Malware Analysis Report

2025-01-03 06:42

Sample ID 230821-bldmhsbg8w
Target 37ae53ead74452038b0c77abd3302258.bin
SHA256 30366af83c8706dbc4a540357aa10c20a75f35efb2a6f6b72362526da550b453
Tags
asyncrat fabookie redline smokeloader stormkitty default sel8 backdoor infostealer rat spyware stealer trojan lokibot aspackv2
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

30366af83c8706dbc4a540357aa10c20a75f35efb2a6f6b72362526da550b453

Threat Level: Known bad

The file 37ae53ead74452038b0c77abd3302258.bin was found to be: Known bad.

Malicious Activity Summary


RedLine

RedLine payload

StormKitty payload

Lokibot

AsyncRat

Detect Fabookie payload

Fabookie

StormKitty

SmokeLoader

Async RAT payload

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

ASPack v2.12-2.42

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-21 01:13

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-21 01:13

Reported

2023-08-21 01:16

Platform

win7-20230712-en

Max time kernel

11s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe"

Signatures

AsyncRat

rat asyncrat

Detect Fabookie payload


Fabookie

spyware stealer fabookie

RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

StormKitty

stealer stormkitty

StormKitty payload


Async RAT payload

rat

Downloads MZ/PE file

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe
PID 2180 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe C:\Users\Admin\AppData\Local\Temp\7413374368\data64_1.exe
PID 2180 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe
PID 2180 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe

"C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_1.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\data64_1.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 124

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 96

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 732

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 780

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe"

C:\Users\Admin\AppData\Local\Temp\Q1M241GF64IGFJ0.exe

"C:\Users\Admin\AppData\Local\Temp\Q1M241GF64IGFJ0.exe"

C:\Users\Admin\AppData\Local\Temp\0Q2A1EP4C840AQK.exe

"C:\Users\Admin\AppData\Local\Temp\0Q2A1EP4C840AQK.exe"

C:\Users\Admin\AppData\Local\Temp\26FP5K1H865LQCO.exe

"C:\Users\Admin\AppData\Local\Temp\26FP5K1H865LQCO.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe"

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe"

C:\Users\Admin\AppData\Local\Temp\M760AJK88LOG5C4.exe

https://iplogger.com/12waJ4

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\deliver.exe"

Network


Files

memory/2180-54-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

memory/2180-55-0x00000000000C0000-0x00000000000C8000-memory.dmp

memory/2180-56-0x0000000002040000-0x00000000020C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC757.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarC834.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_1.exe

MD5 1c76706643695bfd003d768b2c14f925
SHA1 6e232285359a0c65e6c3ae09691d712aaf64adc0
SHA256 2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
SHA512 6c4f8c66449de6b6c5a9ab64be67f51028074606ff6d1e2e9cd2faaf82db8ac5dc2b3e440b9f8e39e5c3da937277d3289b4050e5fa438e99277bc047c40891be

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_1.exe

MD5 1c76706643695bfd003d768b2c14f925
SHA1 6e232285359a0c65e6c3ae09691d712aaf64adc0
SHA256 2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
SHA512 6c4f8c66449de6b6c5a9ab64be67f51028074606ff6d1e2e9cd2faaf82db8ac5dc2b3e440b9f8e39e5c3da937277d3289b4050e5fa438e99277bc047c40891be

memory/2180-124-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

memory/2292-131-0x00000000000D0000-0x00000000002A0000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

memory/2084-134-0x0000000001280000-0x00000000013FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

memory/2292-144-0x0000000073F30000-0x000000007461E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

memory/2500-157-0x00000000009B0000-0x00000000009C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

memory/2984-146-0x0000000000240000-0x0000000000249000-memory.dmp

memory/2984-159-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/2984-145-0x0000000000220000-0x0000000000235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

memory/2500-165-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2084-167-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2780-168-0x00000000FF8F0000-0x00000000FF9C9000-memory.dmp

memory/2500-169-0x00000000005C0000-0x0000000000600000-memory.dmp

memory/2180-170-0x0000000002040000-0x00000000020C0000-memory.dmp

memory/2292-171-0x0000000004360000-0x00000000043A0000-memory.dmp

memory/2084-172-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/488-173-0x0000000000400000-0x00000000018B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3d36c1990ce90fc1f6185175443f7323
SHA1 7476e9a9d50d25b5998649dc24702ea94eb81123
SHA256 9dcaee4755ba6bdaeb6d367945a3c299b652b0b17ddbe57aa38d8146a78310b1
SHA512 56454648cbda00a68fb07139d220adc768254ad03faeefda8ac5e9c3c11c18e310e2c4002e968b56939a6273ca609e924f3ca35ed39bb88626f0fddd0a647baf

\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

memory/2292-219-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2360-220-0x0000000000030000-0x0000000000234000-memory.dmp

memory/1320-222-0x0000000002A20000-0x0000000002A36000-memory.dmp

memory/2360-221-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2500-225-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2360-228-0x0000000004F60000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

memory/2084-230-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2984-223-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/2188-236-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2188-237-0x0000000000A40000-0x0000000000C44000-memory.dmp

memory/2500-238-0x00000000005C0000-0x0000000000600000-memory.dmp

memory/2188-250-0x00000000042C0000-0x0000000004300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

MD5 f0e7def68cf0ad13fa1465a84081e7fa
SHA1 ec0794f7b9e700a2e65030fff696856f9c95e3dd
SHA256 8dc60ed97c72e928555748075175d01c1568d89536d5b0040d6edd977e9613e3
SHA512 0ddcfa32b7fcb154252b3bcf0ccb927e7c221c3ee4206657dc5843f7e38dfc3ab47d7f6b95da58277032499d733cf039dff128ad24cfb5e7700bd7aa9ad9c25d

