Sample File: MD5 hash: e5031e1adceac15c5db78da6f4303905 SHA1 hash: 53c7e365d8f55e0b3cf5e958e3b5da05b456a61b SHA256 hash: 6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e SSDEEP hash: 3072:Dg+cIZ071HOQBVJ7nxCtGcH8C3fVJ9YTT4pIAFxoftxqKudFAV8cw7OJO4:DgVN1HOQjJ7xCtGcH8OP98T4pZxirju+ Filename(s): gootkit_vbs-6ded37a6.vir.vbs Filetype: VBScript Mutex IOCs: Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 ServiceEntryPointThread Registry Key IOCs: HKEY_CLASSES_ROOT\.vbs HKEY_CLASSES_ROOT\VBSFile\ScriptEngine HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\SOFTWARE\Microsoft HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer HKEY_CURRENT_USER\SOFTWARE\Microsoft\{102f49a9-80c9-42ee-8924-3256738fc621} HKEY_CURRENT_USER\SOFTWARE\Microsoft\{2dc03b67-bbe0-46f6-a506-c0799ccb1f6b} HKEY_CURRENT_USER\SOFTWARE\Microsoft\{7ade5bfc-66f6-4220-aa24-6032bdb90317} HKEY_CURRENT_USER\SOFTWARE\Microsoft\{ec58180b-dfce-4a67-b18b-e6d83b3e979b} HKEY_CURRENT_USER\Software\AppDataLow HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_0 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_1 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_10 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_11 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_12 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_13 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_14 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_15 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_16 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_17 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_18 
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_19 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_2 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_20 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_21 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_22 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_23 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_24 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_25 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_26 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_27 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_28 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_29 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_3 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_30 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_31 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_32 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_33 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_34 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_35 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_36 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_37 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_38 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_39 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_4 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_40 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_41 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_42 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_43 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_44 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_45 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_46 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_47 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_48 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_49 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_5 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_6 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_7 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_8 HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_9 HKEY_CURRENT_USER\Software\Microsoft\Command Processor 
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1 HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1 HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\0\\2500 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\\2500 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\\2500 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\\2500 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\\2500 HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\ProcessorNameString HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\~MHz HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\ProcessorNameString HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\~MHz 
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. 
Europe Standard Time\TZI HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemBiosVersion HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor 
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN\ServiceStackVersion HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy HKEY_PERFORMANCE_DATA HKEY_PERFORMANCE_DATA\2 Domain IOCs: 0 ::1 amd.martatovaglieri.it arb.palaser.eu drk.fm604.com 
gttopr.space localhost spop.lestanzedifederica.com xmpp.dolcesognar.it (Note: the entries 0, ::1 and localhost in this domain list are local or loopback values, not remote infrastructure; exclude them when importing the list into blocklists or detection rules.) IP IOCs: 176.10.125.81 109.230.199.169 109.230.199.30 198.251.83.27 URL IOCs: http://amd.martatovaglieri.it/upll?26201 HTTP://drk.fm604.com/rbody320 HTTP://drk.fm604.com/rbody32 HTTP://drk.fm604.com/rpersist4/2091998236 HTTP://xmpp.dolcesognar.it/rbody320 HTTP://xmpp.dolcesognar.it/rpersist4/1197631235 HTTP://spop.lestanzedifederica.com/rpersist4/1197631235 HTTP://arb.palaser.eu/rpersist4/1197631235 HTTP://gttopr.space/rpersist4/1197631235 File IOCs: Filenames: C:\ C:\Program Files\WindowsPowerShell\Modules C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll C:\Program Files\WindowsPowerShell\Modules\PSReadline C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll C:\Program 
Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml C:\Program Files\WindowsPowerShell\Modules\PackageManagement C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.dll C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml C:\Program Files\WindowsPowerShell\Modules\Pester C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5 C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 C:\Program 
Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml C:\Program Files\WindowsPowerShell\Modules\PowerShellGet C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml C:\ProgramData\Oracle\Java\javapath C:\Users C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp C:\Users\Nd9E1FYi 
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100 C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex C:\Users\Nd9E1FYi\AppData\Local\Temp\ C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp C:\Users\Nd9E1FYi\Desktop C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\profile.ps1 C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp C:\Windows C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\SYSTEM32\ntdll.dll C:\Windows\System32\Wbem 
C:\Windows\System32\WindowsPowerShell\v1.0\ C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml C:\Windows\system32 C:\Windows\system32\WindowsPowerShell\v1.0\Modules C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility 
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\PSGetModuleInfo.xml C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 C:\Windows\system32\cmd.exe C:\Windows\system32\wldp.dll CONOUT$ \\?\C:\ProgramData\{d781e3a1-e512-422f-aa6c-27428437cbc4}.lock \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.dll \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.sxs.manifest \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\fatal-log.txt \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe 
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe.manifest \\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\uncaught-log.txt c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Appx c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Dism c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\ISE c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\International c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Kds c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent 
c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent\MMAgent.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll 
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1 c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 [Note: the windowspowershell\v1.0\Modules entries are default Windows PowerShell module locations, consistent with module discovery by the PowerShell host rather than files written by the sample; they show that PowerShell ran but are low-value as file indicators.] MD5 hashes: 40e29531e81493d6e680e38c3ace3714 8845f276e426accd51223008b6aed4bf 
9832b59b183bb6318e62f1385d345c6d c4ca4238a0b923820dcc509a6f75849b [MD5 of the single character "1"; not sample-specific] c9fa9488f8854802c6f5eff3234d8a8a d41d8cd98f00b204e9800998ecf8427e [MD5 of empty input; not sample-specific] d63332b5a8254668fbae1255b085775d e5031e1adceac15c5db78da6f4303905 [the analysed sample] SHA1 hashes: 356a192b7913b04c54574d18c28d46e6395428ab [SHA1 of the single character "1"; not sample-specific] 4e82e31ad4e2eff91feec5f3827ed31168da3ca4 53c7e365d8f55e0b3cf5e958e3b5da05b456a61b [the analysed sample] 54b856a180fb3723403f9aad24ca548de63dc376 8b9029e83008d74b8c5414a2ef064629a340c9ae c9fa81aa57e7c32c4bcefd33788967cc3170fe91 da39a3ee5e6b4b0d3255bfef95601890afd80709 [SHA1 of empty input; not sample-specific] ee078721826355eae9ef0e96d476edf307d54046 SHA256 hashes: 12bd362291f72f2c2e7756742b7377549d13d5bf231455d23ef250c5bdf18121 57b17ab692375358c25c34caf15c1f0b4705a67ea5bedbd852fdec393a40eac0 66db29d5f893e6629dacd2a8097643fac25e67f707399b0b72e41506c164886b 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b [SHA256 of the single character "1"; not sample-specific] 6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e [the analysed sample] 72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9 bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 [SHA256 of empty input; not sample-specific] SSDEEP hashes: 192:8wUOJGqwAf5CBbXuQuxs0B8HX64MnENxUyrTEAsr9jQ0uwm/CgGZYySo0nbSRNNo:8wUOJGqwARCBbXxss0B8364MnENxUyr3 24:WM83yV+ty+ZcnPZcMGcZcFc7Vc4vcEvcXc6c4ncSZncJ5S+Z+Wz+q:BSy8PiPiMLim64EEEM34cYcJ5lgDq 24:WM83yV+ty+qXlIZXxf/DXdQXPZX3X6S+Z+Wz+q:BSy8PilIhNTWPhn6lgDq 3072:Dg+cIZ071HOQBVJ7nxCtGcH8C3fVJ9YTT4pIAFxoftxqKudFAV8cw7OJO4:DgVN1HOQjJ7xCtGcH8OP98T4pZxirju+ [the analysed sample] 384:yEsbArBxxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5F03+oYG 3:: [empty file; not sample-specific] 3:U:U [appears to be a trivially small file; not useful for matching] 6:AkAh+BIHgVooT4WY/fWgJDIQlLJobNDHHAIQlLJobNDjPhn23fobAd9:Q+BIASL/fXJobRneJobRj0o49 [Note: exclude the values marked "not sample-specific" before loading these lists into blocklists or hunting queries; they match any empty file or any file containing only "1" and will produce false positives.]