Malware Analysis Report

2025-01-03 06:33

Sample ID 230819-mbcs1saf2y
Target 37ae53ead74452038b0c77abd3302258.exe
SHA256 ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360
Tags
asyncrat fabookie lokibot lumma redline stormkitty vidar 980843ac508a7fe8f556d42e4c5cfb54 default infostealer rat spyware stealer trojan 6ba937c4f557f3e5e256c94548f72a29 aspackv2 evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360

Threat Level: Known bad

The file 37ae53ead74452038b0c77abd3302258.exe was found to be: Known bad.

Malicious Activity Summary

StormKitty

Fabookie

StormKitty payload

RedLine

Lokibot

Detect Fabookie payload

Lumma Stealer

AsyncRat

Vidar

Async RAT payload

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

ASPack v2.12-2.42

Reads user/profile data of web browsers

Reads data files stored by FTP clients

.NET Reactor protector

Reads user/profile data of local email clients

Uses the VBS compiler for execution

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Gathers network information

Modifies registry class

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-19 10:17

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-19 10:17

Reported

2023-08-19 10:19

Platform

win7-20230712-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

Signatures

AsyncRat

rat asyncrat

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Lokibot

trojan spyware stealer lokibot

Lumma Stealer

stealer lumma

RedLine

infostealer redline

StormKitty

stealer stormkitty

StormKitty payload

Vidar

stealer vidar

Async RAT payload

rat

Downloads MZ/PE file

.NET Reactor protector

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 312 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 312 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 312 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 312 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 312 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1660 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1660 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 312 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 312 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 312 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1500 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 312 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 312 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 1828 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 96

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CwcZttCoAu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CwcZttCoAu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 776

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe"

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe"

C:\Users\Admin\AppData\Local\Temp\tmp8AD3.exe

"C:\Users\Admin\AppData\Local\Temp\tmp8AD3.exe"

C:\Users\Admin\AppData\Local\Temp\tmp88DF.exe

"C:\Users\Admin\AppData\Local\Temp\tmp88DF.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 88

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 592

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 592

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe"

Network

Files

memory/312-54-0x00000000011B0000-0x00000000011B8000-memory.dmp

memory/312-55-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/312-56-0x000000001A640000-0x000000001A6C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA2E6.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarA346.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 006667191f1b2b04e3fb0a2d38d789e0
SHA1 e6a302ee4706d3d1e419146c3ae2d4ba3dd3854f
SHA256 f422f73ee1f1f5d1a31181d93384c7a81527c71cb95c04a6bd8b5859f9dae942
SHA512 ccf8b8291da70656b3b129b595d6722869946c9ce045f34f26665493a6e0e5048427b5273291b68535ee6768632ef1e147d5c8ad9028a2673ec8333f1d548f05

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 006667191f1b2b04e3fb0a2d38d789e0
SHA1 e6a302ee4706d3d1e419146c3ae2d4ba3dd3854f
SHA256 f422f73ee1f1f5d1a31181d93384c7a81527c71cb95c04a6bd8b5859f9dae942
SHA512 ccf8b8291da70656b3b129b595d6722869946c9ce045f34f26665493a6e0e5048427b5273291b68535ee6768632ef1e147d5c8ad9028a2673ec8333f1d548f05

memory/3008-132-0x00000000FF9B0000-0x00000000FFA52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 006667191f1b2b04e3fb0a2d38d789e0
SHA1 e6a302ee4706d3d1e419146c3ae2d4ba3dd3854f
SHA256 f422f73ee1f1f5d1a31181d93384c7a81527c71cb95c04a6bd8b5859f9dae942
SHA512 ccf8b8291da70656b3b129b595d6722869946c9ce045f34f26665493a6e0e5048427b5273291b68535ee6768632ef1e147d5c8ad9028a2673ec8333f1d548f05

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/1660-138-0x0000000000230000-0x000000000044D000-memory.dmp

memory/312-139-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1660-140-0x0000000000230000-0x000000000044D000-memory.dmp

memory/312-141-0x000000001A640000-0x000000001A6C0000-memory.dmp

memory/2972-142-0x00000000018E0000-0x000000000191B000-memory.dmp

memory/2972-143-0x0000000001970000-0x00000000019D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

memory/2972-148-0x0000000000400000-0x00000000018D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

memory/2704-155-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2704-157-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2704-161-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2704-163-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2704-164-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1908-166-0x0000000000C30000-0x0000000000CDC000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8d31fff348a86c4345baff26ddd0df4
SHA1 bd7c463ce2e9c9f6042f757c6dba18ae4f48e0e1
SHA256 38b649738ba3db6e4de68c6857c1cf316a35e39cae66f139bc05e57d0ed97d95
SHA512 fd184c8f648dd637ac2f15a177ad6e9d98189b93e9ec6f1a6319d769dcad6e47601dbe588ee8865612bea2540d83d6f32c8df25fae01d45faeef894faf4fe5ca