\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

MD5 f0e7def68cf0ad13fa1465a84081e7fa
SHA1 ec0794f7b9e700a2e65030fff696856f9c95e3dd
SHA256 8dc60ed97c72e928555748075175d01c1568d89536d5b0040d6edd977e9613e3
SHA512 0ddcfa32b7fcb154252b3bcf0ccb927e7c221c3ee4206657dc5843f7e38dfc3ab47d7f6b95da58277032499d733cf039dff128ad24cfb5e7700bd7aa9ad9c25d

memory/2084-319-0x0000000004CC0000-0x0000000004D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

memory/2060-328-0x00000000FF1A0000-0x00000000FF279000-memory.dmp

memory/2884-331-0x0000000000260000-0x00000000002C1000-memory.dmp

memory/2884-330-0x0000000000220000-0x000000000025B000-memory.dmp

memory/2884-337-0x0000000000400000-0x00000000018D9000-memory.dmp

memory/2780-338-0x0000000003530000-0x0000000003661000-memory.dmp

memory/2780-339-0x00000000033B0000-0x0000000003521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/2360-343-0x0000000073F30000-0x000000007461E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17ac5d3a2ddf6e3d62d7cef81bfc0ff9
SHA1 4a8ccf280de904cced10ab91929739742a248d40
SHA256 f43be7fd81d5ffe04ea5c70e08b4c41aab61a74d8d88817a93dd5938929cd114
SHA512 116e39c389c08065912c020231ccc6cba919273c5286f3028eeae704336b1a67350dd5444b75456ccd1e43dc6b9c87bd4c7b91eb547f12e5e184cf82cf7efc80

memory/2812-352-0x0000000000E50000-0x000000000106D000-memory.dmp

memory/2360-353-0x0000000004F60000-0x0000000004FA0000-memory.dmp

memory/2812-354-0x0000000000E50000-0x000000000106D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2DFAB8E2D4F6F9032D3CDAF0E94F51C

MD5 1703bfe4f24c412d3ccd4fad6de2344f
SHA1 dca30bee97f35e5ab1beb30a51b6f9e452d92981
SHA256 422445fc0143bf9f96f325f9637479d14fc19bfcad495671af4328fd57d58da7
SHA512 cb85e139eabbdcb29c3a907a5cd8a3e8b1f2767d75e2a3ae8df38ebcfe380d74190816a854873db471330490f2692d477f4d82bc0f7d221510b41c06f5092152

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2DFAB8E2D4F6F9032D3CDAF0E94F51C

MD5 94ed73973bcfd3675eee28ecccfa9dc1
SHA1 b9bd0ddb4c1d88c06d0cc115adcdb1363356a91c
SHA256 8b857f3284017206dda59a8c9f8a3947791a5ce9cbb839bf66ce9a122003178b
SHA512 f461d06ab25e68a66aabebe325adfa93c00acf72bb45cf28f722ebb05a024c67421a6c348d1014052ba2d9156d0a455499ac212c75a836bd8c443b9dc632fa99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 fa2c01c5c0c642c4f959b416f2b879ce
SHA1 77ae299f6bb70f83c469aef8e1cc15061e62ce94
SHA256 54236c5db2edabe0d89d972d05a780e0698e5b8b25545721926aee692e2a93d7
SHA512 93849ae7486d899791d4639367eae5c55061cbaa7bce083c9d45749ced5fb0ed36cad29a89acda9bad7d56018a771533174d920e244ebb2f8a7025b460bbb575

memory/2720-381-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/2720-380-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/2720-385-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2720-390-0x0000000000090000-0x00000000000B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/2720-387-0x0000000000090000-0x00000000000B6000-memory.dmp

memory/2188-393-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2084-394-0x0000000000700000-0x000000000071C000-memory.dmp

memory/2720-396-0x00000000009F0000-0x0000000000A30000-memory.dmp

memory/2188-397-0x00000000042C0000-0x0000000004300000-memory.dmp

memory/2720-395-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2292-398-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-400-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-404-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-408-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-412-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-416-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-420-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-424-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-428-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-432-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2292-436-0x0000000000720000-0x0000000000735000-memory.dmp

memory/2084-442-0x0000000000700000-0x0000000000715000-memory.dmp

memory/2084-447-0x0000000000700000-0x0000000000715000-memory.dmp

memory/2588-451-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2884-456-0x0000000000400000-0x00000000018D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/2780-471-0x0000000003530000-0x0000000003661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/1188-477-0x0000000000FB0000-0x0000000001120000-memory.dmp

memory/1188-476-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

memory/2292-459-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2588-490-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2084-457-0x0000000000720000-0x0000000000721000-memory.dmp

memory/2588-496-0x0000000073F30000-0x000000007461E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

memory/868-497-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2060-445-0x0000000002E20000-0x0000000002F51000-memory.dmp

memory/2588-499-0x0000000000690000-0x00000000006D0000-memory.dmp

memory/868-498-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2292-500-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/868-521-0x0000000007450000-0x0000000007490000-memory.dmp

memory/2720-522-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/1976-554-0x0000000000C60000-0x0000000000DB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HSTART.bat

MD5 ab3271d2afead00384bba13936b3ddc7
SHA1 eda089e784e20a0ff1a3a280fe65e7968b777f6a
SHA256 44cce1bb374c63af3cb70ba836f0d68e1e57b294b6a9635530127574d72a39e3
SHA512 4d0f8a87ba4f531c53aa30573300b1d1708df9cd7ac2b700be7b8973f43c68c7df4abc421f2bec6f851476086b25d0bafdb7be12c54c99d9fbcbcadeec8c1bf1

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

memory/1976-563-0x0000000073F30000-0x000000007461E000-memory.dmp

memory/2720-562-0x00000000009F0000-0x0000000000A30000-memory.dmp

memory/2060-572-0x0000000002E20000-0x0000000002F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 7cfc2520e8fd8a455538e88efa9f9357
SHA1 bb2b84d305cb6a72444c65ffcce02471cdf1c445
SHA256 2c1a810322fcdb4d5247df6da01e30c5c670b122498f3c6a4bcaaf1fe14dd1fc
SHA512 27dbf95b40cd8fbc5dc4aac09c9eb704253a1e87948215b98f72427701dc7c8c1763eb80919ab5db321d63d556bdb5d6c89c1fa807b6f6d6120f7aceef9b3a68

