Malware Analysis Report

2025-08-05 11:54

Sample ID 241015-12ks7szcna
Target 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
SHA256 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
Tags credential_access discovery persistence spyware stealer
Score 9/10

Analysis Overview

Score 9/10

SHA256 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35

Threat Level: Likely malicious

The file 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35 was found to be: Likely malicious.

Malicious Activity Summary

credential_access discovery persistence spyware stealer

Grants admin privileges

Loads dropped DLL

Executes dropped EXE

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

Adds Run key to start application

Network Service Discovery

Enumerates connected drives

Network Share Discovery

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Permission Groups Discovery: Local Groups

Unsigned PE

Browser Information Discovery

System Network Connections Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Gathers network information

Runs net.exe

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Gathers system information

Discovers systems in the same network

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 22:08

Reported

2024-10-15 22:11

Platform

win7-20240903-en

Max time kernel

140s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"

Signatures

Grants admin privileges

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
N/A N/A C:\ProgramData\Application Data\wmimgmt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmi32 = "\"C:\\ProgramData\\Application Data\\wmimgmt.exe\"" C:\ProgramData\Application Data\wmimgmt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\ProgramData\Application Data\wmimgmt.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ARP.EXE N/A

Network Share Discovery

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Browser Information Discovery

discovery

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Application Data\wmimgmt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Application Data\wmimgmt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ROUTE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ARP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\findstr.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
N/A N/A C:\ProgramData\Application Data\wmimgmt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 3052 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 2656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2656 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 2556 wrote to memory of 496 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 496 wrote to memory of 2152 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 496 wrote to memory of 2152 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 496 wrote to memory of 2152 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 496 wrote to memory of 2152 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2152 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2152 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2152 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2152 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2152 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2056 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2056 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2056 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2056 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2152 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2152 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1168 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1168 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1168 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1168 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2152 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2152 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2152 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2152 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2152 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2152 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2152 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2152 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2152 wrote to memory of 1776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2152 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

"C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

C:\ProgramData\Application Data\wmimgmt.exe

"C:\ProgramData\Application Data\wmimgmt.exe"

C:\ProgramData\Application Data\wmimgmt.exe

"C:\ProgramData\Application Data\wmimgmt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat"

C:\Windows\SysWOW64\findstr.exe

findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt

C:\Windows\SysWOW64\chcp.com

chcp

C:\Windows\SysWOW64\net.exe

net user

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user

C:\Windows\SysWOW64\net.exe

net localgroup administrators

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\reg.exe

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"

C:\Windows\SysWOW64\find.exe

find "REG_"

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -ano

C:\Windows\SysWOW64\ARP.EXE

arp -a

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -r

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

C:\Windows\SysWOW64\ROUTE.EXE

C:\Windows\system32\route.exe print

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\net.exe

net use

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo n"

C:\Windows\SysWOW64\net.exe

net share

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 share

C:\Windows\SysWOW64\net.exe

net view /domain

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "------"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "domain"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "¬A╛╣"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "░⌡ªµª¿"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "├ⁿ┴ε"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "completed successfully"

C:\Windows\SysWOW64\net.exe

net view /domain:"WORKGROUP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\\workgrp.tmp "

C:\Windows\SysWOW64\find.exe

find "\\"

C:\Windows\SysWOW64\net.exe

net view \\ZQABOPWE

C:\Windows\SysWOW64\net.exe

net view \\ZQABOPWE

C:\Windows\SysWOW64\find.exe

find "Disk"

C:\Windows\SysWOW64\PING.EXE

ping -n 1 ZQABOPWE

C:\Windows\SysWOW64\findstr.exe

findstr /i "Pinging Reply Request Unknown"

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowsupdate.microsoft.com udp

Files

memory/3052-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2656-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2656-4-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3052-3-0x0000000000400000-0x000000000043F000-memory.dmp

\ProgramData\wmimgmt.exe

MD5 98b94959187e33ef4fdb4116cc2aa1e2
SHA1 4df59ac87cfe2d6b88490452e5eb8abfc16ee167
SHA256 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
SHA512 32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8

memory/2556-15-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2556-21-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\ghi.bat