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/1716-194-0x0000000000BA0000-0x0000000000D10000-memory.dmp

memory/2704-204-0x0000000073BB0000-0x000000007429E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

memory/1716-254-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

memory/1828-300-0x0000000073BB0000-0x000000007429E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HSTART.bat

MD5 ab3271d2afead00384bba13936b3ddc7
SHA1 eda089e784e20a0ff1a3a280fe65e7968b777f6a
SHA256 44cce1bb374c63af3cb70ba836f0d68e1e57b294b6a9635530127574d72a39e3
SHA512 4d0f8a87ba4f531c53aa30573300b1d1708df9cd7ac2b700be7b8973f43c68c7df4abc421f2bec6f851476086b25d0bafdb7be12c54c99d9fbcbcadeec8c1bf1

memory/1828-307-0x0000000000D20000-0x0000000000E74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HSTART.bat

MD5 ab3271d2afead00384bba13936b3ddc7
SHA1 eda089e784e20a0ff1a3a280fe65e7968b777f6a
SHA256 44cce1bb374c63af3cb70ba836f0d68e1e57b294b6a9635530127574d72a39e3
SHA512 4d0f8a87ba4f531c53aa30573300b1d1708df9cd7ac2b700be7b8973f43c68c7df4abc421f2bec6f851476086b25d0bafdb7be12c54c99d9fbcbcadeec8c1bf1

memory/2704-322-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/1716-327-0x000000001B060000-0x000000001B0E0000-memory.dmp

memory/2972-332-0x0000000000400000-0x00000000018D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 7cfc2520e8fd8a455538e88efa9f9357
SHA1 bb2b84d305cb6a72444c65ffcce02471cdf1c445
SHA256 2c1a810322fcdb4d5247df6da01e30c5c670b122498f3c6a4bcaaf1fe14dd1fc
SHA512 27dbf95b40cd8fbc5dc4aac09c9eb704253a1e87948215b98f72427701dc7c8c1763eb80919ab5db321d63d556bdb5d6c89c1fa807b6f6d6120f7aceef9b3a68

memory/2972-337-0x0000000001970000-0x00000000019D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 7cfc2520e8fd8a455538e88efa9f9357
SHA1 bb2b84d305cb6a72444c65ffcce02471cdf1c445
SHA256 2c1a810322fcdb4d5247df6da01e30c5c670b122498f3c6a4bcaaf1fe14dd1fc
SHA512 27dbf95b40cd8fbc5dc4aac09c9eb704253a1e87948215b98f72427701dc7c8c1763eb80919ab5db321d63d556bdb5d6c89c1fa807b6f6d6120f7aceef9b3a68

memory/3008-339-0x00000000032F0000-0x0000000003461000-memory.dmp

memory/3008-340-0x0000000003470000-0x00000000035A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

MD5 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e
SHA1 25415858c21fc5b62cdba919ce1e13d35dfcfd46
SHA256 c90bb9ff7894af79b5f98b328712d1d8817d8e941b1cf70805706902ed5a6457
SHA512 ecec24d74eb3728037ebf169867545697d2d43e19a925bf92a7011d0f4df47a88465b4afbaddf76213cadb8cb5e6271e4d19dbf9d06e7c21b4a6693fe5f81d8e

memory/2652-351-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2652-352-0x00000000001B0000-0x00000000001CB000-memory.dmp

memory/2652-353-0x0000000000400000-0x00000000022E7000-memory.dmp

memory/2704-354-0x0000000073BB0000-0x000000007429E000-memory.dmp

memory/2676-355-0x00000000001B0000-0x00000000001C5000-memory.dmp

memory/2676-357-0x00000000001D0000-0x00000000001EB000-memory.dmp

memory/2676-358-0x0000000000400000-0x00000000018B7000-memory.dmp

memory/1716-359-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1828-360-0x0000000073BB0000-0x000000007429E000-memory.dmp

memory/2704-361-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/1716-362-0x000000001B060000-0x000000001B0E0000-memory.dmp

memory/1908-363-0x0000000000720000-0x0000000000732000-memory.dmp

memory/1828-367-0x0000000000280000-0x000000000029C000-memory.dmp

memory/1828-377-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-378-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-383-0x0000000000280000-0x0000000000295000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-377084978-2088738870-2818360375-1000\0f5007522459c86e95ffcc62f32308f1_2adee1ad-2a99-4d45-8cbe-92640edff60b