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

MD5 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e
SHA1 25415858c21fc5b62cdba919ce1e13d35dfcfd46
SHA256 c90bb9ff7894af79b5f98b328712d1d8817d8e941b1cf70805706902ed5a6457
SHA512 ecec24d74eb3728037ebf169867545697d2d43e19a925bf92a7011d0f4df47a88465b4afbaddf76213cadb8cb5e6271e4d19dbf9d06e7c21b4a6693fe5f81d8e

C:\Users\Admin\Videos\Jeepdriveroads.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

\Users\Admin\Videos\Jeepdriveroads.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jeepdriveroads.lnk

MD5 49808a3a1d6d1e40116c4390fccda7cd
SHA1 cbce252e6acdfebdabc727348e07e491a394a37d
SHA256 644a704543745c6905acb12dd4f2992785899719b8f99c35b3d468553e028c7c
SHA512 8b4552ed1c792559dbd807e738787aadbcddd79ff6a44fb63df1f1efd8999fc60faf92f0ebf1074de79109c8f1fa2675df0f926b9a628b61ab3ae3496f3de312

C:\Users\Admin\AppData\Local\Temp\7413374368\dashost (3).exe

MD5 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e
SHA1 25415858c21fc5b62cdba919ce1e13d35dfcfd46
SHA256 c90bb9ff7894af79b5f98b328712d1d8817d8e941b1cf70805706902ed5a6457
SHA512 ecec24d74eb3728037ebf169867545697d2d43e19a925bf92a7011d0f4df47a88465b4afbaddf76213cadb8cb5e6271e4d19dbf9d06e7c21b4a6693fe5f81d8e

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

MD5 005d9f5b11d83c49a300daf9efa8e9cc
SHA1 ff6b5a53cbda91e35ead5bb89e73dd8ea34dc2c4
SHA256 e7c6065d235655ee2fa7871ee73a8d14b4f88b87351de7752a4c9569739b667d
SHA512 3e4e08657ced1d03164fbd1193485c4decd95d31e35b487bd3594eef30af38b84482e7027c5244a0f3ff605f2cffc558a7a0d84a9e613261c7fbbca88e10d55b

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

MD5 aa486e83365ae67a5778758685ca4d6f
SHA1 633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256 c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512 e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\Q1M241GF64IGFJ0.exe

MD5 1c76706643695bfd003d768b2c14f925
SHA1 6e232285359a0c65e6c3ae09691d712aaf64adc0
SHA256 2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
SHA512 6c4f8c66449de6b6c5a9ab64be67f51028074606ff6d1e2e9cd2faaf82db8ac5dc2b3e440b9f8e39e5c3da937277d3289b4050e5fa438e99277bc047c40891be

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Local\Temp\26FP5K1H865LQCO.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\H3KPAJCLFH5P1A0.exe

MD5 a321bdd79413b45bd029034e5af9caf8
SHA1 3d31d5e1bfde9a8f327f40141308104271233fb4
SHA256 3e0df4cc256122091975b5f49ae43fa546f47b1c12da6585a20eba71b6a748ad
SHA512 d5977be4cbc0a62d2b4ee80d075fc092caa797d356fda842ba15211eaf7fa3bf4c343afcc87ce8ba45e207e8e60578e213341947419e2c2a107205171af588fc

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab

C:\Users\Admin\AppData\Local\2df533d165da2c8a1754382db4d9275d\Admin@NYBYVYTJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-21 01:13

Reported

2023-08-21 01:16

Platform

win10v2004-20230703-en

Max time kernel

1s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe"

Signatures

AsyncRat

rat asyncrat

Lokibot

trojan spyware stealer lokibot

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe

"C:\Users\Admin\AppData\Local\Temp\ec8c114e9c0bd6154bd58396c72fabe79e2ffe70dea761cabc98b35186723360.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 356 -p 2672 -ip 2672

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2672 -s 160

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 2488 -ip 2488

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2488 -s 412

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4156 -ip 4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 296

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"

C:\Users\Admin\AppData\Local\Temp\DB5C60IGAPK6007.exe

"C:\Users\Admin\AppData\Local\Temp\DB5C60IGAPK6007.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\despitearea.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\despitearea.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuU.bat" "

C:\Users\Admin\AppData\Local\Temp\5NJEFQ62NDL0HA2.exe

https://iplogger.com/12waJ4

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 576

C:\Users\Admin\AppData\Local\Temp\KC0L002JHGA80O5.exe

https://iplogger.com/12waJ4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4776 -ip 4776

C:\Users\Admin\AppData\Local\Temp\HKG38MACD7FGMPO.exe

"C:\Users\Admin\AppData\Local\Temp\HKG38MACD7FGMPO.exe"

C:\Users\Admin\AppData\Local\Temp\EKGQ65MB4OMJ2FI.exe

"C:\Users\Admin\AppData\Local\Temp\EKGQ65MB4OMJ2FI.exe"

C:\Users\Admin\AppData\Local\Temp\HKG38MACD7FGMPO.exe

"C:\Users\Admin\AppData\Local\Temp\HKG38MACD7FGMPO.exe"

C:\Users\Admin\AppData\Local\Temp\EKGQ65MB4OMJ2FI.exe

"C:\Users\Admin\AppData\Local\Temp\EKGQ65MB4OMJ2FI.exe"

C:\Users\Admin\AppData\Local\Temp\A0AE6MLPEOEF0HK.exe

"C:\Users\Admin\AppData\Local\Temp\A0AE6MLPEOEF0HK.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3496 -ip 3496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1280

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&U.exe"'

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\67EBOCL2N7OBEA6.exe

"C:\Users\Admin\AppData\Local\Temp\67EBOCL2N7OBEA6.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3580 -ip 3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 2972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&O.exe"'

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\U&U.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 564 -p 1376 -ip 1376

