Malware Analysis Report

2024-11-16 12:11

Sample ID 240715-lghe1ssdqc
Target b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b
SHA256 b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b
Tags
xworm execution persistence rat trojan neshta spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b

Threat Level: Known bad

The file b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan neshta spyware stealer

Xworm family

Detect Neshta payload

Detect Xworm Payload

Xworm

Neshta

Command and Scripting Interpreter: PowerShell

Drops startup file

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 09:30

Signatures

Detect Xworm Payload


Xworm family

xworm

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 09:30

Reported

2024-07-15 09:32

Platform

win7-20240705-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe"

Signatures

Detect Xworm Payload


Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\schtasks.exe
PID 2860 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\schtasks.exe
PID 2860 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\schtasks.exe
PID 2332 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2332 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2332 wrote to memory of 1600 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2332 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2332 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2332 wrote to memory of 2244 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe

"C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DE0A77D8-4E83-4361-8C96-E4F7F92F8D3F} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 edition-ages.gl.at.ply.gg udp
US 147.185.221.21:14076 edition-ages.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVQC3J58U3XUQ2TPI5PI.temp

MD5 ade88b1489a94d2a0ae7c27f98419d2e
SHA1 934d340bf22d64d488ca998282224ec78aa89ae6
SHA256 5e5ec5ee7838e1e3a0ae649c977b041f872b7c246216e93f3df31ea697e6cc24
SHA512 6571dead0265f573fe6ac6939b9bdbbe3279f2d26b6e72cf3999e8ece048ebd0535167d05dcc5d78db9f672f5cba214babe96ecda7f9d7c56b1f03087facf304

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 f9cf3c741b2aab438659db28ff3dcade
SHA1 abea5f0af31f38d2df86735b0ac57a508eb36b68
SHA256 b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b
SHA512 ff86f97a2bb44b001367655afcbb33b928c07a5ec7ce0c9449d9997c4f2b0550363c5bbc8f0a3615dc7cd6aa9f04d018b81c1e98338575bed0910a20fcd9a6eb

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 09:30

Reported

2024-07-15 09:32

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe"

Signatures

Detect Neshta payload


Detect Xworm Payload


Neshta

persistence spyware neshta

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\wevvgf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\schtasks.exe
PID 3112 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\System32\schtasks.exe
PID 3112 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 3112 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 3112 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe
PID 3112 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe
PID 3112 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Users\Admin\AppData\Local\Temp\wevvgf.exe
PID 4064 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\wevvgf.exe C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe
PID 4064 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\wevvgf.exe C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe
PID 4064 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\wevvgf.exe C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe
PID 3868 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\svchost.com
PID 3868 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\svchost.com
PID 3868 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\svchost.com
PID 3220 wrote to memory of 1128 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
PID 3220 wrote to memory of 1128 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
PID 3112 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\svchost.com
PID 3112 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\svchost.com
PID 3112 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe C:\Windows\svchost.com
PID 2912 wrote to memory of 3664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\klespl.exe
PID 2912 wrote to memory of 3664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\klespl.exe
PID 2912 wrote to memory of 3664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\klespl.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe

"C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'b7f8446df81a5d91809436661acf8ee4fdd1c897312a494ca01fca94f5352d5b.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\yqlcdm.mp3"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4d4 0x4a0

C:\Users\Admin\AppData\Local\Temp\wevvgf.exe

"C:\Users\Admin\AppData\Local\Temp\wevvgf.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\klespl.exe"

C:\Users\Admin\AppData\Local\Temp\klespl.exe

C:\Users\Admin\AppData\Local\Temp\klespl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 edition-ages.gl.at.ply.gg udp
US 147.185.221.21:14076 edition-ages.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 147.185.221.21:14076 edition-ages.gl.at.ply.gg tcp
US 147.185.221.21:14076 edition-ages.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_datdflpi.iw4.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Local\Temp\yqlcdm.mp3

C:\Users\Admin\AppData\Local\Temp\wevvgf.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\wevvgf.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\svchost.com

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

C:\PROGRA~2\Google\Update\DISABL~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