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Local\Temp\7413374368\dashost (3).exe

MD5 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e
SHA1 25415858c21fc5b62cdba919ce1e13d35dfcfd46
SHA256 c90bb9ff7894af79b5f98b328712d1d8817d8e941b1cf70805706902ed5a6457
SHA512 ecec24d74eb3728037ebf169867545697d2d43e19a925bf92a7011d0f4df47a88465b4afbaddf76213cadb8cb5e6271e4d19dbf9d06e7c21b4a6693fe5f81d8e

memory/1828-389-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-391-0x0000000000280000-0x0000000000295000-memory.dmp

memory/3008-394-0x0000000003470000-0x00000000035A1000-memory.dmp

memory/1828-396-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-398-0x0000000000280000-0x0000000000295000-memory.dmp

memory/2972-399-0x0000000000400000-0x00000000018D9000-memory.dmp

memory/1828-403-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-407-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-409-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-405-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-401-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1828-393-0x0000000000280000-0x0000000000295000-memory.dmp

memory/2652-411-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1828-410-0x0000000002370000-0x00000000023B0000-memory.dmp

memory/2652-412-0x0000000000400000-0x00000000022E7000-memory.dmp

memory/1828-413-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1340-414-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-415-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-416-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-418-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1716-420-0x00000000002E0000-0x00000000002E6000-memory.dmp

memory/1340-421-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-423-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1340-425-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-427-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1340-428-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1716-429-0x00000000002F0000-0x000000000030A000-memory.dmp

memory/1828-430-0x0000000073BB0000-0x000000007429E000-memory.dmp

memory/1716-431-0x000000001B3C0000-0x000000001B526000-memory.dmp

memory/2384-432-0x0000000000400000-0x000000000068E000-memory.dmp

memory/2384-433-0x0000000000400000-0x000000000068E000-memory.dmp

memory/1716-434-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/2704-435-0x0000000073BB0000-0x000000007429E000-memory.dmp

memory/1340-436-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1908-437-0x0000000000890000-0x000000000089E000-memory.dmp

memory/1908-438-0x0000000005340000-0x00000000053BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\CwcZttCoAu.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp

MD5 bd7bb629614bcae96ced4a410b429288
SHA1 f5f6c66cfd272e1ae4e2d6d8e1eaab296529a71e
SHA256 97107a1a336076b59391db6716c458f765861eb58a0f633bc5b85d86e832d0e2
SHA512 ef70f0598908ea00a15c23d5254aaa4c9c81862e1881c3d7774cc17ffdb4a6b603f2bf8208d4230f62963091af554ce1e11012dfdedf3eff2050089074605aa2

\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

memory/2056-457-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2056-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2056-461-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2056-463-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2056-465-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2056-467-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

memory/2056-470-0x0000000000400000-0x0000000000442000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

memory/2056-476-0x0000000000400000-0x0000000000442000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

memory/2424-477-0x000000006BF80000-0x000000006C52B000-memory.dmp

memory/2424-478-0x0000000002750000-0x0000000002790000-memory.dmp

memory/2424-479-0x000000006BF80000-0x000000006C52B000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

memory/2696-497-0x0000000072E20000-0x000000007350E000-memory.dmp

memory/2696-498-0x0000000001310000-0x0000000001416000-memory.dmp

memory/2696-499-0x0000000004D00000-0x0000000004D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

memory/2104-507-0x0000000072E20000-0x000000007350E000-memory.dmp

memory/2104-506-0x00000000011F0000-0x0000000001222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

memory/2104-508-0x00000000009B0000-0x00000000009F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