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1376 -s 736

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2156 -ip 2156

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1148

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ewrqqfaaa.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe"

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

"C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe"

Network

Files

memory/2644-133-0x0000000000210000-0x0000000000218000-memory.dmp

memory/2644-134-0x00007FFFFAD90000-0x00007FFFFB851000-memory.dmp

memory/2644-135-0x000000001AF00000-0x000000001AF10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBrokersidedark2.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

memory/2148-145-0x0000000001970000-0x0000000001979000-memory.dmp

memory/2148-144-0x0000000001950000-0x0000000001965000-memory.dmp

memory/2148-146-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/2644-147-0x00007FFFFAD90000-0x00007FFFFB851000-memory.dmp

memory/1036-148-0x0000000000B30000-0x0000000000B46000-memory.dmp

memory/2148-149-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/2644-152-0x000000001AF00000-0x000000001AF10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_2.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

C:\Users\Admin\AppData\Local\Temp\7413374368\data64_3.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25.exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

memory/2124-192-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

memory/4992-200-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/2124-199-0x00000000003C0000-0x00000000003D6000-memory.dmp

memory/4992-201-0x0000000004D70000-0x0000000004E0C000-memory.dmp

memory/2124-202-0x00000000051A0000-0x0000000005744000-memory.dmp

memory/4992-198-0x0000000000270000-0x00000000003EE000-memory.dmp

memory/2124-203-0x0000000004C90000-0x0000000004D22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\RuntimeBroker.exe

MD5 bd0ffc2e1a9f0f13c8778fbe043af0b7
SHA1 b45f1b45b4ea3b8118eec41497e097b0cb3e6fbf
SHA256 bae93cf5e0de35c574ae5c2d78ae5f7929c1f944e885624009972146f85eb1e7
SHA512 68c59ee19467a94f58f7f290bc3972f76570c324ff298dba94972414c0607d81fe9f112027194427a12e2edfbe10defaf4b06026a7ea5ea4a06b3ee220bb73c0

memory/4992-204-0x0000000005680000-0x0000000005C98000-memory.dmp

memory/4992-205-0x0000000005050000-0x0000000005060000-memory.dmp

memory/2124-206-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/2124-207-0x0000000004D30000-0x0000000004D3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui.exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

memory/1472-219-0x00000000001E0000-0x00000000003E4000-memory.dmp

memory/1472-220-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/1472-224-0x0000000004C20000-0x0000000004C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

C:\Users\Admin\AppData\Local\Temp\7413374368\1808tui (2).exe

MD5 34dc3b6f5ad9472d3eee5fe006b97b4a
SHA1 ab1db703b3a1f8d5cdee2e24649b994ef4f0dd20
SHA256 9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
SHA512 55d6e7a7c991e7de31783e32f1ca06cc3f85227ce35300325ad61877b63c72623147b82c910243a1f7db87231381f213db2ab95a1e3e586d00300ed731ae3b8f

memory/1996-233-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/4396-238-0x0000000004E20000-0x0000000004E30000-memory.dmp

memory/4396-237-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\agezdv.exe

MD5 3798e6dae3df606799111b63bf54aad9
SHA1 fcb82785c04b3b805c58ca20d24e83c28dc73fc8
SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA512 2b9472a2292a93b9f8b77c4d292b5a9f11e3f9a5229bb9dcdc3cd21f3ae67526e4c2355c0b762d3c3e7d38b95fe256e72f69dae8dfd84bfe5998323d0e1d47bb

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

C:\Users\Admin\AppData\Local\Temp\7413374368\456.exe

MD5 35b823296152d234d2a6a9999df3a462
SHA1 c07c47772f2f2422bf223c85099d560f9b06bbd0
SHA256 c28bc925e3bad21b524eca44b846ae271a0435e9735c9624ba6404d8125401a5
SHA512 68a9852c45c70ae47ce11a85349c1d42cd45042ef1390d099039360a6f613c923f5571555fed2c3a96f810a300dfae7dd8f30e64c08663a6e7b243a2d03fc022

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

MD5 f0e7def68cf0ad13fa1465a84081e7fa
SHA1 ec0794f7b9e700a2e65030fff696856f9c95e3dd
SHA256 8dc60ed97c72e928555748075175d01c1568d89536d5b0040d6edd977e9613e3
SHA512 0ddcfa32b7fcb154252b3bcf0ccb927e7c221c3ee4206657dc5843f7e38dfc3ab47d7f6b95da58277032499d733cf039dff128ad24cfb5e7700bd7aa9ad9c25d

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

MD5 f0e7def68cf0ad13fa1465a84081e7fa
SHA1 ec0794f7b9e700a2e65030fff696856f9c95e3dd
SHA256 8dc60ed97c72e928555748075175d01c1568d89536d5b0040d6edd977e9613e3
SHA512 0ddcfa32b7fcb154252b3bcf0ccb927e7c221c3ee4206657dc5843f7e38dfc3ab47d7f6b95da58277032499d733cf039dff128ad24cfb5e7700bd7aa9ad9c25d

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup3.exe

MD5 f0e7def68cf0ad13fa1465a84081e7fa
SHA1 ec0794f7b9e700a2e65030fff696856f9c95e3dd
SHA256 8dc60ed97c72e928555748075175d01c1568d89536d5b0040d6edd977e9613e3
SHA512 0ddcfa32b7fcb154252b3bcf0ccb927e7c221c3ee4206657dc5843f7e38dfc3ab47d7f6b95da58277032499d733cf039dff128ad24cfb5e7700bd7aa9ad9c25d

