Malware Analysis Report

2025-01-02 12:17

Sample ID 240715-eh9sbszcla
Target VmAxisSetup.exe
SHA256 07e659bded3498b1a977eddff446b43651def5c833968aac55873034f1e67eb4
Tags
evasion stealc default discovery execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07e659bded3498b1a977eddff446b43651def5c833968aac55873034f1e67eb4

Threat Level: Known bad

The file VmAxisSetup.exe was found to be: Known bad.

Malicious Activity Summary

evasion stealc default discovery execution spyware stealer

Stealc

Sets file to hidden

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Modifies system certificate store

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 03:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 03:57

Reported

2024-07-15 04:00

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 1596 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp
PID 2184 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1476 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe

"C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MDO8S.tmp\VmAxisSetup.tmp" /SL5="$400F4,4870747,84480,C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c 4554.cmd

C:\Windows\SysWOW64\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"

C:\Windows\SysWOW64\cmd.exe

cmd /c tar xf 85.zip

C:\Windows\SysWOW64\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"

Network

Country Destination Domain Proto
RU 77.91.77.145:80 77.91.77.145 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
GB 23.214.143.155:443 steamcommunity.com tcp
DE 88.198.89.4:80 88.198.89.4 tcp
RU 77.91.77.145:80 77.91.77.145 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 03:57

Reported

2024-07-15 04:00

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

Signatures

Stealc

stealer stealc

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 812 set thread context of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks installed software on the system

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp
PID 2368 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp
PID 2368 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp
PID 1864 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 4640 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 4640 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 4516 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4516 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\av\201\201.exe
PID 4516 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\av\201\201.exe
PID 4516 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\av\201\201.exe
PID 2748 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\av\201\201.exe C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe
PID 2748 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\av\201\201.exe C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe
PID 2748 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\av\201\201.exe C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe
PID 1116 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1116 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1116 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1116 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1116 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 1116 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 4940 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4940 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 220 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 220 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4592 wrote to memory of 220 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1116 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 1116 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 1116 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 2244 wrote to memory of 812 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe
PID 2244 wrote to memory of 812 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe
PID 2244 wrote to memory of 812 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe
PID 812 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 812 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe

"C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q2KQ0.tmp\VmAxisSetup.tmp" /SL5="$90052,4870747,84480,C:\Users\Admin\AppData\Local\Temp\VmAxisSetup.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c 4554.cmd

C:\Windows\SysWOW64\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"

C:\Windows\SysWOW64\cmd.exe

cmd /c tar xf 85.zip

C:\Windows\SysWOW64\tar.exe

tar xf 85.zip

C:\Windows\SysWOW64\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\av\*.*"

C:\Users\Admin\AppData\Local\Temp\av\201\201.exe

".\201\201.exe"

C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe

"C:\Users\Admin\AppData\Local\Temp\ZDA2MjFhMzg0ZmYzMjBjZTVkMmU0ZDZlZTM3MGFiZjA.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network


Files


C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-desktop-ext.jar

MD5 b50e2c75f5f0e1094e997de8a2a2d0ca
SHA1 d789eb689c091536ea6a01764bada387841264cb
SHA256 cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23
SHA512 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-core.jar

MD5 7e5e3d6d352025bd7f093c2d7f9b21ab
SHA1 ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57
SHA256 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a
SHA512 c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-gui-jfoenix-ext.jar

MD5 d093f94c050d5900795de8149cb84817
SHA1 54058dda5c9e66a22074590072c8a48559bba1fb
SHA256 4bec0794a0d69debe2f955bf495ea7c0858ad84cb0d2d549cacb82e70c060cba
SHA512 3faaa415fba5745298981014d0042e8e01850fccaac22f92469765fd8c56b920da877ff3138a629242d9c52e270e7e2ce89e7c69f6902859f48ea0359842e2fb

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-runtime.jar

MD5 d5ef47c915bef65a63d364f5cf7cd467
SHA1 f711f3846e144dddbfb31597c0c165ba8adf8d6b
SHA256 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6
SHA512 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-mail-ext.jar

MD5 405861c5544a92fb345ebca30dcaec2d
SHA1 f8fe5dcb597fff1bf6489f1283a0157be1a313c3
SHA256 fb206af4ddcc568eb1f7b38b7266be683167c95befef797b0965b4533647b17d
SHA512 f1330e5b39a2af8cf378172d9311a50b65aaa7d0c793b354efbcaa3c843bddeffb756a50f1cb9adaf974c3bb3fa6b5ef4b779e1efeeeb1b3946605f47053fe03

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-jsoup-ext.jar

MD5 d963210c02cd1825e967086827da8294
SHA1 26c4d004b5ffdb8f81de2d6b158a3f34819faf01
SHA256 7908145cf17301bedefd6e3af8c93e0320582c0562919ffb56cc21b7fd532b96
SHA512 756c21dc1a02d579f0e2ed39e5bedca5491087cdc28e3e96c8663a493bcfeeeeea44dc40681ec6341426dfa995883dbce11b76d1f921e043ae220399a9e554fb

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-json-ext.jar

MD5 fde38932b12fc063451af6613d4470cc
SHA1 bc08c114681a3afc05fb8c0470776c3eae2eefeb
SHA256 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830
SHA512 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\ext\jfxrt.jar

MD5 042b3675517d6a637b95014523b1fd7d
SHA1 82161caf5f0a4112686e4889a9e207c7ba62a880
SHA256 a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22
SHA512 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

memory/1116-350-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1116-353-0x0000000002E30000-0x0000000002E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-systemtray-ext.jar

MD5 acc229916e4c7c666b45072b525041e7
SHA1 36f508f20347fce608130806a26cd796daf5dd20
SHA256 91ed39e83199784b0fb359a9e2b319572b2ba1b1f4492e82a590bf488650f7f4
SHA512 c537c442874c63103f5ae934b6fdd03834e62b7374070efcbcd05b606d02274679078c38437cb1de79e3284f39fc2981c79274d93b0ba4afeb7c6942cca54235

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jsoup.jar

MD5 36145fee38e79b81035787f1be296a52
SHA1 33ee82e324f4b1e40167f3dc5e01234a1c5cab61
SHA256 6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a
SHA512 3b00b07320831f075a6af9ac1863b8756fe4f99a1b4f2e53578dca17fdaf7bdb147279225045e9eeeba4898fe321cf5457832b8e6a1a5b71acff9a1c10392659

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-zip-ext.jar

MD5 20f6f88989e806d23c29686b090f6190
SHA1 1fdb9a66bb5ca587c05d3159829a8780bb66c87d
SHA256 9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16
SHA512 2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-zend-ext.jar

MD5 4bc2aea7281e27bc91566377d0ed1897
SHA1 d02d897e8a8aca58e3635c009a16d595a5649d44
SHA256 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288
SHA512 da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

C:\Users\Admin\AppData\Local\Temp\av\201\lib\jphp-xml-ext.jar

MD5 0a79304556a1289aa9e6213f574f3b08
SHA1 7ee3bde3b1777bf65d4f62ce33295556223a26cd
SHA256 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79
SHA512 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

C:\Users\Admin\AppData\Local\Temp\av\201\lib\mail.jar

MD5 ec6e4e5ebd85a221b395b8f3b37545e6
SHA1 85319c87280f30e1afc54c355f91f44741beac49
SHA256 17bddec86cfe01092bd358c249b7c2ce4295c13cdad314d8eacc8426fdbe3034
SHA512 3e3e406542676f27b5008a061ceaa90580e2f9fd78b31576c99f7612033f2dd0a14824e7bfb16e6f1a12ad96985319fd6f1c2706230019c76ce22da8c7dfd181

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\currency.data

MD5 f6258230b51220609a60aa6ba70d68f3
SHA1 b5b95dd1ddcd3a433db14976e3b7f92664043536
SHA256 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441
SHA512 b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

C:\Users\Admin\AppData\Local\Temp\av\201\lib\slf4j-api.jar

MD5 caafe376afb7086dcbee79f780394ca3
SHA1 da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
SHA512 5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b

C:\Users\Admin\AppData\Local\Temp\av\201\lib\slf4j-simple.jar

MD5 722bb90689aecc523e3fe317e1f0984b
SHA1 8dacf9514f0c707cbbcdd6fd699e8940d42fb54e
SHA256 0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874
SHA512 d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

C:\Users\Admin\AppData\Local\Temp\av\201\lib\zt-zip.jar

MD5 0fd8bc4f0f2e37feb1efc474d037af55
SHA1 add8fface4c1936787eb4bffe4ea944a13467d53
SHA256 1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b
SHA512 29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\security\java.security

MD5 409c132fe4ea4abe9e5eb5a48a385b61
SHA1 446d68298be43eb657934552d656fa9ae240f2a2
SHA256 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
SHA512 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\net.dll

MD5 691b937a898271ee2cffab20518b310b
SHA1 abedfcd32c3022326bc593ab392dea433fcf667c
SHA256 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61
SHA512 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\nio.dll

MD5 95edb3cb2e2333c146a4dd489ce67cbd
SHA1 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a
SHA256 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31
SHA512 ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\tzdb.dat

MD5 5a7f416bd764e4a0c2deb976b1d04b7b
SHA1 e12754541a58d7687deda517cdda14b897ff4400
SHA256 a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d
SHA512 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\tzmappings

MD5 b8dd8953b143685b5e91abeb13ff24f0
SHA1 b5ceb39061fce39bb9d7a0176049a6e2600c419c
SHA256 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272
SHA512 c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

C:\Users\Admin\AppData\Local\Temp\av\201\jre\lib\resources.jar

MD5 9a084b91667e7437574236cd27b7c688
SHA1 d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1
SHA256 a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d
SHA512 d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\msvcr120.dll

MD5 034ccadc1c073e4216e9466b720f9849
SHA1 f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA256 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA512 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

C:\Users\Admin\AppData\Local\Temp\av\201\jre\bin\msvcp120.dll

MD5 fd5cabbe52272bd76007b68186ebaf00
SHA1 efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA256 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA512 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

memory/1116-414-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1116-432-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/4940-438-0x0000000000D20000-0x0000000000D56000-memory.dmp

memory/4592-439-0x0000000004E70000-0x0000000005498000-memory.dmp

memory/1116-440-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/4940-441-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

memory/4940-442-0x0000000005380000-0x00000000053E6000-memory.dmp

memory/4940-443-0x0000000005460000-0x00000000054C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjtp40oy.hi3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4940-462-0x0000000005660000-0x00000000059B4000-memory.dmp

memory/4940-463-0x0000000005A80000-0x0000000005A9E000-memory.dmp

memory/4592-464-0x0000000005D50000-0x0000000005D9C000-memory.dmp

memory/4592-467-0x00000000061A0000-0x00000000061BA000-memory.dmp

memory/4592-466-0x0000000006C60000-0x0000000006CF6000-memory.dmp

memory/4592-468-0x0000000006210000-0x0000000006232000-memory.dmp

memory/4592-469-0x00000000072B0000-0x0000000007854000-memory.dmp

memory/220-478-0x0000000005B70000-0x0000000005EC4000-memory.dmp

memory/4768-493-0x000000006E800000-0x000000006E84C000-memory.dmp

memory/220-492-0x0000000006700000-0x0000000006732000-memory.dmp

memory/220-513-0x00000000066E0000-0x00000000066FE000-memory.dmp

memory/220-503-0x000000006E800000-0x000000006E84C000-memory.dmp

memory/4768-514-0x0000000006C90000-0x0000000006D33000-memory.dmp

memory/220-515-0x0000000007A80000-0x00000000080FA000-memory.dmp

memory/220-516-0x00000000074B0000-0x00000000074BA000-memory.dmp

memory/220-517-0x0000000007650000-0x0000000007661000-memory.dmp

memory/220-518-0x0000000007690000-0x000000000769E000-memory.dmp

memory/220-519-0x00000000076A0000-0x00000000076B4000-memory.dmp

memory/220-520-0x0000000007780000-0x000000000779A000-memory.dmp

memory/220-521-0x00000000076D0000-0x00000000076D8000-memory.dmp

memory/1116-539-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1116-548-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1116-550-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/3308-551-0x0000000000400000-0x000000000063C000-memory.dmp

memory/3308-552-0x0000000000400000-0x000000000063C000-memory.dmp

memory/1116-556-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1116-557-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/3308-558-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
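The listing above is a flat dump of every file the sample wrote plus the memory regions the sandbox captured, and most of it is a bundled JPHP/Java runtime (`av\201\lib\jphp-*.jar`, `av\201\jre\bin\msvcr120.dll` and so on) whose hashes also match legitimate copies of those libraries. The entries that merit a closer look sit outside that tree: `C:\ProgramData\mozglue.dll` is a Mozilla runtime library that stealer families are known to drop in order to read Firefox profile data, which lines up with the report's "Reads user/profile data of web browsers" signature, while `__PSScriptPolicyTest_*.ps1` in `%TEMP%` is the probe file powershell.exe itself writes on start-up and is an artifact of the "Command and Scripting Interpreter: PowerShell" activity rather than a payload. The parser below is an added example, not part of the report or of any sandbox vendor's tooling: it turns this listing into validated records, separates memory-region lines, and splits runtime files from the rest so that the SHA256 blocklist only carries hashes worth matching on. The line format is inferred from the listing; the runtime-prefix split and the sample input (three entries copied from above plus one constructed malformed entry) are assumptions made for the example.

```python
"""Parse a sandbox 'Files' listing into dropped-file and memory-region records.

Added example, not part of the report. Format inferred from the listing:
a file path, a blank line, then MD5/SHA1/SHA256/SHA512 lines; memory regions
appear as 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")          # the report prints lowercase hex
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Assumption: these subtrees are a bundled JPHP/Java runtime (names such as
# jphp-core.jar and jre\bin\msvcr120.dll suggest it), so their hashes also
# match legitimate copies and make poor blocklist material.
RUNTIME_PREFIXES = ("\\av\\201\\lib\\", "\\av\\201\\jre\\")


@dataclass
class DroppedFile:
    path: Optional[str]                     # None when the path line is missing
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemoryRegion]]:
    """Walk the listing line by line. A malformed digest is recorded in the
    record's `problems` instead of raising, so one bad line does not lose
    the remaining IOCs."""
    files: List[DroppedFile] = []
    regions: List[MemoryRegion] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None                  # a region line closes the open record
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            continue
        parts = line.split(None, 1)
        if parts[0] in HASH_LEN and len(parts) == 2:
            if current is None:             # hash lines whose path was cut off
                current = DroppedFile(None, problems=["hash lines with no preceding path"])
                files.append(current)
            algo, digest = parts[0], parts[1].strip()
            if len(digest) != HASH_LEN[algo] or not HEX_RE.match(digest):
                current.problems.append(f"{algo}: malformed digest {digest!r}")
            else:
                current.hashes[algo] = digest
            continue
        current = DroppedFile(line)         # anything else starts a new record
        files.append(current)
    return files, regions


def triage(files: List[DroppedFile]) -> Tuple[List[DroppedFile], List[DroppedFile]]:
    """Split records into bundled-runtime files and everything else."""
    runtime, interesting = [], []
    for f in files:
        if f.path and any(p in f.path for p in RUNTIME_PREFIXES):
            runtime.append(f)
        else:
            interesting.append(f)
    return runtime, interesting


def sha256_set(files: List[DroppedFile]) -> List[str]:
    """Sorted, de-duplicated SHA256 values ready for a blocklist or hunt query."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


# Constructed input: three entries copied from the listing plus one
# deliberately malformed entry that exercises the validation path.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\av\201\lib\jsoup.jar

MD5 36145fee38e79b81035787f1be296a52
SHA1 33ee82e324f4b1e40167f3dc5e01234a1c5cab61
SHA256 6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a
SHA512 3b00b07320831f075a6af9ac1863b8756fe4f99a1b4f2e53578dca17fdaf7bdb147279225045e9eeeba4898fe321cf5457832b8e6a1a5b71acff9a1c10392659

memory/3308-551-0x0000000000400000-0x000000000063C000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\constructed-bad-entry.bin

MD5 00112233445566778899aabbccddeeff
SHA256 not-a-digest
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    runtime, interesting = triage(files)
    for f in interesting:
        print(f.path, f.hashes.get("SHA256"), f.problems)
    print("blocklist:", sha256_set(interesting))
    print("regions:", [(r.pid, hex(r.start), r.size) for r in regions])
```

Run it as a script to see the triage, or feed the full listing through `parse_listing` and check every record's `problems` before exporting `sha256_set(interesting)`; the region sizes (here one 0x23C000-byte image region from PID 3308) are what you would compare against the dumped-module sizes when deciding which `.dmp` to pull for static analysis.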