memory/1560-521-0x00000000052E0000-0x00000000055FC000-memory.dmp

memory/1560-522-0x0000000072E20000-0x000000007350E000-memory.dmp

memory/1560-523-0x0000000004F80000-0x0000000004FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6015017ac2b8d7878a1f295c6323b369
SHA1 81231d7bcac8bc5a7e23091d706fa846d7c51569
SHA256 23f079c637b44c1456a0c6b8a5215f5ac8b9ab789a17b704d9df868e76b706b7
SHA512 fff4b82d11e866bd9ed0a708287cd74315daf06de901202de443b0c4b0210f0ec6d47a0def9a1c447aeae91ad9fecb22609fb98f44ad5c083267f88020c2bbab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 77df55a678957c5eb3d886c38bd0b54e
SHA1 715c25570a31b82df5a37fc25e94ea1690ae085c
SHA256 0a09d5461de510cf33cf77af1c124e9ccb6e8cfa872cb8b7e7e1f7a54318853c
SHA512 39c179dda9bddc2dfefea8c94a7784b01e7b2923cd07900d30ca322fef18747d97a71cd5ff662983ed096ebb9fadad5e5fe5d9f26b7b6b899477e0662f2bb0e5

C:\Users\Admin\AppData\Local\12a99a9d4ff292170cacb7c1967eb17d\Admin@DSWJWADP_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

MD5 328064b232879fe34864e9c6d88608ed
SHA1 728e0cb8b0a79b883bac76fb9913979962670708
SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA512 46b673b5d8f0aff18dd54ed69e7750796dab732bf8cae6ff1068b61e72c736d0cdc2f19e705dd9d447c69d8a00a66987125dddaf51717d777fb18e20c95f14dc

C:\Users\Admin\AppData\Local\Temp\tmp8AD3.exe

MD5 9cb45aca895fc9e3d6451eee3bcef501
SHA1 119318ffad9c90e63731cedc5155e98dfcf2e091
SHA256 c207f664b3f807f6639c5dbd0e3fc24dba025097aa40a4b8a40b6c988da4599b
SHA512 1b292c999d6cb8bfd0d40e76e8295d25f62f336fae92e011ed7294934f4b980974bcbefb75bdb3f6d3e8ee16f15ca4c5ad6303ba8579bceb101bef1b424f132a

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

MD5 86ee347279e32641070f69e669ec98e2
SHA1 b4635032cee3fd5da08d630159a254d2ed7a51fa
SHA256 63af1bc6256086131314311b5908c85399b95dda6c4c6e84c8d77bd1b4d1fc43
SHA512 8f1a2acb0df585423bf8d9c8d3b550198e5eb5ca448649f22a75ba6e04000cc8e4271949e54a10dc6e666367ac273c1d841aad87f11eff1a55aafee550a83927

C:\Users\Admin\AppData\Local\Temp\gdi4wz.zip

MD5 910ae9fbda13a82f9410303b653fe0c6
SHA1 3de02829408f5320b01e4209c79cf4a9d45cde86
SHA256 11ba415b7e3b91c4587dc73bec82caf92f62724d0e49782151e7764acca43cb5
SHA512 a7564409603dec6184920aed608024db319e8548b872a022eecd91501c12da2fde5fab5b6ce6772f1ba5724cce9151ce79214bed5cb3b13d39e5e9ea254e51b0

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

MD5 c8e60225448e9cda23b291b6b16bf78b
SHA1 b4bf689c839ab7bf8bb337b66765580c0271c14d
SHA256 b71880c437249e1aae73ab4f9a2377e435ce8e13b8ca2ada12c2019428c50cc0
SHA512 fbac3dbebeac05f866ac430a939a583314c3122eebbfa576725d5b7ae16708d6fbabe929df556032b0ec5ac65026579977909affd85cc818b06e0781f73184bc

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 aa618dbade57a9abadc9bf372233b35c
SHA1 4080e1aa6578698a6d60fee98c90b4d16559b5e6
SHA256 81fd1292a0426abe44b117f8f324dd33bd5710f9e5286d95d8bec8b01862e4dd
SHA512 253e37cc58ed4b05e03a4e551cce3a8ead7922e9aa3c718e2f5c45ddd7205102a02b8173e5c997157f442f0609647989cd27219f1bdc1ecf4221bc4692fe666f

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

MD5 b81f2946e63104b1578af5bfea8a4ba1
SHA1 c02ad7edee61bb533160cb72a7571123efa5e7e2
SHA256 a2e68b85a5510b066a9f5c7c25129ea35cf54b0cbe004189fe5dfd7528e14301
SHA512 455ae669fc41e985f8019acadc657f38727382fb3df8e79ee585616da765293d5ff0eee2804f899536a4d5dbd38b938afafa438b9805f75aac9409901d341f2e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-377084978-2088738870-2818360375-1000\0f5007522459c86e95ffcc62f32308f1_2adee1ad-2a99-4d45-8cbe-92640edff60b