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

C:\Users\Admin\AppData\Local\Temp\7413374368\okka25 (2).exe

MD5 9a3d39a36e8da1542ed79190e778b587
SHA1 b55c90c39c7c8b0d30ca2b8cd0068966ccf90559
SHA256 81b5941968b524ce0c043f6a431d362ae347d9c25e7b1b1fde151241abd68056
SHA512 6c15f4ecc79253f6d4a3eb59526dc68f25841e913d6f2d6d100f3edc81c7e44d7971051f29b7edc55a24e0c0774bc254a9a8c41bdaf6d5e010fa44489cd712d2

memory/2124-269-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/4992-272-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/4992-273-0x0000000005050000-0x0000000005060000-memory.dmp

memory/3580-275-0x0000000003460000-0x00000000034C1000-memory.dmp

memory/3580-274-0x0000000001A20000-0x0000000001A5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/2124-285-0x0000000007570000-0x0000000007628000-memory.dmp

memory/4156-288-0x00000000004A0000-0x00000000006BD000-memory.dmp

memory/2124-286-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/2124-290-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-287-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/2124-292-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\nuIex_crypted.exe

MD5 55994b5392dc148b6ffad440403bcf06
SHA1 8d81e17eb48aa37f77bfde940d24cb912075ad57
SHA256 cfd3caa9dbbbb9d4f6fff3597a2155b5f04e898cd082c84b368fe94943830108
SHA512 eb8d1059a71b202f8eb5c3432e55c6b4ad6f51024552ca3b0b6635220232700ad717e86928376f3cf91d579207b9baafbd218e0c65a2c40a726dc78b8ce8ba53

memory/2124-294-0x0000000007570000-0x0000000007628000-memory.dmp

memory/3580-279-0x0000000000400000-0x00000000018D9000-memory.dmp

memory/2124-296-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-298-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-301-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-304-0x0000000007570000-0x0000000007628000-memory.dmp

memory/1036-300-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/2124-307-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-309-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-311-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-313-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-316-0x0000000007570000-0x0000000007628000-memory.dmp

memory/1472-315-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/2124-318-0x0000000007570000-0x0000000007628000-memory.dmp

memory/1996-322-0x0000000000400000-0x00000000018B4000-memory.dmp

memory/2124-324-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-320-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/2124-338-0x0000000007570000-0x0000000007628000-memory.dmp

memory/1472-339-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/1108-342-0x00000203FE100000-0x00000203FE270000-memory.dmp

memory/2124-341-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-345-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/2124-348-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost.exe

MD5 f226785987c5b4c128d4785c6a2d413d
SHA1 3bc64ea834deb4545e918bd8577ca6e4c584beb1
SHA256 be8a7be2a07887ff0bcbcfbee0c512e94838fd8aeaddd2ed8e2d7e7685fa5dfd
SHA512 7e3ad2062dead1f1f08e6938ab385e6b81e223c897daef551c5578751e5033fc596b5106199b908c389b7ffd95f48d821ee4763676b6d826c7d7e4300de9ac9d

memory/2124-350-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-357-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

memory/4992-360-0x0000000005100000-0x00000000051CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

memory/2124-361-0x0000000007570000-0x0000000007628000-memory.dmp

memory/2124-364-0x0000000007570000-0x0000000007628000-memory.dmp

memory/4992-367-0x0000000004EC0000-0x0000000004ED5000-memory.dmp

memory/4992-382-0x0000000004EC0000-0x0000000004ED5000-memory.dmp

memory/2124-369-0x0000000007570000-0x0000000007628000-memory.dmp

memory/4992-365-0x0000000004EC0000-0x0000000004ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

C:\Users\Admin\AppData\Local\Temp\7413374368\Setup2potok.exe

MD5 e6b8cfb15c6fce9abcea7a716345d537
SHA1 c56b60c650439c124b403e31aced45c584ecdd7b
SHA256 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277
SHA512 e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1

memory/396-421-0x0000000000330000-0x0000000000484000-memory.dmp

memory/3116-425-0x0000000000400000-0x0000000000426000-memory.dmp

memory/3116-436-0x0000000005110000-0x0000000005122000-memory.dmp

memory/3116-442-0x0000000005240000-0x000000000534A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\Al.exe

MD5 95d977a14fbc0eb268d4aae47bdb4dee
SHA1 1fd72860977b790d21d82f2d098e2fccb39c07b2
SHA256 cb4f7547c933b91f4bea866cf51f91762e67bb4e71893321f626ec7f7ec9f043
SHA512 631eb5a0cde3e9969962e028b3dcca23b0675b39874cba3f4c313a2441b2a04d66591d114e036ae8bffd2fd52ea9c39d299871e0096c1836c4670b6fde04d9fd

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 7cfc2520e8fd8a455538e88efa9f9357
SHA1 bb2b84d305cb6a72444c65ffcce02471cdf1c445
SHA256 2c1a810322fcdb4d5247df6da01e30c5c670b122498f3c6a4bcaaf1fe14dd1fc
SHA512 27dbf95b40cd8fbc5dc4aac09c9eb704253a1e87948215b98f72427701dc7c8c1763eb80919ab5db321d63d556bdb5d6c89c1fa807b6f6d6120f7aceef9b3a68

memory/448-491-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4396-497-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (3).exe

MD5 6ac95d0ff18baaa2fa5bbfa1cbe4ff6e
SHA1 25415858c21fc5b62cdba919ce1e13d35dfcfd46
SHA256 c90bb9ff7894af79b5f98b328712d1d8817d8e941b1cf70805706902ed5a6457
SHA512 ecec24d74eb3728037ebf169867545697d2d43e19a925bf92a7011d0f4df47a88465b4afbaddf76213cadb8cb5e6271e4d19dbf9d06e7c21b4a6693fe5f81d8e

memory/1108-518-0x00007FFFFAD90000-0x00007FFFFB851000-memory.dmp

memory/1108-522-0x00000203989F0000-0x0000020398A00000-memory.dmp

memory/4156-526-0x00000000004A0000-0x00000000006BD000-memory.dmp

memory/3116-540-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/1472-547-0x00000000752E0000-0x0000000075A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HSTART.bat