MD5 8c6085bd713786647b4b4d9d14a14f0f
SHA1 6f6d5ce899e8ce5ea36662793ad768f7daf466e5
SHA256 a805b09be4a2503d73876264fa7a489e1efee619bbf7197c4ee8b084fbb1afbc
SHA512 c5e1a18fb945015746dcff969ea5dfe91497cdc756e3d8193518645ce7cb51de816338ba6a514f285bc1794d84e416b76485222e49409e5554a416ca29c5de10

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\INFO.TXT

MD5 ede1840193bbfcde47e2c985ca40fbfc
SHA1 d243a17049d1c43c6acc5532ccac339c756b54bc
SHA256 6b5d4ee34ccd135ff6f2ae63118e3ed46223b584be51ea34bb6d225b48777df9
SHA512 bc096f3ec15c587871f03148a86c663d9480887eedc71d57d7bde18fa07dc094e991f79805b10ab5338d5d9926e1919d466c1d1dbf20eb0f8cfdd53cb2a9955e

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\INFO.TXT

MD5 d201284d6afc7144777cb22959679f8a
SHA1 67de29a0c0ee94dbe794ec2b31f3885961cadf8d
SHA256 c201f4be0f5a1c560e581a79d38c99d520f22304247651e858404af314d9515d
SHA512 bafd4d49c66b4f569c9e987d1305e6628dcf63d2964597268900cc45c662bf4ceab94a863a729c2f82a40f53d27779e5086f08da1436342fae1c4fc13e1ec2e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\INFO.TXT

MD5 5f903513ae55f527e57f4d2e6bab7abc
SHA1 749c9c7039a4f741a31cd82ea3e59f9e68a6cd10
SHA256 6caab0d7e574a4a3838f6d13e9ad44c20b2feb0ffbbfbf7e01eb14aeede6fe12
SHA512 896042b9fc47d6c61e9d3932340f7dcbb12395ebfcdcd48d0d46146d6455b7e6b5e669038e0ae0b642f40d86b82e7384e00ee9b87c26b05cfa42ab61bdfc4c3d

C:\Users\Public\Documents\Media\line.dat

MD5 9a183fa5decb55ccafeeef2bc2c2338a
SHA1 048c8b157d61f5364c678a966045224b70b355d4
SHA256 6979a9d011a33426a574e41ccf15560e00af3c6975a48586fea43c3c9ac3ca2e
SHA512 b3aa00454b915928844af1a7836f2c088a202aa0ae3604cc511c5571ca20a4ed5c2a4c907f3e4a0d1dd8b6b329ce653a8f96d2c83ce91f64a899d3006f845e4a

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\s.log

MD5 b256c8a481b065860c2812e742f50250
SHA1 51ddf02764fb12d88822450e8a27f9deac85fe54
SHA256 b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512 f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\t.log

MD5 59f2768506355d8bc50979f6d64ded26
SHA1 b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA256 7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512 e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\s.log

MD5 e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1 acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA256 8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512 f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\workgrp.tmp

MD5 9f514a9a9be8c276f087b96c5672793f
SHA1 1246bb423354f1d2933b6ba349afc4cdc9081d7a
SHA256 1bad6d563fe359f1efab71d957041f1dc000b35b324a77e60e0d5333b3790107
SHA512 8fee0279266c8e27a3d4970881bad1767f7a7fd2ee7424b2bee5c5e2d2298f17788fd55ccbe874c076772c25f8a787b74b5c9256d6ed189ba77e7112640d7f1e

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\drivers.p

MD5 4ff8e80638f36abd8fb131c19425317b
SHA1 358665afaf5f88dfebcdb7c56e963693c520c136
SHA256 6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512 d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

memory/496-81-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-80-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-82-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\INFO.TXT

