exe

C:\Users\Admin\AppData\Local\Temp\8326.exe

C:\Users\Admin\AppData\Local\Temp\8326.exe

C:\Users\Admin\AppData\Local\Temp\8326.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2bafc7d1-384d-438c-b996-9a94b3e2e8b3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8326.exe

"C:\Users\Admin\AppData\Local\Temp\8326.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8326.exe

"C:\Users\Admin\AppData\Local\Temp\8326.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:800 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ko673GK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ko673GK.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build2.exe

"C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build2.exe

"C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dE8pB2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dE8pB2.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe

C:\Users\Admin\AppData\Local\Temp\916A.exe

C:\Users\Admin\AppData\Local\Temp\916A.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 2432

C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build3.exe

"C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build3.exe"

C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build3.exe

"C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\22E0.exe

C:\Users\Admin\AppData\Local\Temp\22E0.exe

C:\Users\Admin\AppData\Local\Temp\259F.exe

C:\Users\Admin\AppData\Local\Temp\259F.exe

C:\Users\Admin\AppData\Local\Temp\3E8C.exe

C:\Users\Admin\AppData\Local\Temp\3E8C.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-T0IST.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T0IST.tmp\tuc3.tmp" /SL5="$3061C,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218180725.log C:\Windows\Logs\CBS\CbsPersist_20231218180725.cab

Network


Files


memory/1580-1045-0x0000000000180000-0x000000000018A000-memory.dmp

memory/1580-1047-0x0000000000180000-0x000000000018A000-memory.dmp

memory/3424-1049-0x0000000000020000-0x000000000002A000-memory.dmp

memory/3424-1048-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9aaf84750e5d4974dab1f3b5cfaf0846
SHA1 d7caf8025b9e3a62ea9c1b79fc5ad5c1ad464806
SHA256 75a0206e53ac65d5dfc70627c90f935e3e12e3100296202df51f258f8b3181f8
SHA512 028148d5f33621aa2841859f5ba7e0889b5d716d0f03c501c294d2d01a568f123a48e1b7f31fa1b9dab6fc5f84afe4028c1adafd39778feab3b2b9a865194506

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1YO81LQ9.exe

MD5 14379aa8dd4c2570cef76808effac415
SHA1 af7562cef2ada632e6869ad31b323c1148c0d9ff
SHA256 2db0c36352c727ccc5f9510cd64743ffcf642a4ad1cff406d95558462a02311d
SHA512 88cbeb9285555652e615dedbda3a99826839fdff71892c1a036898f909aaf9c1acf8435104f443e6417f638b2b5d5d5e59c279100bdb6d5092d656576e84309a

\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe

MD5 bd37d943c768f7833bd2d34fb2063182
SHA1 6564ae396f3f49e390708baddf04bd30198d1a4f
SHA256 0391647d53f0aa4f0e2855c37d152a1ef3d7add1529af56c51b842376fbe6a44
SHA512 d5e12ccc625c61d0161aba9e9323421a423942effb9e9f8d94d7fa939422377530d63aea1463898ee05dafea8fa8ec37defcd35d84f8c66f78ec1514b4db3e59

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe

MD5 e2bbf97be0f997b79e3edf58b9a81edc
SHA1 4e25ab42cf9719e651219fcdeef2f3b0cb75256b
SHA256 3c81df55b78c142e3a9fcf08d7c2f31ce95ebb2ae1b7e2f0ba5d7cf723c6047e
SHA512 b6ae278f67324e085df7ca0fc3ab3758f5d76fe8fdb5982c7775ed72c8b5609d4c1708e7a1fe7d76717def932bff38e2909384a573228cbcae72797650dd719c

\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN5ul52.exe

MD5 2b226c0b7e8b1dacb38438a51de1e060
SHA1 4b7361cff6d3daae902a4bb5274b9810c9883b82
SHA256 eee83577a1ef157d58f5319371c374f27f506420d9a15b1340e1ca3f2ab731fe
SHA512 63b7f7d7460aa6b5fa56fc634284193f64c33bbbc90c0d01dc35d0042f2fea6e92ce86dc58056ce470cdd179a71daa776e688d0301e5cfafb06699b947ca31b6

