Malware Analysis Report

2025-01-03 06:35

Sample ID 230819-mdd4vsha75
Target 37ae53ead74452038b0c77abd3302258.exe
SHA256 ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360
Tags
fabookie lokibot lumma redline evasion infostealer persistence spyware stealer trojan asyncrat stormkitty vidar 980843ac508a7fe8f556d42e4c5cfb54 default aspackv2 rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360

Threat Level: Known bad

The file 37ae53ead74452038b0c77abd3302258.exe was found to be: Known bad.

Malicious Activity Summary

fabookie lokibot lumma redline evasion infostealer persistence spyware stealer trojan asyncrat stormkitty vidar 980843ac508a7fe8f556d42e4c5cfb54 default aspackv2 rat

Lokibot

AsyncRat

Lumma Stealer

Fabookie

Vidar

Detect Fabookie payload

StormKitty

RedLine

StormKitty payload

Async RAT payload

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

ASPack v2.12-2.42

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Executes dropped EXE

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Delays execution with timeout.exe

Views/modifies file attributes

Modifies system certificate store

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-19 10:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-19 10:20

Reported

2023-08-19 10:23

Platform

win7-20230712-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Lokibot

trojan spyware stealer lokibot

Lumma Stealer

stealer lumma

RedLine

infostealer redline

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U&U = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U&U.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 1180 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 1180 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 1180 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 1180 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 1180 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 1180 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 1180 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 1180 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 1180 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 1180 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 1180 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 1180 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 1180 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 1180 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3032 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 1180 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 3032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 3032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 3032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 3032 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1180 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 1180 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 1180 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 1180 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 1180 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 1180 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 1180 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 1180 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 1180 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 1180 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 1180 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 1180 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 2616 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2616 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2616 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 96

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UuU.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&U.exe"'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&O.exe"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic computersystem where name="KDGGTDCU" set AutomaticManagedPagefile=False

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe"

C:\Users\Admin\AppData\Local\Temp\U&U.exe

"U&U.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "U&U" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CwcZttCoAu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CwcZttCoAu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50AF.tmp"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 www.medichiccenter.com udp
US 104.21.73.191:443 www.medichiccenter.com tcp
RU 193.233.255.9:80 193.233.255.9 tcp
US 8.8.8.8:53 zzz.alie3ksgdd.com udp
US 104.21.54.252:80 zzz.alie3ksgdd.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 192.3.223.26:80 192.3.223.26 tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
VN 103.37.60.77:80 103.37.60.77 tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 gapi-node.io udp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
FI 77.91.68.1:80 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
TR 194.55.224.9:80 194.55.224.9 tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
TR 194.55.224.9:80 194.55.224.9 tcp
US 188.114.96.0:80 gapi-node.io tcp
NL 94.142.138.147:23000 tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 188.114.96.0:80 gapi-node.io tcp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
FI 77.91.68.1:80 tcp
US 8.8.8.8:53 www.logpasta.com udp
NL 188.166.57.133:443 www.logpasta.com tcp
US 8.8.8.8:53 sangfor-udpate.oss-cn-beijing.aliyuncs.com udp
CN 59.110.190.12:443 sangfor-udpate.oss-cn-beijing.aliyuncs.com tcp
TR 194.55.224.9:80 194.55.224.9 tcp
CN 59.110.190.12:443 sangfor-udpate.oss-cn-beijing.aliyuncs.com tcp
TR 194.55.224.9:80 194.55.224.9 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-19 10:20

Reported

2023-08-19 10:23

Platform

win10v2004-20230703-en

Max time kernel

96s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

Signatures

AsyncRat

rat asyncrat

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Lokibot

trojan spyware stealer lokibot

RedLine

infostealer redline

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U&U = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\U&U.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File created C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\U&U.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\U&U.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4428 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 4428 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 4428 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe
PID 4428 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 4428 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 4428 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe
PID 4428 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 4428 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe
PID 4428 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 4428 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 4428 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe
PID 1484 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1484 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1484 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1484 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1484 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4428 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 4428 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 4428 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe
PID 4428 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 4428 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe
PID 4428 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 4428 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 4428 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe
PID 4428 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 4428 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 4428 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe
PID 4892 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 4428 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 4428 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe
PID 4196 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4196 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4196 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4428 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 4428 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 4428 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe
PID 5016 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 5016 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 5016 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
PID 5016 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
PID 5016 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 5016 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 5016 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1000 wrote to memory of 4068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 4068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 4068 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3776 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3776 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe

"C:\Users\Admin\AppData\Local\Temp\37ae53ead74452038b0c77abd3302258.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 288

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1616 -ip 1616

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuU.bat" "

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&U.exe"'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&O.exe"'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe"'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic computersystem where name="YACSFKWT" set AutomaticManagedPagefile=False

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\U&U.exe"

C:\Users\Admin\AppData\Local\Temp\U&U.exe

"U&U.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "U&U" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe" /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CwcZttCoAu.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CwcZttCoAu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ChromeSetup.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe"

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe"

C:\Windows\SysWOW64\WWAHost.exe

"C:\Windows\SysWOW64\WWAHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\tmp4B28.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4B28.exe"

C:\Users\Admin\AppData\Local\Temp\tmp50F6.exe

"C:\Users\Admin\AppData\Local\Temp\tmp50F6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 256

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe"

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3472 -ip 3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 4988

C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 2184

C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 404 -p 1652 -ip 1652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\anyarchitect.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\anyarchitect.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1652 -s 1016

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4 (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4 (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe"

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network


Files

SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Local\eb54a34a6b77d932212b33fa3641a27f\Admin@YACSFKWT_en-US\System\Process.txt

MD5 cee7b8aa1a7ceca99b84f96ac5d9f75e
SHA1 2ff9b3d007d98af68ff02ee00dd3cc4f3d7d0f3d
SHA256 e9c1ed80316264429208f2ebafb4823eb21a8857ee4f1037c98e257d42a49e5a
SHA512 2f4f6cfd35452fda0a3a54047e787ddbcdea81ff3decc80a2e6eae098397a22e10164b5c34894757fd21f4af3b22766392e632f24f30a87f215b54684498b8a8

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

MD5 aa486e83365ae67a5778758685ca4d6f
SHA1 633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256 c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512 e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

MD5 aa486e83365ae67a5778758685ca4d6f
SHA1 633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256 c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512 e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

MD5 aa486e83365ae67a5778758685ca4d6f
SHA1 633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256 c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512 e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 73a905e0e421e21f1ac899f13ffbff05
SHA1 af4beffe5df3cbe71cbc7fe4e4d91a5d24dab369
SHA256 ad79217dc98d23b4c3e99fe39b7a554671c5d13b2ea29a2013f8f86b2d904a07
SHA512 b1f83c4fbd73754a93f258e8362413d3ed85d5515d308392f1a3d1fdee56fe5e43fcc5b99427aa293074bb8579f950c21f38f621fddc88a9c4764057709e8025

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

MD5 452b07503337e7e73c5ed974dc99eef2
SHA1 0e5124958691add440b1b10d96ad6c1c019fed54
SHA256 5f1cd5ec515101dedf44163e38edf6a74526fa8c62257823acfc54a61d38914a
SHA512 471337f15b16319a75063bad66c9d4a47c3be1265303b7a2a23776a9aeb5577cea1d0613c93bc96b3f399f900e6558046f741307ea69b96659423f3b24b6d77a

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\7413374368\build666.exe

MD5 328064b232879fe34864e9c6d88608ed
SHA1 728e0cb8b0a79b883bac76fb9913979962670708
SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA512 46b673b5d8f0aff18dd54ed69e7750796dab732bf8cae6ff1068b61e72c736d0cdc2f19e705dd9d447c69d8a00a66987125dddaf51717d777fb18e20c95f14dc