MD5 ab3271d2afead00384bba13936b3ddc7
SHA1 eda089e784e20a0ff1a3a280fe65e7968b777f6a
SHA256 44cce1bb374c63af3cb70ba836f0d68e1e57b294b6a9635530127574d72a39e3
SHA512 4d0f8a87ba4f531c53aa30573300b1d1708df9cd7ac2b700be7b8973f43c68c7df4abc421f2bec6f851476086b25d0bafdb7be12c54c99d9fbcbcadeec8c1bf1

memory/4396-554-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/3116-552-0x0000000005200000-0x0000000005210000-memory.dmp

memory/4992-556-0x0000000004F00000-0x0000000004F01000-memory.dmp

memory/3664-564-0x0000000000400000-0x0000000000492000-memory.dmp

memory/448-561-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/1932-566-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4348-568-0x0000000000400000-0x0000000000492000-memory.dmp

memory/2440-572-0x00000000019D0000-0x00000000019E5000-memory.dmp

memory/2440-574-0x00000000019F0000-0x0000000001A0B000-memory.dmp

memory/396-532-0x00000000752E0000-0x0000000075A90000-memory.dmp

memory/3116-527-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/2440-596-0x0000000000400000-0x00000000018B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0AE6MLPEOEF0HK.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\HKG38MACD7FGMPO.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Local\Temp\OBHCC262FBLQPGA.exe

MD5 a321bdd79413b45bd029034e5af9caf8
SHA1 3d31d5e1bfde9a8f327f40141308104271233fb4
SHA256 3e0df4cc256122091975b5f49ae43fa546f47b1c12da6585a20eba71b6a748ad
SHA512 d5977be4cbc0a62d2b4ee80d075fc092caa797d356fda842ba15211eaf7fa3bf4c343afcc87ce8ba45e207e8e60578e213341947419e2c2a107205171af588fc

C:\Users\Admin\AppData\Local\Temp\5NJEFQ62NDL0HA2.exe

MD5 8719ce641e7c777ac1b0eaec7b5fa7c7
SHA1 c04de52cb511480cc7d00d67f1d9e17b02d6406b
SHA256 6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea
SHA512 7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

C:\Users\Admin\AppData\Local\Temp\KC0L002JHGA80O5.exe

MD5 8719ce641e7c777ac1b0eaec7b5fa7c7
SHA1 c04de52cb511480cc7d00d67f1d9e17b02d6406b
SHA256 6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea
SHA512 7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\despitearea.exe

MD5 f526b418904b7abf10dda8330d15918c
SHA1 c05b96e8b0a6ea706eb688bf6c16238ee21c2aeb
SHA256 b729f29a47b6f7ba31cc8b615b3897e57693cf937c2812403056c2ef15b31de0
SHA512 d7969ef7fd235bb3355d57789a4a9eeff26212e00d8c47b6db4fe2d060264480128e6d5ccc462ebb9a3568c4338adb66f0b8d7a3fd6fadfa12a080fd27428144

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4176143399-3250363947-192774652-1000\0f5007522459c86e95ffcc62f32308f1_a45f701b-5010-437a-b6fa-20e6d38f067d

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Local\Temp\UuU.bat

MD5 6a8dd1621b2d306c12b24f6bac5fb3be
SHA1 23e05a3e2e65cc2cdca295a275070bb5b3090a9f
SHA256 e0b94f69ee4ec8416d8e8613d08e9d1ab93aff6aae7f065d9071625010c1b40a
SHA512 52aec6f2f61d79ba8a37aa235dd5c49b9706ffaf6c579d59baa57096e857ac8be6babf4cf2a41bf04a5aba959dae71a7782eb907330dbd9f77dfefc5f269e3e2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\despiitearea.exe

MD5 48e86fba19f4289c41bf2d83fdab6340
SHA1 748ac221cfc8805c1d65961aad8fc7de24c8853f
SHA256 8eac540b005be89124e2f41323b573a4d70567e01bb7f5c6b33a0b687e3fe378
SHA512 6737b4416d7ccb32b269d08dcb9914b9e75257bbd79365d953b9d5fb562ff54d1a37a39c9580a45b68dde3f17d23bafab09d2196a661dfa204cbff1b6314c401

C:\Users\Admin\AppData\Local\Temp\EKGQ65MB4OMJ2FI.exe

MD5 8ddf6828d0af91fe8984277aa7b8e497
SHA1 ae47ac962239a225a42520cbf36907dce93827d6
SHA256 64e3a9c661f65005b77e1083e1dd4f1d9bfd7dca1d7bedc666e383824a0a6b03
SHA512 1841cccba2475f6f95ccd5e9e89dc8b5e4299ac93d9336e027e83c63e8573c3c3f1531cf6beaf741b9547cd7e4b10813942926f2656f0d1b56dce26bea498f47

C:\Users\Admin\AppData\Local\Temp\DB5C60IGAPK6007.exe

MD5 1c76706643695bfd003d768b2c14f925
SHA1 6e232285359a0c65e6c3ae09691d712aaf64adc0
SHA256 2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
SHA512 6c4f8c66449de6b6c5a9ab64be67f51028074606ff6d1e2e9cd2faaf82db8ac5dc2b3e440b9f8e39e5c3da937277d3289b4050e5fa438e99277bc047c40891be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 edd389c7c270bac8d63c282e6028018c
SHA1 44932f8680e8e092eec0ec95272492e7ee4fd062
SHA256 0e8054f4a6ee4b925f62aeaf9908b3377f4d034f7734bb1bff7dece2ed1ebe10
SHA512 cc1ccac7d1bf1deed8e80f272d75ae5457c268c6bd75cb08e7a09f45066a082649a3e7ca1695325dfac096f0306297fca4ce86778f028d8761483e549e912fc0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 de44f52be6e151c02d6b02e9551c614a
SHA1 03b4df7b990070aeccdf5295c6943e1560ee1502
SHA256 f0c000106216622ea11ff35c3e07db80fec2bdcb62fbe90394f93d963af4e9db
SHA512 15921fbb9b0486c63b9a4cdc12aa97aa1438373deadce5aca41771b129bca2f1a514586a60cc3f569d7fb7604a1311968d817d7e0ad17817d63d51898035aade

memory/624-589-0x0000000000B30000-0x0000000000D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67EBOCL2N7OBEA6.exe