C:\Users\Admin\AppData\Local\Temp\916A.exe

MD5 126d9a48f7f8d98a7dd64cba33dfd4ef
SHA1 d5a4b96ff9ccb7211c08c55e49895ff81a9972d7
SHA256 8894d9fa48f4ed7ca8f4a204a9ccca537a4fb06a86030dadb2787488e5ebe352
SHA512 9a7d52b4df620356448646c3142f6dfb730fd0428948db11cb278845eeb31899d1c8a1212d050f7de2ef7b8e9ed29b1f39d7cb32a040e691612847137c9a18f3

memory/3040-136-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\favicon[1].ico

MD5 b2ccd167c908a44e1dd69df79382286a
SHA1 d9349f1bdcf3c1556cd77ae1f0029475596342aa
SHA256 19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec
SHA512 a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

memory/1248-1312-0x0000000003DC0000-0x0000000003DD6000-memory.dmp

memory/3424-1313-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 7d4b3ed900662ceea56f9a3967f12196
SHA1 fd708295f939848999424e437eb9edf8ba9fdcc5
SHA256 c51e0fb416dee40103e27825975516e173adada513f8d94daf076bf32ba7aff7
SHA512 b6562021ffe0b76ea5cd5acb92d0803c41b16e00678cf3012f603b2e9702fa0c2e52fc9169e87aa9be984934e14858082c3732fa5279139c4566f4e7f427519c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1801f4156e3f8447d0a369f758fdfa40
SHA1 24bf82a74b89e6351794a1f17e5d3629da9c50cb
SHA256 3ac403d5de7ef0dd51940e5f4a5e6e9875b761123492c087c9e504f3288fbfc3
SHA512 c56d2052073cb716f28e85e7a899e0a2aa6514f40cb99ad6852503562ec4b004e88e1097cce5623c6b043e95d15a15e93e7458a93d1dab724896ae197db83901

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 945fc6893ed8e756298fea38f9c10af4
SHA1 53e28ebd00aa6ce1acbda45d13b6750846150c13
SHA256 fb8575a4e8a88caa0124c76359ccde9b05dcc1c8c01eaa92406374874c55c167
SHA512 070d352ae39f82f0bdfd5c54b863b70d17d743fead63785cfbb19565190c16869a1b029230c736318075f2620bbbc96f846b41e2686f14fd41c43084fc56dd0a

memory/3452-1473-0x0000000000400000-0x00000000004CE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 937a44d09a4ab643dba59e179b301883
SHA1 0a714f4da61196b48045d0ebaca3a5d94d58fa22
SHA256 41d05f79e0e1fd2b9803fdad411b3c8d8456f14b536d33eb81358b3a845627b0
SHA512 4e60e4dca7aa7e3bfde1d763f67da08846b75e7181c20cdcd1bfeb93461fba0455438c84c5441fa1df17dc9c87728fa0b3eab4ed2b892b0db89df67727b91397

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\n7bgnbu\imagestore.dat

MD5 03bf2a14f2b5665739efd629e590622b
SHA1 70ce65104dd797fd2364af77d855ab2fc2557658
SHA256 30af40ee503f17210c61d300f9efddfacc4591a029d0f8a7fcc1e87545061cad
SHA512 ae067065ec672ce79cbbb9362fc173fdf230dafc4f8b26633a4083e850cbff27f378ff7dc74911692ba9ba5537cc65b24c7c0838cd3fee75f12ca7df7cddb4d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG6ARQ2Q\favicon[1].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQFRL44X\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQFRL44X\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG6ARQ2Q\recaptcha__en[1].js