C:\Users\Admin\AppData\Local\Temp\7413374368\32.exe

MD5 fdb650f759c72c4d408a4da61096ac29
SHA1 716e5c1b39859939e96e2e2c9c22fc930c704f59
SHA256 38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
SHA512 9bb0b8086003319be32405dda2bcb36c0f73c8053e088f3bd80dec63ac672c97e26e3e5df2f746f530cf7e36cd7a33e02b31432b89ade0bb4030bafb1c32dc38

C:\Users\Admin\AppData\Local\Temp\tmp4B28.exe

MD5 e0a8661ae16ed665f76508965aa74f07
SHA1 7fd8a3d6a3ccf4731f3312cb5327be7723275608
SHA256 2af681a9a436799fdcd06924033517f84b631261541d8c07429e27d9323f4f4a
SHA512 88e2f432ae1ac885b246432e30bc430dd5ac2fca9eb3c9e274bc0f72f2aa6d2a5edcfc9c1b751dd1e1ccdaea7b3c7586a5d95eb9df2c91744e2caa7cff494806

C:\ProgramData\63984284381727607243552465

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp50F6.exe

MD5 9cb45aca895fc9e3d6451eee3bcef501
SHA1 119318ffad9c90e63731cedc5155e98dfcf2e091
SHA256 c207f664b3f807f6639c5dbd0e3fc24dba025097aa40a4b8a40b6c988da4599b
SHA512 1b292c999d6cb8bfd0d40e76e8295d25f62f336fae92e011ed7294934f4b980974bcbefb75bdb3f6d3e8ee16f15ca4c5ad6303ba8579bceb101bef1b424f132a

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (3).exe

MD5 cb38f35ebcddff1cb735acad8b65096e
SHA1 b005e60a82d606a7e73c1f01782962a655fb97e9
SHA256 adf4ca6996042eb10e2cb46b72dd67d5640e30c945b90e9adc8f627330f8690c
SHA512 ce4763ac5f955e5b920b4889869b3b942d02032d6192a61803f74012671a595659af32f1691c478b6f0b3851e531a4c1751c61c27906f6af1ed2adcddae913b9

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (4).exe

MD5 1188a953c9f36b374ca3714c9de1763e
SHA1 8ed3947a1e45f67263327a020035765965951949
SHA256 20d45ab8062d59db6229e293a604f37e2760519894d07380288f0f8f5e2b5c95
SHA512 61a856720237b95295d4bafe295bea107d7bede4b0f498c43c6d344af1483ddb788d7431f08451e86bb6c8e60a74beb9e7fdaa831b6405b3a5fe3f460ca5213c

C:\Users\Admin\AppData\Local\Temp\7413374368\blackfridaydiscount.exe

MD5 86ee347279e32641070f69e669ec98e2
SHA1 b4635032cee3fd5da08d630159a254d2ed7a51fa
SHA256 63af1bc6256086131314311b5908c85399b95dda6c4c6e84c8d77bd1b4d1fc43
SHA512 8f1a2acb0df585423bf8d9c8d3b550198e5eb5ca448649f22a75ba6e04000cc8e4271949e54a10dc6e666367ac273c1d841aad87f11eff1a55aafee550a83927

C:\Users\Admin\AppData\Local\Temp\7413374368\djdffvj.exe

MD5 c8e60225448e9cda23b291b6b16bf78b
SHA1 b4bf689c839ab7bf8bb337b66765580c0271c14d
SHA256 b71880c437249e1aae73ab4f9a2377e435ce8e13b8ca2ada12c2019428c50cc0
SHA512 fbac3dbebeac05f866ac430a939a583314c3122eebbfa576725d5b7ae16708d6fbabe929df556032b0ec5ac65026579977909affd85cc818b06e0781f73184bc

C:\Users\Admin\AppData\Local\Temp\7413374368\file.exe

MD5 6883cac79bf32bc71e629099e4108c7b
SHA1 26f5dc337a34f733ac348115731df541138307d7
SHA256 2450a79857b2d97653db25698bc2a902d58087d4bd25b1ebd743fc13b84f8a5f
SHA512 f8a7223c414002bd0f54a505b37fda0d95ec45ff0c8cabcdf8c481c050dfc342b3bb0b8eb81e0171c4067a56e2236547f58e32525c3ee6188854d84c69d99a64