MD5 1c76706643695bfd003d768b2c14f925
SHA1 6e232285359a0c65e6c3ae09691d712aaf64adc0
SHA256 2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
SHA512 6c4f8c66449de6b6c5a9ab64be67f51028074606ff6d1e2e9cd2faaf82db8ac5dc2b3e440b9f8e39e5c3da937277d3289b4050e5fa438e99277bc047c40891be

C:\Users\Admin\AppData\Local\Temp\vbs.vbs

MD5 6fad8de519b706038ada9fff3693e53b
SHA1 9b867203ec5cafae049da516db4cc315b6f6a627
SHA256 be5dedff846ef5dd2a37b4b6c8337d72cb8af23d9a849fa043081abb76d74e27
SHA512 8d58f4ec30bc5d650e315903844208eaf09e97e9bab3348453d34a359c039b7b4cce4c5c41393577fa65284d7147d7997ef6225617fbc1ecbfb6a36081b669d0

memory/3116-452-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/1108-352-0x00000203FE620000-0x00000203FE63A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DB5C60IGAPK6007.exe.log

MD5 fa577fbb3211d416cf1ce2c392b22320
SHA1 2bf1ba8218e42d5bff1c5b4cbb8e1246e5732942
SHA256 2d4c674f53c7aac5bf4550b518b4941b65c23eba9eb7477141860cc59d37aff7
SHA512 dbfee5fd64eb5c100a239245e31bf4e84d45b01072b6d36966eca61b24fc324af59225f2b9064ac1a9acadad3e5cef5233bbe7a11b8b769f99c804b8d0a36208

memory/2124-328-0x0000000007570000-0x0000000007628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk2i5lmy.hx1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jeepdriveroads.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Videos\Jeepdriveroads.exe

MD5 48a0efb20b34146d249e1d2ec6e4b635
SHA1 5b31708982e1b7a4809860bfca27c87d8cce7096
SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA512 4ed35a70b97c93392c481a1d595ec040bc9eed8abd30324506b80dd756860be3af4d6aefe90ce6740e993c041aef16ec4599607e5d0142beb1508387324b958a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 28854213fdaa59751b2b4cfe772289cc
SHA1 fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA256 7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA512 1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jeepdriveroads.lnk

MD5 b0546fe4f3071e52f9f026737c111a25
SHA1 498036404abdc7fcfff3952b6a9138cd0b789334
SHA256 84d77c19f6ad8c1d745b43dd013fcc56fdaabb77e413040de1f51f882eefe19a
SHA512 a1926993dd9fea13f2d662d44791c68d45b87d408e452ec62d937e11e3ddc444393a6d4a8737ab9a553c8c44f4966742312de640b1366a3e252b09a39c3bebce

C:\Users\Admin\AppData\Local\Temp\7413374368\update.exe

MD5 392495c31f590a0a04b0c0f1cb0e06a9
SHA1 448790c1eeefa56077894f0b658c3b1ecd1c3fac
SHA256 98a675d90eba03e1ebe08348e4e305cc72b5797f42ef28718078b9dbca9d3c88
SHA512 b33cf50dc293c881b80394ae0c32827430fe727761b8cd4cde3576394de1acd63405456afa46db925d10202caf0eb6d51d010a343538bb0abe68bc994ec1ea60

C:\Users\Admin\AppData\Local\Temp\7413374368\dasHost (2).exe

MD5 30971ee638ec6185289994daae14730a
SHA1 f521ec64ee7f57f620ba34567eeec88febc7c6b6
SHA256 459e33ed8a481e8f628590b3c74938f4990e4e504c52b351585cccc9a5a892a9
SHA512 75a19592bde3eea0755fe70aba4fd6db9993eaee7f4c17791a19a77d991f7c56456c089cd6c098f4baa4ac2ededdb8d6e26f31af6f0ea03decf13ec1eabb9eae

C:\Users\Admin\AppData\Local\Temp\7413374368\ghostzx.exe

MD5 005d9f5b11d83c49a300daf9efa8e9cc
SHA1 ff6b5a53cbda91e35ead5bb89e73dd8ea34dc2c4
SHA256 e7c6065d235655ee2fa7871ee73a8d14b4f88b87351de7752a4c9569739b667d
SHA512 3e4e08657ced1d03164fbd1193485c4decd95d31e35b487bd3594eef30af38b84482e7027c5244a0f3ff605f2cffc558a7a0d84a9e613261c7fbbca88e10d55b

C:\Users\Admin\AppData\Local\Temp\7413374368\zaliv.exe

MD5 67c418ee40a4edb8a5b232298234f4be
SHA1 1b0f3c83711debfdb62b0b466c3a59aebe74caed
SHA256 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
SHA512 bf7b776124d211b7acf5c978666664af9c61d3531d07d0f66f80873f81475d007729f1c7773b3b6e430202267e90fc86242ae9e0eadfc9d5faa5f38754009eb4

C:\Users\Admin\AppData\Local\Temp\7413374368\162.exe

MD5 048e94bcc447bc7c96688d2266006dce
SHA1 43a158739baa1a85cc612583643a8e48d18da1f1
SHA256 6a9e0666d7ae9bdaf122bb956891802f59e9de16be838a2bd2a05680f786f8ed
SHA512 27a0c733240f8d297443d8fd4c4c93c9ef782ede997ebc315254590cdbedce377e3354c8c6ff7dd30061ea85887a7d18ec6f74f6da49a6de368823dedb66a1ab

C:\Users\Admin\AppData\Local\Temp\7413374368\amday.exe

MD5 aa486e83365ae67a5778758685ca4d6f
SHA1 633e328f5deb9c09e99368fa25f6deca4a601bbb
SHA256 c010da0b5ee5ca9b8d48491d007af10e5b80f6d7950145e1cf81a195c19836d7
SHA512 e16ef48515eccea7dcb27521027785e9a42ec9d8c76af86f598be363998453f3a71e976bb9ac38caf0751286c41f443cd3a3fad0507f4eedd1d7affeb4734dfd