MD5 e8e0931ef541816dc7aefa60a4bbc5ca
SHA1 5f98a9f99be4248900c73378e2374f077b013584
SHA256 a93f4af109bdba7184d0342c4297ca10798248477b271a7edb68dcfa2e5075d7
SHA512 8337e604573a645028ab45dfdf801478e92b1ed137de6018321c04a74ebfbe5f826268bc021ab340298f003e9640fbca419b21e6598f1e75938d96224f06f872

memory/496-89-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-93-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-96-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-99-0x0000000000400000-0x0000000000424000-memory.dmp

memory/496-102-0x0000000000400000-0x0000000000424000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 22:08

Reported

2024-10-15 22:11

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"

Signatures

Grants admin privileges

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
N/A N/A C:\ProgramData\Application Data\wmimgmt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmi32 = "\"C:\\ProgramData\\Application Data\\wmimgmt.exe\"" C:\ProgramData\Application Data\wmimgmt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\ProgramData\Application Data\wmimgmt.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ARP.EXE N/A

Network Share Discovery

discovery

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Browser Information Discovery

discovery

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\systeminfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Application Data\wmimgmt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Application Data\wmimgmt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ARP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ROUTE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Application Data\wmimgmt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 4728 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 4728 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 4728 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 4728 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe
PID 4416 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4416 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4416 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4236 wrote to memory of 1608 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4236 wrote to memory of 1608 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4236 wrote to memory of 1608 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4236 wrote to memory of 1608 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 4236 wrote to memory of 1608 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\ProgramData\Application Data\wmimgmt.exe
PID 1608 wrote to memory of 2344 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2344 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2344 N/A C:\ProgramData\Application Data\wmimgmt.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2344 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2344 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2344 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2344 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2344 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2344 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2344 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2344 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4156 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4156 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4156 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2344 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2344 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2344 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1168 wrote to memory of 2320 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1168 wrote to memory of 2320 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1168 wrote to memory of 2320 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2344 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2344 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2344 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2344 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2344 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2344 wrote to memory of 3080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\systeminfo.exe
PID 2344 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2344 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2344 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 2344 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

"C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe"

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

C:\Users\Admin\AppData\Local\Temp\5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35.exe

C:\ProgramData\Application Data\wmimgmt.exe

"C:\ProgramData\Application Data\wmimgmt.exe"

C:\ProgramData\Application Data\wmimgmt.exe

"C:\ProgramData\Application Data\wmimgmt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\ghi.bat"

C:\Windows\SysWOW64\findstr.exe

findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt

C:\Windows\SysWOW64\chcp.com

chcp

C:\Windows\SysWOW64\net.exe

net user

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user

C:\Windows\SysWOW64\net.exe

net localgroup administrators

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\reg.exe

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"

C:\Windows\SysWOW64\find.exe

find "REG_"

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo

C:\Windows\SysWOW64\reg.exe

reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -ano

C:\Windows\SysWOW64\ARP.EXE

arp -a

C:\Windows\SysWOW64\NETSTAT.EXE

netstat -r

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print

C:\Windows\SysWOW64\ROUTE.EXE

C:\Windows\system32\route.exe print

C:\Windows\SysWOW64\net.exe

net start

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start

C:\Windows\SysWOW64\net.exe

net use

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo n"

C:\Windows\SysWOW64\net.exe

net share

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 share

C:\Windows\SysWOW64\net.exe

net view /domain

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "------"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "domain"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "¬A╛╣"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "░⌡ªµª¿"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "

C:\Windows\SysWOW64\find.exe

find /i /v "├ⁿ┴ε"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "

C:\Windows\SysWOW64\find.exe

find /i /v "completed successfully"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4728-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4416-1-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4728-2-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4416-8-0x0000000000400000-0x0000000000424000-memory.dmp