C:\Users\Admin\AppData\Local\Temp\7413374368\file (2).exe

MD5 ea574dde100b38b040b422c37ef6814b
SHA1 e29a978f7c4c225d37ddc87a2a0ba82d23eb99ba
SHA256 696b6607853c35bf80ba50b4784cf28234686f6152750c5ed42c6596ea3f8775
SHA512 b1f0d8aa87c364485fa86fe88c50d982300627f2c354280c29e3ad9a0eda6d39550e3699ad132fc67533ee56984b0ff567694e4fe7ec6d287e72b03e80428697

C:\Users\Admin\AppData\Local\Temp\7413374368\ikmerozx.exe

MD5 e93d755480c85eed3031653a3ed477c9
SHA1 16589af8e8786300063d1ed5badff8ff03303e3e
SHA256 30175a4cdae27076cabcb5eb7106779cadc47113ef17a7b67d0e02aa840072e0
SHA512 9e1ae658163e2af1ff73c83b62d6945bdede05b95d23869d9d54cea64ef91bb839b2ef1b76f7c14a01b7ed1fcc7f364fee7e4023336b8f1ea8a78d724532f67e

C:\Users\Admin\AppData\Local\Temp\7413374368\isbinzx.exe

MD5 d60926cbe4de77584ee8e5f7b8268909
SHA1 04bb41d8317fc1af66ddaf8bbb92d1538d867199
SHA256 4412a658ff8b5e5c1048703b9307e62e7565834d1eaa5e0ad8db96ee72f9b162
SHA512 5a0695a85c24dd173923efc15d1ac5b95d984ee78d3383384f22cf2c33ff2fa792dd5fda92901bac50a7a0d485a7d2d151050b3cada0202ec0c1c5bda108b3e5

C:\Users\Admin\AppData\Local\Temp\7413374368\oncestatistic.exe

MD5 7f84503a1a12b3edb0da052aad05e49c
SHA1 15610b7896b980e913c07fa808ef89bf01853c32
SHA256 3454a03a003a23385521dae0e13fbe65211a9e9c590022dc906da7085ca71244
SHA512 6671ba8e5c64a593b0cefb5f46c23f608abe182e598972847c2a952d558ba3782d15bf26cb89b7671d523c886908759061e9e759433e3e38310401d3ab6a34a1

C:\Users\Admin\AppData\Local\Temp\7413374368\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b2e91cdd0e1c97efec540f2f60472d94
SHA1 719d6ebb5c0098733ed7acfb99909afe3d9468e2
SHA256 f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411
SHA512 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a

C:\Users\Admin\AppData\Local\Temp\7413374368\toolspub2.exe

MD5 a76e515e1150c903070a1eb1b2d216c0
SHA1 e747dbe088744a6de47ffcc9072404bfa60545ad
SHA256 a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50
SHA512 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\7413374368\YV8xEFq6858Firy.exe

MD5 ba2b37ae83f07749c8ae0287d5344c90
SHA1 487daab3d122fc23cdf0c671430df6d46e3d2c56
SHA256 9de15a5c7e9cdefb9a48de4039027de8687838849d9588434564a343d15a9355
SHA512 69019deffd81ad39a28a30a7fc637d3b2f36f7f1146d7b2fe79505d6f9ba5b5437a007506a73c13332554d472883f932686a1b81f5fb64bca55a4b724e08de6a

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 5bbc472213a61725a6f3c2a6d41f0687
SHA1 57fafc3fc2b54f4e0b0393381245cc53482d831a
SHA256 87ff101166da8298955695c7aaf1ba7571149aa12866fa74f4768e1fdeb7e698
SHA512 6f390ddbbc5e93a416c494c40dad5a7ec91df9c2bdf46ea0d6dc68257b336f939f3393cdd9996b613fdfec4acb0c850bffd20a3d61664595d636f35a51b91830

C:\ProgramData\17519753960477585594253373

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\601h15l

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\04326561320513108504993530

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73