MD5 37c6af40dd48a63fcc1be84eaaf44f05
SHA1 1d708ace806d9e78a21f2a5f89424372e249f718
SHA256 daf20b4dbc2ee9cc700e99c7be570105ecaf649d9c044adb62a2098cf4662d24
SHA512 a159bf35fc7f6efdbe911b2f24019dca5907db8cf9ba516bf18e3a228009055bcd9b26a3486823d56eacc391a3e0cc4ae917607bd95a3ad2f02676430de03e07

memory/3084-1888-0x000000006DA80000-0x000000006E02B000-memory.dmp

memory/3084-1889-0x0000000002D30000-0x0000000002D70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/3084-2091-0x000000006DA80000-0x000000006E02B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 d55c227b3572ba8548a33d22a80a3a95
SHA1 14b51fc8915ea9277470d14167c0170c2e94ae66
SHA256 475be95ab6c717711b41cfab47e031531aa6f7c4119eb7782f1167778cb91929
SHA512 fbbbee09c191d4919b7ad61f9fc8a3e113241bc3d853d0752bc9ed905cda4ef4bc77e30d7eb89aeebfe83ebeaacc43fcfee61c29e6338ff2942224d9e51523ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 51981838d57f818cd361f29ddd2aa9db
SHA1 b275f0265892c4f097ec1c66cca227939e750784
SHA256 fe952eb51dd79c22b6d71d4000e9abb774f6c7528f448b14052dcdd6808822ec
SHA512 7deff82132f8ba5defac42bca0a379569ef49b0a2f59f57bdc23dcbb05f37656513cda1f8d5088341bb76b8dd5d3fd4e2e3bfa90b29b97d211cc7e766cdd3cfc

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 783cdd62ccfa8805723283ef69c8751d
SHA1 8da2187ea6d2fbd9f28135e31c39724f9e61a4ef
SHA256 fc2aef521bad44e0714c3c8369729c3fdbb4c1dc1db05c3d8ec6d96034e9fee0
SHA512 c852f30bf62dd8d1e91991b23d85177637b8ea37c1875d23525d6e9938353d14329c772503e350fa21b15e8127b020279735fb65ff581d87e182d9bf7f39e95e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\buttons[2].css

MD5 b6e362692c17c1c613dfc67197952242
SHA1 fed8f68cdfdd8bf5c29fb0ebd418f796bc8af2dd
SHA256 151dc1c5196a4ca683f292ae77fa5321f750c495a5c4ffd4888959eb46d9cdc1
SHA512 051e2a484941d9629d03bb82e730c3422bb83fdebe64f9b6029138cd34562aa8525bb8a1ec7971b9596aaca3a97537cc82a4f1a3845b99a32c5a85685f753701

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\shared_global[2].css

MD5 cfe7fa6a2ad194f507186543399b1e39
SHA1 48668b5c4656127dbd62b8b16aa763029128a90c
SHA256 723131aba2cf0edd34a29d63af1d7b4ff515b9a3a3e164b2493026132dd37909
SHA512 5c85bb6404d5be1871b0b2e2d2c9053716354acd69c7acca73d8ce8bf8f21645ae11f788f78ef624444016cb722ecbd6213e771bda36717725f2b60f53688c6b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\shared_responsive[2].css

MD5 2ab2918d06c27cd874de4857d3558626
SHA1 363be3b96ec2d4430f6d578168c68286cb54b465
SHA256 4afb3e37bfdd549cc16ef5321faf3f0a3bf6e84c79fc4408bc6f157280636453
SHA512 3af59e0b16ef9d39c2f1c5ccdbd5c9ea35bd78571fde1b5bf01e51a675d5554e03225a2d7c04ed67e22569e9f43b16788105a0bf591ebba28ef917c961cc59e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 36d2df5595d40440a29253517f423450
SHA1 3080d9b9f31bb8cd6f817a6a0b74b4bc862acc14
SHA256 adc4dcea4086de90f64466911eba0957255342a6cc7eab3d2c5ffd9a9a473ee4
SHA512 4fc408ddd8e5ad146cbb143fde6403df6174fea8ec882426ce62e2e97d1ff048d8fe1eca85a7df4c95f3ec6a9acd3a503f05bfa7509ad7e6db242f6b69c6b7a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4S7YUKH0\tooltip[1].js