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-19 10:17

Reported

2023-08-19 10:19

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

Signatures

AsyncRat

rat asyncrat

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Lokibot

trojan spyware stealer lokibot

Lumma Stealer

stealer lumma

RedLine

infostealer redline

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3896 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 3896 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 3896 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 3896 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 3896 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 3896 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 3896 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 3896 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 3896 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 3896 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 3896 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 3896 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 3896 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 3896 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 3896 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 3896 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 3896 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 3896 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 3896 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 3896 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 3896 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 3896 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 4236 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4236 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4236 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4236 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1656 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 3896 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 3896 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 3896 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 3896 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 3896 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 3784 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3764 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 3764 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 3764 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
PID 3764 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
PID 3764 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
PID 3764 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
PID 3764 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 3764 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 3764 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
PID 3764 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
PID 3764 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
PID 3764 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
PID 3764 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
PID 3764 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
PID 3764 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
PID 3764 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
PID 3764 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 3764 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 3764 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 3764 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
PID 3764 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
PID 3764 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
PID 3764 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
PID 3764 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3764 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 276

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4236 -ip 4236

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuU.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4840 -ip 4840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&U.exe"'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&O.exe"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CwcZttCoAu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CwcZttCoAu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic computersystem where name="MSXGLQPS" set AutomaticManagedPagefile=False

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe"

C:\Users\Admin\AppData\Local\Temp\U&U.exe

"U&U.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "U&U" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe" /F

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1148 -ip 1148

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe"

C:\Users\Admin\AppData\Local\Temp\tmp3222.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3222.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe"

C:\Users\Admin\AppData\Local\Temp\tmp3CF1.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3CF1.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1784 -ip 1784

C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 308

C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe" & exit

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 576 -p 2756 -ip 2756

C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1756 -ip 1756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\anyarchitect.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\anyarchitect.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 272

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2756 -s 1016

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2236 -ip 2236

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4 (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4 (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1816 -ip 1816

C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 2296

C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4496 -ip 4496

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 576 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1760

Network


Files


memory/3764-349-0x00007FFEF4B20000-0x00007FFEF55E1000-memory.dmp

memory/4824-348-0x00000000018A0000-0x00000000018B5000-memory.dmp

memory/2980-352-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

memory/4824-354-0x00000000018A0000-0x00000000018B5000-memory.dmp

memory/4824-355-0x00000000018F0000-0x00000000018F1000-memory.dmp

memory/1476-356-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1388-357-0x0000000003230000-0x0000000003361000-memory.dmp

memory/4824-351-0x00000000018A0000-0x00000000018B5000-memory.dmp

memory/1476-358-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1476-360-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1476-361-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4824-362-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/220-363-0x00000000044F0000-0x0000000004526000-memory.dmp

memory/220-364-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/220-365-0x0000000004680000-0x0000000004690000-memory.dmp

memory/220-366-0x0000000004680000-0x0000000004690000-memory.dmp

memory/220-367-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/220-368-0x0000000004AE0000-0x0000000004B02000-memory.dmp

memory/220-369-0x00000000052F0000-0x0000000005356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nh5vqliy.lnn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/220-379-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

memory/3408-382-0x0000000073FB0000-0x0000000074760000-memory.dmp

memory/1476-383-0x0000000000400000-0x0000000000464000-memory.dmp

memory/920-384-0x0000000000400000-0x00000000018B7000-memory.dmp

memory/220-387-0x0000000073FB0000-0x0000000074760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 00f5d6dae7e4349076035141c8033b8f
SHA1 54391d99edc3c70aea5e14924cb6ec95b1ad17c0
SHA256 3709f8b5a6cafa5f1265c66433e353d021ebb0663275c2498cfb3c1a7b2a0d5d
SHA512 d9d0ab0c0f55c6d513eb722cc7e8fa92dc9ec4753dc9e9591124e33458e9ac85a4cb76c43b9cee1cc23ecf4422367f341afed3c8f8715c96ebbe5156b8354268