C:\ProgramData\wmimgmt.exe

MD5 98b94959187e33ef4fdb4116cc2aa1e2
SHA1 4df59ac87cfe2d6b88490452e5eb8abfc16ee167
SHA256 5af56489aea173ceaee85e59ff5d93dbeb6c28e7b9a109a93e28261b1bef7b35
SHA512 32bfa406fba20266d90021be706d4691d9f9725a761c4ff57fd0f490bfd3e9cb3a6f929f1a143e0ca83931f3335960d18c4b7ca98a4a1a538e4ab5145c244ab8

memory/4236-11-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\ghi.bat

MD5 58a64905608130d77188e612e3972897
SHA1 fd2c205c16330cbd77bf3c4ffa8db0e0f245db49
SHA256 1ebd7eae014cf21830a64f251bf768e2935fa3de5223dcb86f3e69dc88c384c8
SHA512 288968fbce883e1ec8ba764ed9e82aa9712d1390a8aa98c9f4c7a45247be59825b981c3236e309c5bbff5d075998b406e0a1c049ecb035b58668a1f3354020fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\INFO.TXT

MD5 ede1840193bbfcde47e2c985ca40fbfc
SHA1 d243a17049d1c43c6acc5532ccac339c756b54bc
SHA256 6b5d4ee34ccd135ff6f2ae63118e3ed46223b584be51ea34bb6d225b48777df9
SHA512 bc096f3ec15c587871f03148a86c663d9480887eedc71d57d7bde18fa07dc094e991f79805b10ab5338d5d9926e1919d466c1d1dbf20eb0f8cfdd53cb2a9955e

C:\Users\Admin\AppData\Local\Temp\AC#9357.tmp

MD5 fa4d93b8f638aecd78d981edbe100bdf
SHA1 d367ff29300d54b0ab54bea8961c1422d4d5769b
SHA256 77bf5c8eebea10eb0778114d981a8b4e1021a143823ec641d22f0bd3d179b01e
SHA512 b12c77370c573c15d8113708b9dfd0366a71d01a83c0ad3991a91096681ec6d952843146c07dd9764eb5009361f64a165ee11a0c567d42546cf0f796270036cb

C:\Users\Admin\AppData\Local\Temp\AC#9377.tmp

MD5 5b16de20aeb1bd3cb29eb8e39a8b8e6d
SHA1 f333a8459d4964d79c59d89ff4bab147da71fc48
SHA256 54b3d913d8bd5f156ab980df88c5ee8ed8cf71a13d9fe28b13b4b7e9eb32298d
SHA512 b34c69356038b460f84683eb3152bec09645dcc9f189e3189d424eb02ffa39152cbee376a4e8b9dad54d8e5db2f3c6cb0e81a7c7255441d3d952e230f81fdd41

C:\Users\Admin\AppData\Local\Temp\AC#9398.tmp

MD5 0203a6796f0744e5ca6e26343117b74a
SHA1 f7d8971ddf284fdeb30f3391a15c3885e3a8e071
SHA256 e6aa39caae752aff74c9bf8233bd4cf8fa5a0fe2c71e26574f358b8a3e98732d
SHA512 f537defafd02ebc7764dd99b66727afb8b6ec28033ed1ba9395f99946aa85beb9b4a6b75f816cc7e2eed8ada13c5d6f5662743b6a25a6c33c27011409328924e

C:\Users\Admin\AppData\Local\Temp\AC#9397.tmp

MD5 1331a08b212edfdebfbd9d065a5574a1
SHA1 979f1b4939aeb7eba0acb6b13796922181277d02
SHA256 6b9b91c8207baabdb1266242f82230a0ebcf730f49342af57d4b54137c3ef96b
SHA512 437fa675bc7eccb052aa8e5f4602b9722f8ce8b4a43f3997fdc30cb222a6f5db34c7535954114d864612cf9d2fdef04cc2e13b9c6db207c381629d791e979d1d

C:\Users\Admin\AppData\Local\Temp\AC#94D2.tmp

MD5 47708914ce4b087a3b39cae6a3e5aa65
SHA1 7220140b83a8f52d312f331274fc850c2da97565
SHA256 6db0436bc64f484b30295aab1cd478b57df8c7991f9bb052c38539e58888a4f2
SHA512 6a3c8c44d5617396abce15fdea30545aa13c6aa40b2fafad7bedd892e7aa305d8b5bd3a2e7dc31b4102353bcf6b9cd0c6b93395f7090e579c9d81d6e20948ac2