MD5 72938851e7c2ef7b63299eba0c6752cb
SHA1 b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e
SHA256 e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661
SHA512 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG6ARQ2Q\shared_responsive_adapter[2].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG6ARQ2Q\shared_global[1].js

MD5 f94199f679db999550a5771140bfad4b
SHA1 10e3647f07ef0b90e64e1863dd8e45976ba160c0
SHA256 26c013d87a0650ece1f28cdc42d7995ad1a57e5681e30c4fd1c3010d995b7548
SHA512 66aef2dda0d8b76b68fd4a90c0c8332d98fe6d23590954a20317b0129a39feb9cd3bd44e0c57e6b309227d912c6c07b399302a5e680615e05269769b7e750036

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\87J22SRD\favicon[1].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 21ab3a8f315efd66f8162f8799d25a90
SHA1 10e8c5d1662e1a6609a26af1fa21aa5042789d34
SHA256 9cc790ae3089129208fed66481443220e4fc4cc2e419bd922c3d519fa588d3f3
SHA512 ffb533dc45a2ad22b3e863b450a2cb6ff7ff984201d47890c018b3515d1b409206ad6f6b977f57b46e0c1c07788112179171e4264c8e3c2e8cd2d87258a9de5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\87J22SRD\styles__ltr[1].css

MD5 eb4bc511f79f7a1573b45f5775b3a99b
SHA1 d910fb51ad7316aa54f055079374574698e74b35
SHA256 7859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050
SHA512 ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7DW40GJV\www.epicgames[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQFRL44X\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

memory/3040-4296-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f57c76aa-adbb-454e-971d-797685568291\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4312-4299-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/4312-4301-0x0000000000220000-0x0000000000224000-memory.dmp

memory/4392-4312-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4456-4311-0x0000000001000000-0x000000000149E000-memory.dmp

memory/4456-4315-0x0000000071380000-0x0000000071A6E000-memory.dmp

memory/4456-4316-0x0000000004E90000-0x0000000004ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259F.exe

MD5 8b5f21585e3f2f4dfa592f016aad5498
SHA1 113acc025afffa189e43415d55d4e47273c8b80f
SHA256 23c0ac3fbfdcd207167c704f343cb00e9be9c510d53abe9dfa1d688d79a66189
SHA512 6b85357c22a331fce70d5af064fd59b552c309061a0e014626569f70867dde316dca24bc27ceb46833d2609e8db409c42f26e03f3e71b8935542d5dde90e6f8a

memory/4596-4327-0x00000000000E0000-0x0000000000132000-memory.dmp

memory/4596-4329-0x0000000071380000-0x0000000071A6E000-memory.dmp

memory/4596-4330-0x0000000005170000-0x00000000051B0000-memory.dmp

memory/4720-4337-0x00000000003D0000-0x00000000011C2000-memory.dmp

memory/4720-4336-0x0000000071380000-0x0000000071A6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 62b01ec4a955eab3a7a41e2c07f18913
SHA1 48d8e1e391fa078d78e2130481f9d35eb45a11ec
SHA256 c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56
SHA512 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56

memory/4796-4358-0x0000000000A30000-0x0000000000B30000-memory.dmp

memory/4796-4364-0x0000000000220000-0x0000000000229000-memory.dmp

memory/4876-4367-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 68678641adb711b83fe6d0839dd90f39
SHA1 f10fae072c96ef84d8e121d844e44f7fb3ed0aed
SHA256 7cd919f00f9101752b70747eb1927420fd98cbf8202d7b0cbf4a3b4cb5dbf80e
SHA512 84358d1813eb0e427839fed4e929153f650edb7ed1f49e2447637e95367ee2040ba87b67a2c463364456b581e84b5429cdccb1e96f03dda445d2d6a3fa8e90b4

memory/4912-4374-0x00000000026B0000-0x0000000002AA8000-memory.dmp

memory/4912-4375-0x0000000002AB0000-0x000000000339B000-memory.dmp

memory/4936-4376-0x0000000000240000-0x0000000000241000-memory.dmp

memory/4456-4382-0x0000000071380000-0x0000000071A6E000-memory.dmp

memory/5028-4385-0x0000000000400000-0x0000000000418000-memory.dmp

memory/4912-4384-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4720-4381-0x0000000071380000-0x0000000071A6E000-memory.dmp

memory/4456-4398-0x0000000004E90000-0x0000000004ED0000-memory.dmp

memory/3592-4399-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst408A.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-18 18:06