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94cef75f621c395aea0840802f7277e0
SHA1 a48d39ee234ba2c75053765778ac8f1a8f571e44
SHA256 670aee988b7a019427ce155dafc5b0acb23b78b8256e2682dae3eccd1009f219
SHA512 95c50df2c6972946086d7b259f508cf0707c0e693f60f2ac1adb4ca9a2d759a4b20dffbd4a89fbe3ea4369b235a104697d52831bb89adc4e788bc528a3ddb1f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0637a28cba1141ef9479e2423928cb0
SHA1 96eefee6ba8e5cf7ee47d8a97529411d659efbf0
SHA256 8399d9938140cb65c8deb6280e4c6dc39ed1be795e6a546a6cdddcd1cf572da8
SHA512 9255217f4e7897fa4f7f2f20735f1876b33dbeddc83535cd6ac6cdc9597945955f74875778a5912182fca4aaf8308c37d467d3d64eb3ee28f4cd128ae7ba59a5

C:\Users\Admin\AppData\Local\Temp\Add.ps1

MD5 4290d15a8274e0f8a8500079730b3ccd
SHA1 40399f9217a00212a12a1d5f4880bcabd687ccb2
SHA256 93274ad71a934997fffe81a63eba67d4521ab4193c53d7c4f9933a3262adfcc4
SHA512 07965b428633805a7f51cf29b32df1538a1edfdc6643a395c4ba0d8a5e4ce8254f442d4b7db5e52cfae1d65257326beb189c881c3909f97277bca9695b697d67

C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp

MD5 b27354594d2b7dd12be15399cb6e4d4f
SHA1 203abd91f7674c66c3cd31f8dad6ddaaac8a795d
SHA256 bb6f1116224690d2cc44c5355f845f3604c03cc03c1be98b890c9414fff91bf1
SHA512 d37b3d82baa7b1b813b6abc88b713d990b0335a44c961fd83beafeb6ce6764b9c5808c244181e74166b188b2c5c4b4117820fb357f84a4faab302c6a2104f0a0

memory/1244-468-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

MD5 e092af3320c668d973ca003e7ecc387f
SHA1 93505578ef679ae9ba85e4369fe2d3b9404e22fe
SHA256 5b55637a26181e3420983b78038cedc5b9f3b10ac3cf0b904c6f9195f3b28baa
SHA512 8c156369576652b9016cc8247af9e29ce13028d28142c797d324bb82a0eb0e33626c9d7a6f9cc59e7a41b99c86af2aa790ee34a2d605df124970bd14c655970a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ae910bfe85649452fd16b44b92ef23c6
SHA1 be5d7ec06b61952b0758b68f948d86a7a7e335b0
SHA256 1c4eddc8fe8ebc3ac92b7043bb924461c3c5076e570f10e78f40077c1a055d04
SHA512 cbf6036f0269dda4deab2ca260b8c8723d96b5d28178cb30f919a249be58cd2e31c2484959aaf271e2da8708ab164a7344181b3b257dcaddd6cd5cd28fb5d903

C:\Users\Admin\AppData\Local\Temp\U&U.exe

MD5 d00341a71196dbf6965ef54691a4621d
SHA1 fa1b7720bccf0f83c33f61184d6cbbb3c39c8408
SHA256 17ce2fc03033721d53a73504afb7094d707b9bfadbd292ba6f39a7626c4d2044
SHA512 dc24ce59001f58f8df4cc25de0394fd48b25a468ca520600e385f36970850842aa6e0aa292b4a5c19ad8e01223523a6d342633bab411c8a697a8c5892c2988af

C:\Users\Admin\AppData\Local\Temp\U&U.exe

MD5 d00341a71196dbf6965ef54691a4621d
SHA1 fa1b7720bccf0f83c33f61184d6cbbb3c39c8408
SHA256 17ce2fc03033721d53a73504afb7094d707b9bfadbd292ba6f39a7626c4d2044
SHA512 dc24ce59001f58f8df4cc25de0394fd48b25a468ca520600e385f36970850842aa6e0aa292b4a5c19ad8e01223523a6d342633bab411c8a697a8c5892c2988af

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

memory/3144-570-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-571-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-573-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-575-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-578-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-580-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-586-0x0000000005080000-0x0000000005395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

memory/3144-596-0x0000000005080000-0x0000000005395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

memory/3144-598-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-600-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-603-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-605-0x0000000005080000-0x0000000005395000-memory.dmp

memory/3144-609-0x0000000005080000-0x0000000005395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4176143399-3250363947-192774652-1000\0f5007522459c86e95ffcc62f32308f1_a45f701b-5010-437a-b6fa-20e6d38f067d

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\78a681b7645586e0ea371e717c08fac3\Admin@MSXGLQPS_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