C:\Users\Admin\AppData\Local\Temp\AC#9540.tmp

MD5 7b823e3d867ca6731a9a150d8d48dee3
SHA1 dbe629e64511be98e83ef7b4b08d5508a27fa247
SHA256 732784eae941c3c34c1ab3ddea9b87885147ad72f944b32b6d1330465779a668
SHA512 3281f2005e88707cda7421affc567e052b9d1db9c913d1fef0b7962a3e4671f7636fcb627aa6a74ea439b681e6f152b85b18bb66728c0633a8c0d6cadbccd5e8

C:\Users\Public\Documents\Media\AFA21C6C.db

MD5 964da1e43e836de29324af0ca7f27fc4
SHA1 96586b3a9d65e68e2ef5920a8b92f65617d57327
SHA256 afd4b140f9635e050fa92a0161481d8270fa2ccccbfc3d19300ff63e1815e46d
SHA512 ca03e7733135636b126405c8e06603c7180d1531185b6634bf11311f54946a37c1f9a2120706232dfc435f16084c070542a731bf7fc1dbaa086fc6b1d426edce

C:\Users\Admin\AppData\Local\Temp\AC#963B.tmp

MD5 004dbeec4ffa6e354e5ebad72c191004
SHA1 5d04438acce29ac822c2fd7a532f0b15dbc9a2b9
SHA256 1112d0aad234784ca6eff51c9a59903318ed6fc406d62866a73f12d234270a82
SHA512 fe03812cd22e47d9f43449fa91c218c0974d23941a6aeca24d57ff8d94d162f87b2538edcc48d334bde805abb6a6f7c106780d4d71292bbf89fa4c51787d31b8

C:\Users\Admin\AppData\Local\Temp\AC#966B.tmp

MD5 9f9e0c8a895f4833c6433de680c2765a
SHA1 607cc1f7fad3db21ad0f79bc3e2eee6723a5b5ae
SHA256 b38bbc91581d54128f8933a0411daf95ece2bb94f4395ed7ad55f7d04410be16
SHA512 b912d5bf17cf5e75c6a20b667067381c81497ea4a77417bd52cfd3077c9cda546492d22f9ae96987429ed4509a6a6dbc5263e5650f5351de4d5a24211be31051

C:\Users\Admin\AppData\Local\Temp\AC#96EA.tmp

MD5 58c73c1123fdef3dc008d0f25e89d2f7
SHA1 378aee54db3e6995e86a17844484cf2bbf39c5ea
SHA256 187aaa866e964cbfdb8b166f515eca38506781c7cf1bac1486e1dbe0c87391d9
SHA512 0297ead82bae718f34e5249434094f1a364531f431b9a6e34acc408df1a81db96d7c7ebec576945f673423814cf1539f2d3283d9325523b02b66c015be5fe9ee

C:\Users\Admin\AppData\Local\Temp\AC#9729.tmp

MD5 d2ec2b1b91ed34faf4a3c24f5bc8a920
SHA1 48325efdf73e135183ff87d49a5adbc60dac841e
SHA256 3050af6427a399f251edda3a00083a4ee782be52721053a566a08b765c4419c7
SHA512 62bf78411b0c743cf7ee0f2231412bcc3cc981eb8c93976ccfab6dee5e2a9aa13d51459d4a424835731243ee1663aea0304cca6a740127e18069e7430bd3e18f

C:\Users\Admin\AppData\Local\Temp\AC#973A.tmp

MD5 5e130cab51e52b6a70330211672ef339
SHA1 857f7cc812247251e8b232ae604d62364d7c8c90
SHA256 7254e1986b885fdaa11c9b4d5434016d0f333641fd34bdee05632b4b4754e2b8
SHA512 7174316d5cba1350a91e0ed1174ec143f3b04d80f722f1a1ac1d59ed38d0ae12a0ac401232a72d39ce892ff1374494fd2598f1a2366477b4cce90f7c0bda6881