C:\Users\Admin\AppData\Local\Temp\7413374368\SuWar3Tools.exe

MD5 b48808aa48def99c1d4f23332e8aa49b
SHA1 1853ca237e234f6f3683704dc4a19f57b69ce57a
SHA256 7030cf57b71fd090d5f606baffcea09b21849d996c5931419b2b93d6cf05b481
SHA512 ae413c92d965d3fcfc9422f87ad448c1592b3365a8d434899a7c0628c304815aaab9bb73d38db8d6bc1bc7468c8d425679578bc3d0447cbb5a6ffb895b49e447

C:\Users\Admin\AppData\Local\Temp\7413374368\invoice.exe

MD5 47699e23b8a46230799ae564517d7519
SHA1 ae3b67fd6908257d022d108da46d3017c090d8a4
SHA256 06810a7d576fc02e44a135364d1b17014081be39675bdb4b48f87799dbacf471
SHA512 d9214cafdb5154eef80c5eba2f8dfa0a17ff8ebccf509ae4b02d95a226469b0bbdcd4842194a1600d1c2a4a6131b1d2c414b13f61a3ceee9263dc62b115562b1

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit.exe

MD5 64870ba5b0e92b05dc383959e02782ce
SHA1 167e866c71e4cbcc12c2d24d49c7b89e8cfb1b99
SHA256 a0c810baccbd3943748568d16e5b9cdf6b829364c8e4b21cda09c4f865b228f0
SHA512 4589f98f20390b93343de6dcdd265cd61a2722e73b6d50ac79b899a2bdf9ae03d644c25b37e6780a80ac605966b161f86a1049d3b03e8aa2c2347b5e5c35a8a3

C:\Users\Admin\AppData\Local\Temp\7413374368\wininit (2).exe

MD5 7f162aac8d8d2af6c52e87a85a1547e5
SHA1 71ebb043ef3c5bd1dfd8e4ad2b16a49899070ed4
SHA256 5e0519cad57279ab39f475c7ec22d2435a4a69f2378cf2254745e089f5c174fb
SHA512 c5f8e75f33e829744f7129127b96812814d59995dfcac9f885efb8ba48895c5258e97b9c1b051705927e08547b3187a807a720cb425dd7a0d62d480ffdd7bf0d

C:\Users\Admin\AppData\Local\Temp\7413374368\yugozx.exe

MD5 f8c3412590b684f623589e4120558499
SHA1 e770438dfab86a3f9430dfdb3cde29c2a8639b6c
SHA256 873affaacad199fcc1687b9d8e39d75707123ed4ce38181da37e093b624832da
SHA512 84ace1e87ac35d973834598cebded542b51533e2156b8315fcee9d52575532b75a661235a20a86ba1572069eca327eface2d2a8d1b6c85fc40830db6130965be

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4176143399-3250363947-192774652-1000\0f5007522459c86e95ffcc62f32308f1_a45f701b-5010-437a-b6fa-20e6d38f067d

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Local\Temp\7413374368\builsrtdd.exe

MD5 3656380b872547ff69f460c90328d257
SHA1 d9669ed63561e3419900c72207a66f9443e26075
SHA256 25418f9accfaa84b3ea5ef662fc2b24f9782d1e2e00c1303f879f11afc2eec7b
SHA512 1c5ebf89b64eafc1231ee90898897cdd58b9ced7c8a59ee1f33033fe9a66f6e8bf1f26869c5e8a2d1284587f77c9c56172e572ea7942923b73efba4323547a18

C:\Users\Admin\AppData\Local\Temp\7413374368\build1234.exe

MD5 5fb59ec46fd6a15ac0856e37fe226573
SHA1 eee55c1d7f2108fff02d44b33343cd2aad989847
SHA256 a77aeb964d6d999e14963b578325f37c7b951da9d67af592ae833a42858649df
SHA512 816e074ad14ce301baaa35cafbb0e00defcd12cb7d5b8c07397d9f97dd748e272c60c027fefeb6fcbe0f81afbf909935519977138066541cab47db75ecd6eb2f

C:\Users\Admin\AppData\Local\Temp\7413374368\chrme.exe

MD5 5b04c44af744f95bf670840cea457616
SHA1 201d5971e506338c8e8e5d02e28505233d3bb9f0
SHA256 e23a12b3686decc690209df23410d3fc8d54b08be33bbd33899f5932351e8fca
SHA512 7558394d5a8a1a95d6cd7f59f22dc8aafa7e1eca908f77c20833a04c52ac01ea1980bc5b1eab72dc208b01c7a1a76d7f3140806ff43e264b2f1770c1b0aca581

C:\Users\Admin\AppData\Local\Temp\tmpF6DF.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpF6DD.tmp.dat

MD5 3aab77f422e7f9bbfcd27cf92dc5be35
SHA1 86b2c375a42310865deb92dd30321a52ce0aacae
SHA256 afe30515e23e0ee5995270c77a39932a1b9cd8ed473d9920970209eaaf466ade
SHA512 1714bd3f24dfe8fdacfb11d0900923d11011a636c4b888fc9f6e19f75165ce1b1df27fd28be13c0d3801f158f30605f99b2334cba6127e0f4d40f6a9d1e516f5

C:\Users\Admin\AppData\Local\Temp\7413374368\PeriodicalConiform.exe

MD5 43bbed8db3d574acd479bb95fdaeb89f
SHA1 3cbd4ff5252f1505471ba80608345d5fd8b300a8
SHA256 cd3b625cb2fe094def21db9f7261c9d83873471dd3ef060345c391bd12af84b8
SHA512 0a765113eddc4e0bac10bc9ccb69000fab17df13fa7fd0f634f87a8adefc3344369d508cc0bbf638f994c04ca6cd6ccbf89dc236dfb2773296d94f31fe6b50ab