MD5 328064b232879fe34864e9c6d88608ed
SHA1 728e0cb8b0a79b883bac76fb9913979962670708
SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA512 46b673b5d8f0aff18dd54ed69e7750796dab732bf8cae6ff1068b61e72c736d0cdc2f19e705dd9d447c69d8a00a66987125dddaf51717d777fb18e20c95f14dc

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

MD5 328064b232879fe34864e9c6d88608ed
SHA1 728e0cb8b0a79b883bac76fb9913979962670708
SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA512 46b673b5d8f0aff18dd54ed69e7750796dab732bf8cae6ff1068b61e72c736d0cdc2f19e705dd9d447c69d8a00a66987125dddaf51717d777fb18e20c95f14dc

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

MD5 328064b232879fe34864e9c6d88608ed
SHA1 728e0cb8b0a79b883bac76fb9913979962670708
SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA512 46b673b5d8f0aff18dd54ed69e7750796dab732bf8cae6ff1068b61e72c736d0cdc2f19e705dd9d447c69d8a00a66987125dddaf51717d777fb18e20c95f14dc

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

MD5 fdb650f759c72c4d408a4da61096ac29
SHA1 716e5c1b39859939e96e2e2c9c22fc930c704f59
SHA256 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
SHA512 9bb0b8086003319be32405dda2bcb36c0f73c8053e088f3bd80dec63ac672c97e26e3e5df2f746f530cf7e36cd7a33e02b31432b89ade0bb4030bafb1c32dc38

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

MD5 fdb650f759c72c4d408a4da61096ac29
SHA1 716e5c1b39859939e96e2e2c9c22fc930c704f59
SHA256 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
SHA512 9bb0b8086003319be32405dda2bcb36c0f73c8053e088f3bd80dec63ac672c97e26e3e5df2f746f530cf7e36cd7a33e02b31432b89ade0bb4030bafb1c32dc38

C:\Users\Admin\AppData\Local\Temp\tmp3222.exe

MD5 e0a8661ae16ed665f76508965aa74f07
SHA1 7fd8a3d6a3ccf4731f3312cb5327be7723275608
SHA256 2af681a9a436799fdcd06924033517f84b631261541d8c07429e27d9323f4f4a
SHA512 88e2f432ae1ac885b246432e30bc430dd5ac2fca9eb3c9e274bc0f72f2aa6d2a5edcfc9c1b751dd1e1ccdaea7b3c7586a5d95eb9df2c91744e2caa7cff494806

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe

MD5 cb38f35ebcddff1cb735acad8b65096e
SHA1 b005e60a82d606a7e73c1f01782962a655fb97e9
SHA256 adf4ca6996042eb10e2cb46b72dd67d5640e30c945b90e9adc8f627330f8690c
SHA512 ce4763ac5f955e5b920b4889869b3b942d02032d6192a61803f74012671a595659af32f1691c478b6f0b3851e531a4c1751c61c27906f6af1ed2adcddae913b9

C:\Users\Admin\AppData\Local\Temp\tmp3CF1.exe

MD5 9cb45aca895fc9e3d6451eee3bcef501
SHA1 119318ffad9c90e63731cedc5155e98dfcf2e091
SHA256 c207f664b3f807f6639c5dbd0e3fc24dba025097aa40a4b8a40b6c988da4599b
SHA512 1b292c999d6cb8bfd0d40e76e8295d25f62f336fae92e011ed7294934f4b980974bcbefb75bdb3f6d3e8ee16f15ca4c5ad6303ba8579bceb101bef1b424f132a

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe

MD5 1188a953c9f36b374ca3714c9de1763e
SHA1 8ed3947a1e45f67263327a020035765965951949
SHA256 20d45ab8062d59db6229e293a604f37e2760519894d07380288f0f8f5e2b5c95
SHA512 61a856720237b95295d4bafe295bea107d7bede4b0f498c43c6d344af1483ddb788d7431f08451e86bb6c8e60a74beb9e7fdaa831b6405b3a5fe3f460ca5213c

C:\ProgramData\65921734873441698955785294

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

MD5 86ee347279e32641070f69e669ec98e2
SHA1 b4635032cee3fd5da08d630159a254d2ed7a51fa
SHA256 63af1bc6256086131314311b5908c85399b95dda6c4c6e84c8d77bd1b4d1fc43
SHA512 8f1a2acb0df585423bf8d9c8d3b550198e5eb5ca448649f22a75ba6e04000cc8e4271949e54a10dc6e666367ac273c1d841aad87f11eff1a55aafee550a83927