C:\Users\Admin\AppData\Local\Temp\AC#97F6.tmp

MD5 7ff6ea3a9df1dc20a5a2f4aa62fb7619
SHA1 844b3f511a2a75a74929d1d57d96f11af9b7e075
SHA256 7458f0ee9b9dc6b66fc0ce3ec51f79bc2da37843131294a4e2bc17140a129eaa
SHA512 fb848789e1a368be1d08b7633a089b1e0fa0c9bd5281c40df7638e573421bfb63c8b98a3eb1750e2001746cceca876b2808c7e65e6354d41fef9c3cd943f419d

C:\Users\Admin\AppData\Local\Temp\AC#98C3.tmp

MD5 7a57618eff48eecedee15a8a466d04b0
SHA1 88cf806d55b13a45f8c26e9b8e6c89d282b32c2a
SHA256 0901bc5b3fc68cfab11b8bf92c0787f29070a5795b4e276815e1b4246a187ac0
SHA512 898c2737beaa36c12da848dd7a5a3a0eed42c1e759ab8d84d67d6cd7f7a5de12b19853f03ffde940661fd80f90ec21d012ef48534f046b4bc593566e588eb85a

C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\INFO.TXT

MD5 43e49b0bc80bec9ea7a6ac7ce68664d6
SHA1 b898dda7a69643aca259ead30d1aa21d8e9c3cd4
SHA256 85ebe0c5310d476745fba4b909e332f05905241125533c1604c9165aab2be4bd
SHA512 b3820307a5380766561ce912943ed84870ad67033aec01350ab14004b1bd19115395431d1f5c91f8a6fecb6534626a8558288b239c18b34c9d6d81f91e492f10

C:\Users\Admin\AppData\Local\Temp\AC#A815.tmp

MD5 6f6c7900c4feb6892245bec271916a4e
SHA1 6833e288e14fb55396c376fbd0f97064dadbf5af
SHA256 3b65da5fbf74a5e0f270ebf8039569816a7134e1bbae4e30aa4f0820aa549a9c
SHA512 f1f3a26ddfe218ef4c84910a97bc65b3f212b558d8a63f47baa6476a2394a88ec94ea820c332e671633a1ec87b7e274c1cff52fb054561000e678e94426181f4

C:\Users\Admin\AppData\Local\Temp\AC#A9CC.tmp

MD5 d1ac5ad91330f5c72d6434305eb3b6e8
SHA1 61dbda86dd653715944a210db79508f4041da7db
SHA256 85a9a5cf6e062fe733a2696137d103784bd7495f9f9224d2d663e2ce41847977
SHA512 880f9b4ae8a7bb774a3354349922e45637215b3a31955029477d06c50560002128795c6c62ebde7947f9ebf2509894a11f639868a84dd912984de9e6733f79c6

C:\Users\Admin\AppData\Local\Temp\AC#A9DD.tmp

MD5 c742ca2c3e8253f41679b4f814d00967
SHA1 53b14400b30949946fe793ab39305ae59d5bdeae
SHA256 aab239db42105b5e3912cc1417023efa39082f2585b24da616fc26c2e723b96c
SHA512 5e7e34a8d19b711e4b3c7c9beef0b47cd011629d2f50e8876be348faf80e72630cac7074da8f8411967b5d8f1dbdf648b49b3a432182d1a715791a34adaa745d

C:\Users\Admin\AppData\Local\Temp\AC#AA0C.tmp

MD5 7144bd8c9c08ba5bc13fefad20470884
SHA1 dc95e2f9df3fe7f2915a0ccf96fe0990588ee035
SHA256 510599834c1b6dd4b18ec4781e27233b250fd268a4f1685090cd78ec0e6fcac3
SHA512 8aeb68ce298f73555380b9d39dace901af7493e98c13c12cff1f0f46e5218936dcce75443fbbb7160b46a7d0e6ed9689e33f4abbba08c116e42d910e0ff9ed9f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\INFO.TXT