Reported 2023-12-18 18:08

Platform win10v2004-20231215-en

Max time kernel 36s

Max time network 56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\179A.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\179A.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\179A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\179A.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3548 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe
PID 3588 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 3588 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 3588 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 3588 wrote to memory of 840 N/A N/A C:\Windows\system32\cmd.exe
PID 3588 wrote to memory of 840 N/A N/A C:\Windows\system32\cmd.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 4348 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\179A.exe C:\Users\Admin\AppData\Local\Temp\179A.exe
PID 840 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 840 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3588 wrote to memory of 4284 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 3588 wrote to memory of 4284 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 3588 wrote to memory of 4284 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe
PID 4284 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\2DA5.exe C:\Users\Admin\AppData\Local\Temp\2DA5.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe

"C:\Users\Admin\AppData\Local\Temp\6F4297025FA48F5F412DD305BA5A03560C1EE83E32E94.exe"

C:\Users\Admin\AppData\Local\Temp\179A.exe

C:\Users\Admin\AppData\Local\Temp\179A.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\18F3.bat" "

C:\Users\Admin\AppData\Local\Temp\179A.exe

C:\Users\Admin\AppData\Local\Temp\179A.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\2DA5.exe

C:\Users\Admin\AppData\Local\Temp\2DA5.exe

C:\Users\Admin\AppData\Local\Temp\2DA5.exe

C:\Users\Admin\AppData\Local\Temp\2DA5.exe

C:\Users\Admin\AppData\Local\Temp\3900.exe

C:\Users\Admin\AppData\Local\Temp\3900.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
MX 187.211.38.89:80 brusuax.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 89.38.211.187.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
RU 212.193.52.24:80 galandskiyher5.com tcp

Files

memory/3548-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/3548-2-0x0000000000980000-0x0000000000989000-memory.dmp

memory/4968-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4968-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4968-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3588-5-0x00000000024D0000-0x00000000024E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\179A.exe

MD5 70220c50bb4d6b5c323ad3322eef8c80
SHA1 f5ac79382662f6f08512ab6c6d702450dae29c52
SHA256 931e4a0e4d35d2023956eb0f158fe6f7729a7b2f7c169f8d593524cb6e5b5363
SHA512 f058538a8728a720a34929892fd7abb15d73cab3c97a89bc1780828c78b0532d08f259a1baaf289aba3bb65d46c65eb9bb7b8998f5dfb47e53c7cf4c925a970c

C:\Users\Admin\AppData\Local\Temp\18F3.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/4840-25-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4348-21-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/4840-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3588-26-0x0000000002970000-0x0000000002986000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2DA5.exe

MD5 13580d89dc01ddfabfa8663ee550abb3
SHA1 6154aaed2f4b3eb571896b8220fe498b45435890
SHA256 66326aafba3afe95e9026a3e0077efbb15ae62c6be2a1fdeac658fea84d962ca
SHA512 2163197274e3746c61e75f7008dac119cadd2dbe96241beeb1de2f3b80af5b8575317fd71fff4223db3a7f64bdf4fde3f506c2ee61f13c41ee5f31657d65ba8d

memory/4284-36-0x0000000000A80000-0x0000000000B17000-memory.dmp

memory/4284-38-0x00000000026A0000-0x00000000027BB000-memory.dmp

memory/3172-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3172-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3172-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3172-42-0x0000000000400000-0x0000000000537000-memory.dmp