C:\ProgramData\37842497015533633782387473

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

MD5 c8e60225448e9cda23b291b6b16bf78b
SHA1 b4bf689c839ab7bf8bb337b66765580c0271c14d
SHA256 b71880c437249e1aae73ab4f9a2377e435ce8e13b8ca2ada12c2019428c50cc0
SHA512 fbac3dbebeac05f866ac430a939a583314c3122eebbfa576725d5b7ae16708d6fbabe929df556032b0ec5ac65026579977909affd85cc818b06e0781f73184bc

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

MD5 6883cac79bf32bc71e629099e4108c7b
SHA1 26f5dc337a34f733ac348115731df541138307d7
SHA256 2450a79857b2d97653db25698bc2a902d58087d4bd25b1ebd743fc13b84f8a5f
SHA512 f8a7223c414002bd0f54a505b37fda0d95ec45ff0c8cabcdf8c481c050dfc342b3bb0b8eb81e0171c4067a56e2236547f58e32525c3ee6188854d84c69d99a64

C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe

MD5 ea574dde100b38b040b422c37ef6814b
SHA1 e29a978f7c4c225d37ddc87a2a0ba82d23eb99ba
SHA256 696b6607853c35bf80ba50b4784cf28234686f6152750c5ed42c6596ea3f8775
SHA512 b1f0d8aa87c364485fa86fe88c50d982300627f2c354280c29e3ad9a0eda6d39550e3699ad132fc67533ee56984b0ff567694e4fe7ec6d287e72b03e80428697

C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe

MD5 e93d755480c85eed3031653a3ed477c9
SHA1 16589af8e8786300063d1ed5badff8ff03303e3e
SHA256 30175a4cdae27076cabcb5eb7106779cadc47113ef17a7b67d0e02aa840072e0
SHA512 9e1ae658163e2af1ff73c83b62d6945bdede05b95d23869d9d54cea64ef91bb839b2ef1b76f7c14a01b7ed1fcc7f364fee7e4023336b8f1ea8a78d724532f67e

C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe

MD5 d60926cbe4de77584ee8e5f7b8268909
SHA1 04bb41d8317fc1af66ddaf8bbb92d1538d867199
SHA256 4412a658ff8b5e5c1048703b9307e62e7565834d1eaa5e0ad8db96ee72f9b162
SHA512 5a0695a85c24dd173923efc15d1ac5b95d984ee78d3383384f22cf2c33ff2fa792dd5fda92901bac50a7a0d485a7d2d151050b3cada0202ec0c1c5bda108b3e5

C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe

MD5 7f84503a1a12b3edb0da052aad05e49c
SHA1 15610b7896b980e913c07fa808ef89bf01853c32
SHA256 3454a03a003a23385521dae0e13fbe65211a9e9c590022dc906da7085ca71244
SHA512 6671ba8e5c64a593b0cefb5f46c23f608abe182e598972847c2a952d558ba3782d15bf26cb89b7671d523c886908759061e9e759433e3e38310401d3ab6a34a1

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b2e91cdd0e1c97efec540f2f60472d94
SHA1 719d6ebb5c0098733ed7acfb99909afe3d9468e2
SHA256 f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
SHA512 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a

C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe

MD5 a76e515e1150c903070a1eb1b2d216c0
SHA1 e747dbe088744a6de47ffcc9072404bfa60545ad
SHA256 a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
SHA512 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30

C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe

MD5 ba2b37ae83f07749c8ae0287d5344c90
SHA1 487daab3d122fc23cdf0c671430df6d46e3d2c56
SHA256 9de15a5c7e9cdefb9a48de4039027de8687838849d9588434564a343d15a9355
SHA512 69019deffd81ad39a28a30a7fc637d3b2f36f7f1146d7b2fe79505d6f9ba5b5437a007506a73c13332554d472883f932686a1b81f5fb64bca55a4b724e08de6a

C:\ProgramData\42257136797479866718454689

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 3aab77f422e7f9bbfcd27cf92dc5be35
SHA1 86b2c375a42310865deb92dd30321a52ce0aacae
SHA256 afe30515e23e0ee5995270c77a39932a1b9cd8ed473d9920970209eaaf466ade
SHA512 1714bd3f24dfe8fdacfb11d0900923d11011a636c4b888fc9f6e19f75165ce1b1df27fd28be13c0d3801f158f30605f99b2334cba6127e0f4d40f6a9d1e516f5

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84