MD5 957da11aa00e90da97f07a3631f8f1f0
SHA1 06b242273e93b2a1211584bd9b782896ac27b06b
SHA256 e63dacf82ac03e5f38aab0c8cbdee968b330705f6b7456dabf284cd39355e376
SHA512 0a63ca460014105761633f85b53b9f8bc2f4df34e615691eaeb9b5dae70d16b93b5052cbe2758607936ac1a13ae6d912b3e6faaed2f5e1e64292cb14d3d9f334

C:\Users\Admin\AppData\Local\Temp\AC#AA4C.tmp

MD5 ba6156b662587d5b85896896bb2d70d9
SHA1 f515afdb6bbcf168bfb6799c755e8d4f33884163
SHA256 847224384edcfe9df6279fdc11a0abfc649aadc8947c2072212d1aa406b153cf
SHA512 ebae40a82880f751338f21ffef1a502ac7903e134b70fb07989992356afc9e1e855e107c4d7d9728e7dd543d2548ffd22e91da4d79c066b24599241e601f5012

C:\Users\Public\Documents\Media\line.dat

MD5 e86e72f935042f845a6d8b81aa7394e8
SHA1 b087484cfd1afe4a749c0a2f55bb48f7ce147bd2
SHA256 79bd38577c3a76baea02583c6de4fcdb2c820f4a82d54e2cd31949e8abfb24c6
SHA512 67b5efac1d5c9479bdb1309525e3f6a1a7d042a08c10aee946bd5d36bfd2a2e8affd79b61fc38a5d74fcd4abaf422f1930fe0c5b764ab620829452aba4e96be5

C:\Users\Public\Documents\Media\line.dat

MD5 18a20a19c750a2c1626cd19c738c86c4
SHA1 a1aefc142415a6abf3ae77c637bdeec7e93803f7
SHA256 a51e959888c13f4db8420d70c17e85db97407f710f34cbd3b03e5d424fbda966
SHA512 62525a40b9fffe047eb51b922683c416f933b7eef5114b1794d141ee337318a063a6e9439afb2358ce1876d3d5e85cd066571e3ab5d11c153d5cbf1b3e088d91

C:\Users\Public\Documents\Media\line.dat

MD5 91555150f24fc9fa33d5b0fff7b5bccf
SHA1 324f5d2710101bec4dc4428bc1d081b20453c103
SHA256 d3b40ddb055ae69c083a82cf143e8c9f94e4683bd6f2d0d554ce211abee14091
SHA512 9e19e7043277b814e27c3fc1af990a1beddfe76742827fc2603d7c969b426ebb45d0f846958cd7fa446a8296b6aa9273f0f05f0de8e14eccbebedeadd029c147

C:\Users\Admin\AppData\Local\Temp\AC#ACA2.tmp

MD5 5f2da7f6fec9f025a990caf1f76585de
SHA1 65c06ac404348c3a4107b4e33de6c5e0a9829b88
SHA256 9bacf817393e597fe0c3f9d0c821ca8bff64f656078d5023af8d9fa48d434449
SHA512 ff89cfc28d27a841719dba372608632fd89a9e4769b0fea3cf5fad65c9022cca5ad46bfa71309045ae3e57256b631a9b78af75bb378a0099cacc974d390a9097

C:\Users\Public\Documents\Media\line.dat

MD5 53e343a147527e0b2bd28b98568f10fa
SHA1 041fd87bb80e8353a8dce22eea67c44fb054c576
SHA256 30059343ca13b426c9740414cff2437319fe2b13772334338eed603b141dded1
SHA512 e866a4f209e58f2eeb867b03f74cc772a218a8db3ac974d08fdcd078446c05507787bbca0a7eaeeeb72a291ce5e4865ab0e6f3f05a253dc8526798df95e21493

C:\Users\Public\Documents\Media\line.dat

MD5 4e063ab639ead6b965d577ff87ecdeb2
SHA1 70b5f243fbd1e472b412566c4d908cbf33a32023