Malware Analysis Report

2025-01-02 11:07

Sample ID 240314-fwbccsdf54
Target d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544
SHA256 d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544
Tags
amadey redline smokeloader stealc zgrat pub1 backdoor evasion infostealer rat stealer trojan upx dcrat lumma bootkit discovery persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544

Threat Level: Known bad

The file d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544 was found to be: Known bad.

Malicious Activity Summary

Stealc

RedLine

Lumma Stealer

Detect ZGRat V1

Amadey

SmokeLoader

DcRat

ZGRat

RedLine payload

Pitou

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

UPX packed file

Executes dropped EXE

Reads data files stored by FTP clients

Loads dropped DLL

Deletes itself

Reads WinSCP keys stored on the system

Identifies Wine through registry keys

Unexpected DNS network traffic destination

Checks BIOS information in registry

Reads user/profile data of web browsers

Reads local data of messenger clients

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 05:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 05:12

Reported

2024-03-14 05:17

Platform

win7-20240220-en

Max time kernel

44s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Pitou

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1200 set thread context of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe
PID 1204 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe
PID 1204 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe
PID 1204 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E89.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1528 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1528 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1204 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1204 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1204 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe
PID 1200 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\B76F.exe C:\Users\Admin\AppData\Local\Temp\B76F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe

"C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"

C:\Users\Admin\AppData\Local\Temp\8E89.exe

C:\Users\Admin\AppData\Local\Temp\8E89.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AFEF.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AFEF.dll

C:\Users\Admin\AppData\Local\Temp\B76F.exe

C:\Users\Admin\AppData\Local\Temp\B76F.exe

C:\Users\Admin\AppData\Local\Temp\B76F.exe

C:\Users\Admin\AppData\Local\Temp\B76F.exe

C:\Users\Admin\AppData\Local\Temp\EF51.exe

C:\Users\Admin\AppData\Local\Temp\EF51.exe

C:\Users\Admin\AppData\Local\Temp\197E.exe

C:\Users\Admin\AppData\Local\Temp\197E.exe

C:\Users\Admin\AppData\Local\Temp\217A.exe

C:\Users\Admin\AppData\Local\Temp\217A.exe

C:\Users\Admin\AppData\Local\Temp\38F1.exe

C:\Users\Admin\AppData\Local\Temp\38F1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 124

C:\Users\Admin\AppData\Local\Temp\466A.exe

C:\Users\Admin\AppData\Local\Temp\466A.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

C:\Users\Admin\AppData\Local\Temp\april.exe

"C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp" /SL5="$8011C,1678053,54272,C:\Users\Admin\AppData\Local\Temp\466A.exe"

C:\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp" /SL5="$80120,1697899,56832,C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

"C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -i

C:\Users\Admin\AppData\Local\Temp\6550.exe

C:\Users\Admin\AppData\Local\Temp\6550.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Users\Admin\AppData\Local\Temp\u1ik.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1ik.0.exe"

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

"C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe" -s

C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe"

C:\Users\Admin\AppData\Local\Temp\8B67.exe

C:\Users\Admin\AppData\Local\Temp\8B67.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 576

C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

"C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe

"C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe

"C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCBAEHCAEG.exe"

C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe

"C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd" "

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"

C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

"C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"

C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe

"C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 256

C:\Users\Admin\AppData\Local\Temp\onefile_1448_133548669116962000\stub.exe

"C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe

"C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe"

C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000936001\toolspub1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BAEBGHCFCA.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {F9BA1921-EEBE-4548-95F1-4EB0350C7231} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\721934792624_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F66.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7818.exe

C:\Users\Admin\AppData\Local\Temp\7818.exe

C:\Users\Admin\AppData\Local\Temp\7818.exe

C:\Users\Admin\AppData\Local\Temp\7818.exe

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
RU 185.215.113.45:80 185.215.113.45 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 midnight.bestsup.su udp
US 172.67.171.112:80 midnight.bestsup.su tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 trmpc.com udp
DE 185.172.128.187:80 185.172.128.187 tcp
KR 211.171.233.129:80 trmpc.com tcp
DE 185.172.128.126:80 185.172.128.126 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 nidoe.org udp
MO 122.100.154.145:80 nidoe.org tcp
MO 122.100.154.145:80 nidoe.org tcp
MO 122.100.154.145:80 nidoe.org tcp
MO 122.100.154.145:80 nidoe.org tcp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
MO 122.100.154.145:80 nidoe.org tcp
RU 193.233.132.62:57893 193.233.132.62 tcp
MO 122.100.154.145:80 nidoe.org tcp
MO 122.100.154.145:80 nidoe.org tcp
DE 185.172.128.109:80 185.172.128.109 tcp
MO 122.100.154.145:80 nidoe.org tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 81.94.150.149:80 galandskiyher5.com tcp
MO 122.100.154.145:80 nidoe.org tcp
RU 193.233.132.56:80 193.233.132.56 tcp
MO 122.100.154.145:80 nidoe.org tcp
RU 193.233.132.139:30468 193.233.132.139 tcp
DE 185.172.128.33:8970 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:80 api.ipify.org tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
RU 193.233.132.56:80 193.233.132.56 tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 119.204.11.2:80 sdfjhuz.com tcp
TR 217.195.207.156:47721 tcp
LT 91.211.247.248:53 bwdynuu.com udp
RU 5.42.65.31:48396 tcp
TR 195.16.74.230:80 bwdynuu.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp

Files

memory/2904-1-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/2904-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2904-3-0x0000000000400000-0x000000000071E000-memory.dmp

memory/2904-5-0x0000000000400000-0x000000000071E000-memory.dmp

memory/1204-4-0x0000000002E20000-0x0000000002E36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8E89.exe

MD5 b6297922e4d7e05d1b009613d201883e
SHA1 b6c739fd153f0078e115386bd0f87d784c1b5588
SHA256 91a101f00488af2027b7fee5bfe9a14f290bcc401d183d352c9de40625af3700
SHA512 ab503a34d096ba5b6695505054e12ddf16ddd1407c1737d0fb5655b21947bab4de49e546b0ee1bbc9cdd581b8f32522ec720d27fa0fe9b79796ea0e3a6e3be79

memory/2632-17-0x00000000008C0000-0x0000000000D6E000-memory.dmp

memory/2632-18-0x0000000077350000-0x0000000077352000-memory.dmp

memory/2632-30-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2632-29-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

memory/2632-28-0x0000000002510000-0x0000000002511000-memory.dmp

memory/2632-27-0x0000000002470000-0x0000000002471000-memory.dmp

memory/2632-26-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2632-25-0x0000000002520000-0x0000000002521000-memory.dmp

memory/2632-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/2632-23-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/2632-22-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2632-21-0x0000000002590000-0x0000000002591000-memory.dmp

memory/2632-20-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2632-19-0x00000000008C0000-0x0000000000D6E000-memory.dmp

memory/2632-33-0x0000000002860000-0x0000000002861000-memory.dmp

memory/2632-32-0x0000000002460000-0x0000000002461000-memory.dmp

memory/2632-35-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2632-34-0x0000000002810000-0x0000000002811000-memory.dmp

memory/2632-36-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/2632-41-0x00000000008C0000-0x0000000000D6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFEF.dll

MD5 54cb28e69125f2bc899399942744ab45
SHA1 d44785924d075f97e45618e82f53ef61ed4a2b51
SHA256 f601f958e30cf92f2af4a14209153eab34bbe5cb347f5ce8f340c3a945bdfd7d
SHA512 b9193bb4ab19460cd588ab8a8f8ea7a02003d55168fa1df0d2042b5e7fb60ee7e0c656f288d800ec80785214259133c26283f653098e79d0fdccfe1a83c3e920

\Users\Admin\AppData\Local\Temp\AFEF.dll

MD5 2fec3edd89c1341cdb4d83933b9019c6
SHA1 28b0c38d3f8b4fc9fc365173ff85cb2d963c9e11
SHA256 1a52d0d48a027a8be37104220ede8268f83c815ed0eeb1110b9a8704cf8f4bfc
SHA512 f58fed736c7bcf29e145ce00c4bf0ea57ea9fb178383f64bc0cdcf550e4d01bbe6ed2c96178ba5143e226d49e9c3621b43a915305e6abb855b8abedb243111b1

memory/1708-45-0x0000000010000000-0x00000000102CE000-memory.dmp

memory/1708-47-0x00000000001C0000-0x00000000001C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B76F.exe

MD5 996c2b1fb60f980ea6618aeefbe4cebf
SHA1 a8553f7f723132a1d35f7a57cae1a2e267cbc2ac
SHA256 f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50
SHA512 4af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056

C:\Users\Admin\AppData\Local\Temp\B76F.exe

MD5 a3753e9ed59f01cb1571ac0c5430a8a8
SHA1 f85e924060cfe5da576e2773b6a0acb62eaeea98
SHA256 7074367a6e92a34cff78eece62750916395a07b73675c6e52d3373490bf9f64d
SHA512 209a366f793e75e00f4a9b85d543a8b09b1da22feeaa8dc68faea861b7dbfe2ac53897bcd2d5c211fe6332b31d662c4ed0f1e89f1689036ac6a10dc814d616a6

memory/1708-54-0x0000000002670000-0x000000000279B000-memory.dmp

memory/1708-55-0x00000000027A0000-0x00000000028AF000-memory.dmp

memory/1708-58-0x00000000027A0000-0x00000000028AF000-memory.dmp

memory/1200-59-0x0000000001F50000-0x0000000002108000-memory.dmp

memory/1200-60-0x0000000001F50000-0x0000000002108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B76F.exe

MD5 d0e1400d23279e9d4772b0ae3c0d9e54
SHA1 5b5ac3776b98ec30c1fd98666f53fd98906b3f9f
SHA256 d1608cdf18108b0c1f7485191127d46380771c1e3e9eb5af6dbebc63171bdafe
SHA512 df8601246b48e3aef28d6443aa4a1b8d573ca6b52fb4ab048521372adaf8eabf2e735a28c7f32604dbc3045063fee0d9fffa61f17c4e64d8ac318d01891abec3

memory/1756-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1200-63-0x0000000002110000-0x00000000022C7000-memory.dmp

memory/1756-66-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1756-68-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1756-69-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B76F.exe

MD5 412622de109100dbe7c1407b8e15a2fe
SHA1 aa21b277bea98a2c606eb1f8bc9e84cb8761ecc1
SHA256 de937417a1f8731bf9d53d24d7584fdadde27f0388bb47b4ff46da8ffb228017
SHA512 1352d2968b0d7d65bf9b9581ec0b6df18c38030a66c2392712465ee74ee029d82be2d65d868ad1f2710036e260490780f8062d5adbfc83289d6c5ba50a502d7f

memory/1756-70-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1756-71-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\B76F.exe

MD5 6d392f1421340e79a359d5e608734ecf
SHA1 cb36d6ce45aa9d31bb5c2b8b2d366fe426400a1d
SHA256 8f60d4b36646e9bdd1174e92267cd28dacb6749e7bede209f5335c966ab3b707
SHA512 cecdb41d9646397e5e576b21c564a7a1ff36a0719878180b9fda466ec634d8b5f858411cc84c8b748780e931936ae0c81033bfc26229a1e83ddd642e8b6d449f

memory/1756-72-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1756-75-0x0000000000270000-0x0000000000276000-memory.dmp

\Users\Admin\AppData\Local\Temp\AFEF.dll

MD5 e38a5abdc5910bd18427552de8930b14
SHA1 c4828008057429bc4c35fab01045b5ef18d2fda8
SHA256 567b3e0ffd4e8403f5a52a7469f76fafc40e73ae95bc8ef5903b748a5949b4cc
SHA512 7a2ac8309ef3661d89117ee0e248db7fad06bff6867ca44c9ef913e3f6270112abe65bf312c9fc2d70831704072b4b655a112034a5754b1fceee662172ca8db8

memory/1756-77-0x0000000002C80000-0x0000000002DAB000-memory.dmp

memory/1756-81-0x0000000002DB0000-0x0000000002EBF000-memory.dmp

memory/1756-84-0x0000000002DB0000-0x0000000002EBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF51.exe

MD5 68a9bf2ea7d3e606644b594a3420d9cc
SHA1 4366fbef31500ca265fad6f0a080802fc69c5465
SHA256 3b386b16dc4c9683d3c7a30270a133ed87c06675d8c76c2a9fb0cb77bb50448f
SHA512 dec7d0e2e6259b50f3971919e9492950a3392e7228827d3e879ed69d19d93e058c68f234728a2aa88f4ef1ad61788c027ac84a0126ca8a340707ff04587241e4

memory/1708-87-0x0000000010000000-0x00000000102CE000-memory.dmp

memory/1604-90-0x00000000012E0000-0x000000000187E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\197E.exe

MD5 81ed68e85b095ceb1ec4b3f9b6699e21
SHA1 1bd3882f103afe8120c24c7f63833d5f285375f4
SHA256 aeb43d3f19701a34981b0882e5305fe416a39a2f16c8728c307ef7d0fcfb654a
SHA512 e332eb6dbbcc4737306bd85fdef34ecd9d14062edc13e009a96e77ec47bb141e2717da67b3a1c14e1cf74ff007b3a0293d4813bb66f9a5490c03e7d53af47d58

memory/1604-95-0x0000000005060000-0x000000000529A000-memory.dmp

memory/2296-97-0x00000000012F0000-0x0000000001FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\217A.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

memory/1916-108-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/2296-109-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2296-111-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2296-113-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2296-114-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2296-116-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2296-118-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2296-121-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2296-123-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2296-126-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2296-128-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2296-131-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2296-133-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2296-136-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38F1.exe

MD5 08c7993cba41d1e99087c7563d86acbb
SHA1 23c7393fe790acbeed959c6198c8c5657da1e7ef
SHA256 791146f020de235494a4d80045743b22dd12430a8fe20d90ddd89e95ec2deb5b
SHA512 623250d5e18f0324338d8fe5b86244982d10fa9a6302cb30102783646745373199012aa35df245dec1853044fc67165af2cf94666abcaad6ef8b321fe74db1a2

memory/840-145-0x0000000000250000-0x00000000004A2000-memory.dmp

memory/1604-146-0x0000000073D60000-0x000000007444E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\38F1.exe

MD5 de126d2ab8fe0b4ba1fbb1fabb98a92e
SHA1 33a16c5267e02d394b2c9e53e8d32bfe635c067e
SHA256 4f9d4170b57f57e094fd8744143f0992320e6eee9df2a75d03dd58ba6f494a95
SHA512 cb11c04f729a162c0a4d40752e849d2b065695a386743238ecabaa264ddb730a700660d89bb4094529ebf448875fa039818859950cc4ce82211bff596071e87c

memory/1916-150-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

memory/1916-154-0x0000000000220000-0x000000000028B000-memory.dmp

memory/1916-156-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/2296-158-0x0000000000150000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\466A.exe

MD5 2720b13efe7efd301e55e2842fa79144
SHA1 fa88aeb2f671070b4263acad18335b99de78cc28
SHA256 44d12fb26d47338e99659e731679755acaefe86a513e0c6c49cb87a211280c4f
SHA512 035e975d11aa25e80c799abd630db925c156a5173951c6881aa779282cca8929235f0638973ca06b43772bd15067b390ecdee5e6006e470e79aa6b21758277a1

memory/2380-167-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 c75cbb954f63d490e03fceea09bc8e32
SHA1 bd87491341ddba3ca9ff4b96cbf50c8dfa1a7a2b
SHA256 b73fed3630a6c199a455ab1342eb3d6afff32d60a4122b50ac2b3c547ae4d2f8
SHA512 1a3292adfdda199aac202bac82374f3a927ccd2da516334b27ef4d7d3348370deb00341be01d720da4a6e00f7fe6d6e98aab2a35ecad83145c1c07c0ff053d48

C:\Users\Admin\AppData\Local\Temp\april.exe

MD5 c73bc3df042e28aec3b3624e60c32a7c
SHA1 59d8364cf706419d4d1cad16add50e7bda268b09
SHA256 6c67ccedff9062fba93f27e1e780ee482c066cbfa3e46617ccdb354f0e216771
SHA512 97a1b705a31dfb094d4acae84094c4a1e79bedffa94bd26b6683e41bf4232c732bd18f2a6349fcf557a034ebc4976c308437cc8efcf56c781cf72a601fa3d75f

\Users\Admin\AppData\Local\Temp\197E.exe

MD5 e5e2eece8c0b563097fd4dbc979a5db4
SHA1 ab6b685633b23b059ed3653094f2dea0d45cb08f
SHA256 d6d51d8018797ae24cba1a108fa0198ae48db2d8e1e560ec8b22eb721ba2ef4c
SHA512 609f8a3c339f0ec16cb038bd6a37386876870e32d017568f532f85a32a705f7d2dcc7e5eb3bdb7ed148cd9e6f953b6f0b103b6cc5a0c1132a5571d2462f4a094

C:\Users\Admin\AppData\Local\Temp\april.exe

MD5 7e4cab8d4afb695d8c036c20aa5cc2a4
SHA1 2bef85d07704564607e7983852ecb081010ba605
SHA256 b08c46dee564834f052938ed423a9247a00a3d6d0c6cd3767694bf7d008e21dc
SHA512 f6e217ede07e912a193a965661c2f6fd04f39d58bc213dbabf45028bf09472ccc186f586a964f8bbe211bd0ac58264a2fb04924397e0d0834001898c0757f8e5

memory/840-185-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/1288-184-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7F4QC.tmp\april.tmp

MD5 4df57aaf92a50f25127408e03415e9ae
SHA1 8f7670cfae2f405be830c8ec5f06856358d301a1
SHA256 d247810adf596b210b373af971bfeeeebea4f574cf2175d87d4899dcfa6e405c
SHA512 a2bbb20f3d41b86f01455640c188b2c80d2bf8559ffd335e4cbeac7d70b8d88da3f75432e19a3597ffb79c183c32e1f071f0d259b277caf9173cf60479d312b5

C:\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp

MD5 c525e77d2e33c307848205b1921c23b9
SHA1 195ed1d4581bba1ee5d5d2bdc54835a20f60b146
SHA256 559471df6c535e3bdf7072c3a7de93cf7260a070c12f39480bb992036a593cdf
SHA512 9ab82dcb85ca1b1233182b21c36d2c1d1e5bf6e5debb6a8c3f481d7e9f54b97aa0223f428abe7efcf915b2a411dc1f85fa2c8c900c85edf252ad9b6a19a5242e

\Users\Admin\AppData\Local\Temp\is-L3E5V.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Email Box Organizer\is-30O1N.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

\Users\Admin\AppData\Local\Temp\is-L3E5V.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-NBFM7.tmp\466A.tmp

MD5 33da9dc521f467c0405d3ef5377ce04b
SHA1 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f
SHA256 dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c
SHA512 a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

MD5 37d284e87eceacea55df22ce74605ebe
SHA1 86408c00ddb91986e996f61865c78ac19f2f28ef
SHA256 507bbf6666d88a286c030eaa1c065048bcec1f39b7c36296ee54245f30c94025
SHA512 10297220cd597cc0f61d68a1934ea6cf1e43d8a18e85a150fd61e70efe9a556925452123a55259326e2c0bc43757369835e93a3351324be792fde97078c3d54a

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

MD5 925124964e0da47419dee645fbedf1fd
SHA1 ade75c567e5ec025e80f14d82bb044cf1b3220b9
SHA256 a387c71e0e84c0e8c47347fbfbb83c30ae21dc3a18f0ad6cb5df79843e649b84
SHA512 87cd638ea07b0ee08b0aa7b798f60b34486e3f3001d4968be4f61d45496db27e279f517e2a9f7f8079677b4f98503414a9cad98ece53c7f699eb403979b6ca8f

\Users\Admin\AppData\Local\Temp\april.exe

MD5 f39dd4217ca407ca45ec79e43e1939a2
SHA1 c52b1e1f33008c38755f8aeebd91302bafb5ae20
SHA256 055a30c4c817c6d85dc96971bf974f47eec8a420a02084e02a40d05bfc1ff58a
SHA512 a2444bc348f4eb3ecf9cb1850559d2c3e4ec48e2ea3caefb7608ee88c92da40e7cf2ee2c187c929eaa90cc22ad4a8fa72eeda944fd9ecfcf658779d7aa9be307

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 c7118610fefdaad90083c662bd4ef37f
SHA1 9c051ff43747b8b52032b3cbe4d5b9a1edf8b9a5
SHA256 333836d1c49ef069087f74844295e31ac2273b5337c2c2d70eb3c8f74901af14
SHA512 7afa9b4b623927dee5a46ce471eb73dfa295dd989f789accf274526c618e2996ed5bd0d0a1930d84395a01412ccd966eca51359187e5612d18a988206e09d256

memory/840-160-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/1604-165-0x0000000000980000-0x00000000009C0000-memory.dmp

memory/2296-157-0x00000000012F0000-0x0000000001FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6550.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 053eeb9e1945aca4425205986c36620c
SHA1 7b29cdee2ed7b5a9fa3fc04f2c3b43b011aa930c
SHA256 d1fffd9e53d2f931d27ad39fd56cb70f7630235537e889017c7edeca2b521425
SHA512 6b5f8b9c61cedc12d77b969bbe3edc2afa0f3aeed0dc87ffb59e20db49b14f3fbc60a18fa2356d3a1cf20c36f0b3dc0632ed6331306028d42b059bed6c608e28

memory/2996-264-0x00000000003E0000-0x000000000088E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 eb7f73f290f1875876c51977441aeba8
SHA1 22b7a335fb75a0576e2ac49faf9c4cd2b755ce17
SHA256 df870d52c6d554711068feac3ec42973f0218c082c8d17356f6c5f1262b7c004
SHA512 233ec8d3fa4e107f59749f485a76e6f14e5f9da648687d556199f0acd6c7146b7c1f4fefeec9aa05b71d57205dbe9480d5fa542ef64e04de33fa33a78d0b4b5a

\Users\Admin\AppData\Local\Temp\u1ik.0.exe

MD5 eae8f1cff410a54725527cd0e759ce41
SHA1 9537e90abd8c6da642f8c26b56fe35997add10f3
SHA256 415a23efec7414a0d75d07b7f57f4af8a3c92deafd35e61226b1efa12cf22f94
SHA512 2d735aac10c0638fc903aa073f12fa5346e1283c8463aa91371967c63047fac15deec8b4bf0f425eb63a9e1e75f6e7116e490c4677797551395b91e95167e5cc

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

MD5 7a8f28fd05ccc91e836fd56251a4425d
SHA1 1d78fada34f0a1064bdb692c562be6c817fbaa7f
SHA256 a50c12cc04019fdcd0d9ca0c9cfc4e69bb988245444930ac3ba5fc7ae8d1df2f
SHA512 9a4253468e9bf3b88df9a0f2291df306125f1bdb79b53a4233ac7e5a07c440e9a0e6f2d5e9482bba1e269ed8548cd55eb6dc24970196e8c1d3c25029d40a7d83

memory/3060-285-0x0000000000400000-0x00000000005D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 8e3d884097d2dad555573d99e916af96
SHA1 649d9267b6255240ce09c9f982e214b524b78648
SHA256 6b3d6c581a7a255fb198b15792cd67de204da441a7c757d2f8bf473837c36457
SHA512 7a9f99e2e9a56fb1858222ff7ba373ceea2016e6f718ddc0e4500a08baeeaae850c5d8fdf5c88eba33e8ba419d68767df24a88563e703001db826f025c54cb1b

\Users\Admin\AppData\Local\Temp\u1ik.1.exe

MD5 2692835e4a6eab15be64ef77ea797ec4
SHA1 7473986d972424b55a15e7ca6bd6845e372765d9
SHA256 4cbc9b7f5a181e9e9e4e01c3a8f1aff1dd42f68235fa88ba1bd9e1fd69cdcbba
SHA512 37e4115a16f7b88953198706d0c0f053740027eae8e729e0c6a8e703c8036b92184518ede0d84b97c14b24397bead49c6c8412a2e4d1b10376a0aa5084076eae

C:\Users\Admin\AppData\Local\Temp\u1ik.1.exe

MD5 14f16a065ed9312017ea917244e91e5c
SHA1 1ab9f23276f95b684556673b4c5c9235490a2158
SHA256 4ebf18592c3a8df3f36828431e5f53209b73fd9c33d549b8e7fd5f7ab7d9ae11
SHA512 62f9e3262e9268408469cab84cdc26f417645bffbbeb56725ee68a6de4cf5e6691ae7f4afd8d2ea119865c7dc1de1e2e99134cfbf533a740fb67eb6068dfff35

memory/1964-302-0x000000000093F000-0x0000000000975000-memory.dmp

memory/1964-303-0x0000000000250000-0x00000000002B7000-memory.dmp

memory/1964-304-0x0000000000400000-0x000000000049B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B67.exe

MD5 5edc27f4fb945833e627a554407746a1
SHA1 ce0f744e2a827d7ba428562f7fd4932e6f144cbc
SHA256 608f8c358e578d87c5668673eff699f5bceb5a9fff9a9b51a0da6b1be51b1466
SHA512 4deea18efe3c586f7a7ceb240819b88fc17ea3ad1bef238eec9c7d4d2ab50e3b4040cf4cf544fd82e0607da41b83fde156205904faf5a3b329df461fcbbc3c50

\Users\Admin\AppData\Local\Temp\u1ik.1.exe

MD5 878c830c1299b4949edcff11bbf20d04
SHA1 b1262134e25928e4708a125a6736d756c9d0f4bf
SHA256 0edfafbe74c65b4d37f1f5a5ce8cde9012bb99682af03c92071819d24e6959aa
SHA512 650491fdbace695af97871036dbf86bd5e9b2ea8494110b166a339b1f761dbd2a3b2fee020bbb817f3a3cfd06491103791fc81c62f61a30b0a7066e8ee961f3b

\Users\Admin\AppData\Local\Temp\u1ik.1.exe

MD5 01a90e9b395761e38299d1bf60706e31
SHA1 1d760ee68f064ef2efb345b929a59b662fe5070f
SHA256 1f0fab66b4e866692bb196aa02e61ff685f6bdc23bb69269549191e6879f36cd
SHA512 3d6c46e9cad52d8544f31cfcdac28c9932f487b9d7330f3c4be1184e99eaa1e666031c5912384665d39b32c9b9223260e5051ed2a7d9eb4e19f3f2320a10c7b0

C:\Users\Admin\AppData\Local\Text Ultra Edit\textultraedit.exe

MD5 0cd7cc1ececd29f44a846dc3516c0464
SHA1 1a7c9e06d63555df7541c76e009d0e8e6ee0c768
SHA256 be8614ab582d6b194ccac803679c2209868b585480a77f9eff56155ce89168cf
SHA512 099df213b13685478cfd758392299d17ddf22614cc387244ab9befdf62062f92b607927d799d03ac7584d7529a88a6be62a06cd0b8149995f96a72a01fe6c66b

C:\Windows\Tasks\explorgu.job

MD5 f89ced814efbeca417345c599500c7aa
SHA1 983dcfbc44237f3d10f9916603ee22f61a8e49e6
SHA256 1cbeda558707ffb80a85917570e5174ef197862e9ed4ded946f2d48c421ebd43
SHA512 3b9cd8c81f49931e849de1897d645509db92e5bc580a943c3c257d775a92f790101c8b3c421cea2c7ad23a468b65c6019e92cf6168fb3f231ea9a9da5ace9b15

\Users\Admin\AppData\Local\Temp\EF51.exe

MD5 a312ddba00ea2c394a4675991ac079ae
SHA1 903adb62a739556ce565e508b5f9890bb27ffc62
SHA256 05eeaebff84be64c401ab40dcaf095107ab0fba5d2f6868e9addde3bd8e7fffe
SHA512 07f10e99bdd5ca98dfafca72a26f54eda4cf052b20e8baf39f3569f4cf0b269b0a95a2f92844405614d9f4c63dfb3601a45dd2fba1343fc28c5685464da6c1fe

memory/1392-320-0x0000000000BD6000-0x0000000000BEB000-memory.dmp

memory/1392-322-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1392-323-0x0000000000400000-0x0000000000724000-memory.dmp

\Users\Admin\AppData\Local\Temp\EF51.exe

MD5 68e81892b80fa6716025fcb1a2af36ff
SHA1 0b3d95ca92fcd52882481053435bd5d854d82b1d
SHA256 7e4ad35d21b4ac44c746c71fa43151528093ce2c87ead245dd3a7b3ea90fb1c2
SHA512 4833b872a2cd74e25268c49879f35709f6deeafcca95d94344b431605f6ab5c1e341725a39ba3c36499eea44f365866f0f033203d3b70345c1c817828b2d92e4

C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

MD5 a3f8b60a08da0f600cfce3bb600d5cb3
SHA1 b00d7721767b717b3337b5c6dade4ebf2d56345e
SHA256 0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb
SHA512 14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

MD5 b873ccdd97b4ded1a9cc656fbcacbbd3
SHA1 288af299ca89eaff08e43ef30cea363ed634242c
SHA256 58a9ce8c6b76493f1b2cd1d3af80abd73c64654639accab104fa244e5d48280c
SHA512 b36bdd51920bf7c61109861763cb7e28b67831acc2e3ee4e0f0c265f7e437f18dcb0d057df8fc59a64b22c723281c838eeb69e91ee36fd768f8281cb3d855f4e

memory/1120-338-0x00000000009A0000-0x0000000000A2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 92fbdfccf6a63acef2743631d16652a7
SHA1 971968b1378dd89d59d7f84bf92f16fc68664506
SHA256 b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512 b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

C:\Users\Admin\AppData\Local\Temp\1000837001\goldprime1234.exe

MD5 0c4fee8706a8ea370b7a272b7c5bbc85
SHA1 bda2a1ebc921db843d06aa5074884207ccbe9242
SHA256 9ec8397acd7c4106763ba84f4ebe1fd1cf39b4b0de442be8f89cd57de6151aac
SHA512 dd2c1d00325533db2cc5fe14ab52747182a494a2524e4f891e3dcd3ce2ab9685322a9fe1f5f2bd2b9808d6f1efab2a9cdfcc762016935464a7ddd237e620f9a4

memory/2012-403-0x00000000000D0000-0x0000000000162000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

C:\Users\Admin\AppData\Local\Temp\1000858001\alex12341.exe

MD5 5bc4c899b1a92d101d4377016c856fbb
SHA1 40a1085239dd4b3698ecf76417285ccfa8b3b1d4
SHA256 efbb4590bdb6beb761525fbb3005c8328de0e2aabeb358ac259fff88de8efdbb
SHA512 21ec4ab6d5837f69abbaf45a15156a9efe43d1a490adac5489785b1f2bd872bd57848336ba2f530bd881f6c7b6433d422c158591d1049e52b5b0d832980c0903

C:\Users\Admin\AppData\Local\Temp\1000838001\judith1234.exe

MD5 12b6f76b557ac91491e84f979cb8af08
SHA1 1ee68fe2041399e7a0727b3e3f60bd03ed8555a2
SHA256 acf2c667463495b2b04e915080cbf100d6addab4d1b5bd4d69cc69894f9ea734
SHA512 52dd6d7baa04e5d329d1bcf5b52257b3ac59b09817d6f6db0dbe1fe25faa86c5c12cbb1fdb40b853fe80d8643fa1786c99ac5b829a49511d56ee39a996904ca3

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\1000865001\dais.exe

MD5 1f22a7e6656435da34317aa3e7a95f51
SHA1 8bec84fa7a4a5e4113ea3548eb0c0d95d050f218
SHA256 55fbfaaeee07219fa0c1854b2d594a4b334d94fad72e84f9f4b24f367628ca6c
SHA512 a263145b00ff21ecaf04214996f1b277db13bdc5013591c3c9cf25e9082fc99bc5e357f56aba4cea4dbcc68f85262fe7bbd7f1cec93cde81c0b30dae77f1b95e

memory/2384-531-0x0000000000946000-0x000000000095B000-memory.dmp

memory/1164-535-0x000000001B540000-0x000000001B822000-memory.dmp

memory/1164-536-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1616-529-0x00000000008A0000-0x0000000000A5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe

MD5 538210b986be477618df46f781b648e8
SHA1 b504ec3dbc01ffa194990d454f82b6170d281a4a
SHA256 0aaf7021364e865bbfc649dea016af730fc382a7ef41c24d570a5b2302104551
SHA512 ddbbe251015fb78b17025c92914ba429446a8464f6cf99f8f14ed14590f5c1edaa7122519b5699f73eed5b2ba31441f9cbf565fdc3050b0163c5cd2403281bb8

memory/1776-538-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

memory/2384-534-0x0000000000400000-0x0000000000724000-memory.dmp

memory/2384-533-0x0000000000220000-0x0000000000247000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000874021\random.cmd

MD5 7ca00195b480ee284ddaebfea321f27e
SHA1 a9ef34c03c1285c450b0414a20fce7f9533f7fa6
SHA256 c133cb730f4483b60434981714e8544a30bdb422376495c74aabeb16b13fd5d6
SHA512 c78ba3153ac0999f71c1ab0e5c4738e2e46d03f6567045e8c5ec3bd7157adabe4ce61b56554c546ce6070f09c84f26a64354ffaef0bf32175a4b40c27d4a3035

memory/1164-590-0x000000000285B000-0x00000000028C2000-memory.dmp

memory/1616-593-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/1164-586-0x0000000002854000-0x0000000002857000-memory.dmp

memory/2792-601-0x0000000000400000-0x0000000000592000-memory.dmp

memory/1164-584-0x000007FEF30D0000-0x000007FEF3A6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

MD5 818dc0dd7334787c46fdf54843c02417
SHA1 7635d080a51c429a0945c1370435c59f45c2ecdc
SHA256 8c234dd732bcbd1bc5db85e94289adcf22a501b643f1fc4da9f06ad664ca5543
SHA512 5ec240a099e320521f5a5bfaaa16b8c90f1f0413dad785aa1ca4002a836e6f96415a456f49f5f3c80c922643acd3dce38664a4d62f09681bf4312bce65f6c934

C:\Users\Admin\AppData\Local\Temp\1000903001\lummahelp.exe

MD5 2360df510c08c4e5c28d1f1781926caa
SHA1 28431c0f11a095ca7accc2e2bb3e478071c1f6f6
SHA256 78efb7926cb47df2ad223406af9b0d6b5a099fa111564f82b3c9c38dbb9ecb59
SHA512 e8b95e94c845c76b14b71d1fd5ac0380c34c142e0f24bdaf1df4524a7371a323ba2180bb46d3d817a6338e8013af5f5a4bf3066d62ad867bfd3fc7ad09e66540

memory/2688-514-0x0000000001100000-0x0000000001154000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000935001\InstallSetup3.exe

MD5 de0a3c0f33147c7f1f7046d7013bb4be
SHA1 0d2ab457db0beb7b1c87975d565278fe9fda516e
SHA256 2c5734dbe0498b97b7c06fee2f249b8c87100167e0eda86a59b1249c91156b48
SHA512 fc4f04eb0442bbc90decdabc97a6ed27c3e4d9767eed5e250b15d1ba48a8696935971f60aea6ed1824ab203101cfa73506ca5d691c9f6e9c456150da43c23fca

C:\Users\Admin\AppData\Local\Temp\1000010001\frukt.exe

MD5 0348f416c569b4276adbd2101d283669
SHA1 e90e94a49d3e97f5f64b11810ce07e07b0b6dc2d
SHA256 c85575e45adf9aa4fe23b0c23e5834bd51140f507fc0d3f71213824f1b9ab6ba
SHA512 0b8b0e96bb9467eb7e17d4cf918e81fb84284629f70bb1be4e96dcfc524ca8ef4aa93848e1770b737faa94391f479f2f548a692986a7f47e27974e5b50956295

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 15a42d3e4579da615a384c717ab2109b
SHA1 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA256 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA512 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

C:\Users\Admin\AppData\Local\Temp\nsp7CB2.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 726cd06231883a159ec1ce28dd538699
SHA1 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

C:\Users\Admin\AppData\Local\Temp\F66.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\7818.exe

MD5 4cfc8ad2dcdb75023522d8ce5399b848
SHA1 e9df741de3aa107dbef0b0b57e15b6f2ddb55d21
SHA256 0245b98c5523f0fe169741a6eae0bf56e194aa1b77f8b20ca30f2f3a78ce7da5
SHA512 c3afa71e76a47a21e3fc23880ac76bc7813f2ad7d6d7f09f61c3d69acabe3cc2c8ba5c7d5f54a2fb2713613b85323327deb4a5b525e6cb449b31f697e55bf444

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 05:12

Reported

2024-03-14 05:18

Platform

win10-20240221-en

Max time kernel

170s

Max time network

303s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Pitou

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\D092.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\D092.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\D092.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\D092.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\FE76.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CAAKFIIDGI.exe" C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\9887.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D092.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2772 set thread context of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 764 set thread context of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E8FD.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E8FD.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E8FD.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe
PID 3300 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe
PID 3300 wrote to memory of 3884 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe
PID 3300 wrote to memory of 4120 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3300 wrote to memory of 4120 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4120 wrote to memory of 3752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4120 wrote to memory of 3752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4120 wrote to memory of 3752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3300 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 3300 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 3300 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 3300 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\Temp\376A.exe
PID 3300 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\Temp\376A.exe
PID 3300 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\Temp\376A.exe
PID 3300 wrote to memory of 4984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F00.exe
PID 3300 wrote to memory of 4984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F00.exe
PID 3300 wrote to memory of 4984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F00.exe
PID 3300 wrote to memory of 3484 N/A N/A C:\Users\Admin\AppData\Local\Temp\9887.exe
PID 3300 wrote to memory of 3484 N/A N/A C:\Users\Admin\AppData\Local\Temp\9887.exe
PID 3300 wrote to memory of 3484 N/A N/A C:\Users\Admin\AppData\Local\Temp\9887.exe
PID 3300 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe
PID 3300 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe
PID 3300 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe
PID 5100 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 5100 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 5100 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 3300 wrote to memory of 316 N/A N/A C:\Users\Admin\AppData\Local\Temp\A981.exe
PID 3300 wrote to memory of 316 N/A N/A C:\Users\Admin\AppData\Local\Temp\A981.exe
PID 3300 wrote to memory of 316 N/A N/A C:\Users\Admin\AppData\Local\Temp\A981.exe
PID 5100 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\april.exe
PID 5100 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\april.exe
PID 5100 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\A0E5.exe C:\Users\Admin\AppData\Local\Temp\april.exe
PID 4604 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\april.exe C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp
PID 4604 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\april.exe C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp
PID 4604 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\april.exe C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp
PID 316 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\A981.exe C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
PID 316 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\A981.exe C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
PID 316 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\A981.exe C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 1484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4380 wrote to memory of 1484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1484 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1484 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe
PID 4608 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe
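Each row above is one cross-process memory write, so the same writer/target pair repeats (PID 2772 wrote into 2904 eight times, 764 into MsBuild.exe nine times). Collapsing the rows into a graph makes the injection chains readable, and the writer whose own image is N/A (PID 3300) is the process the sandbox could not attribute, which is where the chains anchor. The Python below is an added example, not part of the report or of the sandbox that produced it; it parses a constructed subset of the rows above and assumes image paths contain no spaces, which holds for every row on this page.

```python
import re
from collections import Counter

# Rows copied from the "wrote to memory" table above (constructed subset).
# The bare "N/A" after the target PID is a column the sandbox left empty;
# "N/A" in the source-image slot means the writer was not a tracked process.
ROWS = r"""
PID 4120 wrote to memory of 3752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3300 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 3300 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 2772 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\FE76.exe C:\Users\Admin\AppData\Local\Temp\FE76.exe
PID 3300 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\Temp\376A.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 764 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\376A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 1484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
"""

# Assumption: image paths carry no spaces (true for every row on this page).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples, one per row."""
    out = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def build_graph(rows):
    """Collapse repeated rows into one edge with a write count, and record
    the image seen for each PID (N/A for writers the sandbox did not track)."""
    edges = Counter()
    images = {}
    parent = {}
    for src, dst, src_img, dst_img in rows:
        edges[(src, dst)] += 1
        images.setdefault(src, src_img)
        images[dst] = dst_img
        parent.setdefault(dst, src)  # first writer wins; the chains here are trees
    return edges, images, parent


def chain(parent, pid):
    """Walk writer links back to the root, e.g. 5104 -> 4380 -> 1484."""
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def system_binary_targets(edges, images):
    """Edges whose target lives under the Windows directory: writes into a
    trusted host process (regsvr32, rundll32 and MSBuild on this page)."""
    hits = []
    for (src, dst), n in sorted(edges.items()):
        if images[dst].lower().startswith("c:\\windows\\"):
            hits.append((src, dst, images[dst], n))
    return hits


if __name__ == "__main__":
    edges, images, parent = build_graph(parse_rows(ROWS))
    for src, dst, img, n in system_binary_targets(edges, images):
        print(f"{' -> '.join(map(str, chain(parent, dst)))}  {img}  ({n} writes)")
```

Running it prints the four chains that end in a Windows binary, with the write count per edge; the chains rooted at 3300 are the ones to pivot on in the process tree, because that writer has no image of its own in the table.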

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe
    "C:\Users\Admin\AppData\Local\Temp\d5870c7a3755e9c9099974743838d1be43d97b8e4a5578cfc552bf283c27b544.exe"

C:\Users\Admin\AppData\Local\Temp\EA31.exe
    C:\Users\Admin\AppData\Local\Temp\EA31.exe

C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F52E.dll

C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\F52E.dll

C:\Users\Admin\AppData\Local\Temp\FE76.exe
    C:\Users\Admin\AppData\Local\Temp\FE76.exe

C:\Users\Admin\AppData\Local\Temp\FE76.exe
    C:\Users\Admin\AppData\Local\Temp\FE76.exe

C:\Users\Admin\AppData\Local\Temp\376A.exe
    C:\Users\Admin\AppData\Local\Temp\376A.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
    C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\8F00.exe
    C:\Users\Admin\AppData\Local\Temp\8F00.exe

C:\Users\Admin\AppData\Local\Temp\9887.exe
    C:\Users\Admin\AppData\Local\Temp\9887.exe

C:\Users\Admin\AppData\Local\Temp\A0E5.exe
    C:\Users\Admin\AppData\Local\Temp\A0E5.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

C:\Users\Admin\AppData\Local\Temp\april.exe
    "C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\A981.exe
    C:\Users\Admin\AppData\Local\Temp\A981.exe

C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp" /SL5="$60230,1697899,56832,C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PJ0FH.tmp\A981.tmp" /SL5="$3027E,1678053,54272,C:\Users\Admin\AppData\Local\Temp\A981.exe"

C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe
    netsh wlan show profiles

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 988

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 968

C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u3k0.0.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 924

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\824464007487_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\D092.exe
    C:\Users\Admin\AppData\Local\Temp\D092.exe

C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u3k0.1.exe"

C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\E8FD.exe
    C:\Users\Admin\AppData\Local\Temp\E8FD.exe

C:\Windows\SysWOW64\chcp.com
    chcp 1251

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"

C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe
    "C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe"

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe

C:\Windows\SysWOW64\PING.EXE
    ping 2.2.2.2 -n 1 -w 3000
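Several of the command lines in the list above are worth checking mechanically rather than by eye: the schtasks /create entry (a task named MalayamaraUpdate that runs Updater.exe from Temp every 30 minutes), the rundll32 invocations that load cred64.dll and clip64.dll from a folder under Roaming (the SysWOW64 rundll32 wrote into the system32 one, the 4380 -> 1484 row above), netsh wlan show profiles, the PowerShell Compress-Archive of a _Files_ staging folder, the chcp 1251 code-page switch, and cmd /C ping ... & Del, which uses ping as a sleep before deleting CAAKFIIDGI.exe. The WerFault.exe entries name PIDs 4984 and 5116, which the memory-write rows tie to 8F00.exe and to the MsBuild.exe that 376A.exe wrote into, so those are crashes of dropped or injected code. The Python below is an added example, not the report's own tooling; it runs a small rule set over a constructed subset of the image/command-line pairs above. The ATT&CK technique IDs are my mapping, not the report's.

```python
import re

# (image, command line) pairs copied from the Processes list above; a
# constructed subset that also keeps rows no rule should fire on.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\EA31.exe",
     r"C:\Users\Admin\AppData\Local\Temp\EA31.exe"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main'),
    (r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 988"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 924"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
     r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\824464007487_Desktop.zip' -CompressionLevel Optimal"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (r"C:\Windows\SysWOW64\chcp.com", "chcp 1251"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F'''),
    (r"C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-SU88B.tmp\april.tmp" /SL5="$60230,1697899,56832,C:\Users\Admin\AppData\Local\Temp\april.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAAKFIIDGI.exe'),
]

# (ATT&CK technique, description, pattern). The technique mapping is mine.
RULES = [
    ("T1053.005", "scheduled task pointing at a dropped file",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\\Temp\\", re.I)),
    ("T1218.011", "rundll32 loading a DLL from the user profile",
     re.compile(r'rundll32(?:\.exe)?"?\s+"?C:\\Users\\[^\s,"]+\.dll', re.I)),
    ("T1016.002", "Wi-Fi profile enumeration",
     re.compile(r"\bnetsh\s+wlan\s+show\s+profiles?\b", re.I)),
    ("T1560.001", "collected files archived with a built-in utility",
     re.compile(r"\bCompress-Archive\b", re.I)),
    ("T1070.004", "ping used as a sleep before deleting a file",
     re.compile(r"\bping\b.*&\s*del\b", re.I)),
    ("informational", "console code page switched to 1251 (Cyrillic)",
     re.compile(r"\bchcp\s+1251\b", re.I)),
]

WERFAULT_PID = re.compile(r"\bWerFault\.exe\b.*\s-p\s+(\d+)", re.I)


def triage(processes):
    """Return (technique, description, image, command line) for every rule hit."""
    hits = []
    for image, cmdline in processes:
        for technique, desc, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((technique, desc, image, cmdline))
    return hits


def crashed_pids(processes):
    """PIDs named by WerFault.exe -p; cross-reference them with the memory-write rows."""
    pids = set()
    for _, cmdline in processes:
        m = WERFAULT_PID.search(cmdline)
        if m:
            pids.add(int(m.group(1)))
    return sorted(pids)


if __name__ == "__main__":
    for technique, desc, image, cmdline in triage(PROCESSES):
        print(f"[{technique}] {desc}\n    {image}\n    {cmdline}")
    print("crashed PIDs:", crashed_pids(PROCESSES))
```

The rules key on the shape of the command line, not on file names, so a renamed Updater.exe or a different DLL in Roaming still fires; the Inno Setup /SL5= child and the plain dropper launches stay silent, which is the point of keeping them in the sample set.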

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 45.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 104.21.29.103:80 midnight.bestsup.su tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 172.67.181.250:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 250.181.67.172.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 herdbescuitinjurywu.shop udp
US 172.67.206.194:443 herdbescuitinjurywu.shop tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 194.206.67.172.in-addr.arpa udp
US 172.67.181.250:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 187.128.172.185.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 trmpc.com udp
PA 190.218.35.32:80 trmpc.com tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
US 8.8.8.8:53 32.35.218.190.in-addr.arpa udp
DE 185.172.128.187:80 185.172.128.187 tcp
FR 80.67.172.162:443 tcp
US 184.105.220.24:9001 tcp
US 8.8.8.8:53 162.172.67.80.in-addr.arpa udp
AU 124.168.18.172:9001 tcp
FR 51.15.246.170:443 tcp
US 162.251.116.10:443 tcp
NO 95.141.83.146:443 tcp
US 8.8.8.8:53 170.246.15.51.in-addr.arpa udp
US 8.8.8.8:53 146.83.141.95.in-addr.arpa udp
US 8.8.8.8:53 10.116.251.162.in-addr.arpa udp
N/A 127.0.0.1:50271 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 nidoe.org udp
AR 190.195.60.212:80 nidoe.org tcp
US 162.251.116.10:443 tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
NO 95.141.83.146:443 tcp
AR 190.195.60.212:80 nidoe.org tcp
N/A 127.0.0.1:20129 tcp
AR 190.195.60.212:80 nidoe.org tcp
AR 190.195.60.212:80 nidoe.org tcp
AR 190.195.60.212:80 nidoe.org tcp
AR 190.195.60.212:80 nidoe.org tcp
AR 190.195.60.212:80 nidoe.org tcp
AR 190.195.60.212:80 nidoe.org tcp
N/A 127.0.0.1:20129 tcp
AR 190.195.60.212:80 nidoe.org tcp
N/A 127.0.0.1:20129 tcp
AR 190.195.60.212:80 nidoe.org tcp
N/A 127.0.0.1:20129 tcp
US 8.8.8.8:53 account.kemnaker.go.id udp
N/A 127.0.0.1:20129 tcp
N/A 127.0.0.1:50402 tcp
N/A 127.0.0.1:50408 tcp
US 8.8.8.8:53 bluesea.com.bd udp
US 8.8.8.8:53 account.kemnaker.go.id udp
US 8.8.8.8:53 bluesea.com.bd udp
US 8.8.8.8:53 pendaftaran.unpad.ac.id udp
US 8.8.8.8:53 regayzanko.com udp
US 8.8.8.8:53 pendaftaran.unpad.ac.id udp
ID 149.129.233.232:22 account.kemnaker.go.id tcp
ID 149.129.233.232:443 account.kemnaker.go.id tcp
US 8.8.8.8:53 regayzanko.com udp
US 8.8.8.8:53 masryonsat.net udp
ID 149.129.233.232:21 account.kemnaker.go.id tcp
US 8.8.8.8:53 masryonsat.net udp
ID 111.223.252.90:443 pendaftaran.unpad.ac.id tcp
US 8.8.8.8:53 stud.infostud.uniroma1.it udp
ID 149.129.233.232:143 account.kemnaker.go.id tcp
US 8.8.8.8:53 stud.infostud.uniroma1.it udp
ID 111.223.252.90:21 pendaftaran.unpad.ac.id tcp
ID 111.223.252.90:22 pendaftaran.unpad.ac.id tcp
US 172.67.180.4:22 regayzanko.com tcp
US 172.67.180.4:21 regayzanko.com tcp
ID 149.129.233.232:465 account.kemnaker.go.id tcp
US 8.8.8.8:53 232.233.129.149.in-addr.arpa udp
ID 149.129.233.232:80 account.kemnaker.go.id tcp
US 8.8.8.8:53 farmasiint.com udp
US 172.67.180.4:443 regayzanko.com tcp
US 8.8.8.8:53 sloty.com udp
SG 172.96.191.76:21 masryonsat.net tcp
SG 172.96.191.76:22 masryonsat.net tcp
ID 149.129.233.232:995 account.kemnaker.go.id tcp
US 8.8.8.8:53 farmasiint.com udp
US 8.8.8.8:53 90.252.223.111.in-addr.arpa udp
US 8.8.8.8:53 adobeid.services.adobe.com udp
US 8.8.8.8:53 sloty.com udp
ID 111.223.252.90:143 pendaftaran.unpad.ac.id tcp
SG 172.96.191.76:443 masryonsat.net tcp
IT 151.100.101.215:22 stud.infostud.uniroma1.it tcp
IT 151.100.101.215:21 stud.infostud.uniroma1.it tcp
ID 111.223.252.90:465 pendaftaran.unpad.ac.id tcp
US 8.8.8.8:53 bluesea.com.bd udp
US 8.8.8.8:53 adobeid.services.adobe.com udp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
US 172.67.180.4:143 regayzanko.com tcp
US 8.8.8.8:53 4.180.67.172.in-addr.arpa udp
US 172.67.180.4:465 regayzanko.com tcp
IT 151.100.101.215:443 stud.infostud.uniroma1.it tcp
TR 195.46.154.244:22 farmasiint.com tcp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
GB 107.154.212.223:22 sloty.com tcp
US 8.8.8.8:53 claimfreecoins.io udp
ID 111.223.252.90:995 pendaftaran.unpad.ac.id tcp
ID 147.139.164.60:22 account.kemnaker.go.id tcp
US 8.8.8.8:53 76.191.96.172.in-addr.arpa udp
US 8.8.8.8:53 claimfreecoins.io udp
US 172.67.180.4:80 regayzanko.com tcp
ID 147.139.164.60:21 account.kemnaker.go.id tcp
SG 172.96.191.76:143 masryonsat.net tcp
ID 149.129.233.232:80 account.kemnaker.go.id tcp
TR 195.46.154.244:21 farmasiint.com tcp
GB 107.154.212.223:21 sloty.com tcp
ID 111.223.252.90:80 pendaftaran.unpad.ac.id tcp
US 172.67.180.4:995 regayzanko.com tcp
US 8.8.8.8:53 sloty-com.mail.protection.outlook.com udp
ID 147.139.164.60:143 account.kemnaker.go.id tcp
US 8.8.8.8:53 farmasiint-com.mail.protection.outlook.com udp
US 172.67.180.4:80 regayzanko.com tcp
TR 195.46.154.244:443 farmasiint.com tcp
US 104.21.31.220:21 regayzanko.com tcp
US 104.21.31.220:22 regayzanko.com tcp
ID 147.139.164.60:465 account.kemnaker.go.id tcp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
US 172.64.155.61:21 adobeid.services.adobe.com tcp
US 172.64.155.61:22 adobeid.services.adobe.com tcp
GB 107.154.212.223:443 sloty.com tcp
US 8.8.8.8:53 bithourly.net udp
US 8.8.8.8:53 215.101.100.151.in-addr.arpa udp
IT 151.100.101.215:143 stud.infostud.uniroma1.it tcp
SG 172.96.191.76:80 masryonsat.net tcp
N/A 127.0.0.1:50412 tcp
SG 172.96.191.76:465 masryonsat.net tcp
US 172.64.155.61:443 adobeid.services.adobe.com tcp
ID 111.223.252.90:80 pendaftaran.unpad.ac.id tcp
ID 149.129.233.232:443 account.kemnaker.go.id tcp
ID 147.139.164.60:995 account.kemnaker.go.id tcp
SG 172.96.191.76:995 masryonsat.net tcp
NL 52.101.73.1:143 farmasiint-com.mail.protection.outlook.com tcp
US 172.67.144.98:22 claimfreecoins.io tcp
US 172.67.144.98:21 claimfreecoins.io tcp
US 104.21.31.220:143 regayzanko.com tcp
IT 151.100.101.215:80 stud.infostud.uniroma1.it tcp
IT 151.100.101.215:465 stud.infostud.uniroma1.it tcp
NL 52.101.73.11:143 sloty-com.mail.protection.outlook.com tcp
IT 151.100.101.215:80 stud.infostud.uniroma1.it tcp
US 104.21.31.220:465 regayzanko.com tcp
US 107.154.248.223:22 sloty.com tcp
NL 52.101.73.11:465 sloty-com.mail.protection.outlook.com tcp
SG 172.96.191.76:80 masryonsat.net tcp
N/A 127.0.0.1:50416 tcp
N/A 127.0.0.1:50422 tcp
N/A 127.0.0.1:50430 tcp
N/A 127.0.0.1:50432 tcp
N/A 127.0.0.1:50434 tcp
N/A 127.0.0.1:50437 tcp
GB 107.154.212.223:80 sloty.com tcp
NL 52.101.73.1:465 farmasiint-com.mail.protection.outlook.com tcp
GB 107.154.212.223:80 sloty.com tcp
US 8.8.8.8:53 bithourly.net udp
US 104.21.31.220:995 regayzanko.com tcp
US 104.18.32.195:22 adobeid.services.adobe.com tcp
N/A 127.0.0.1:50440 tcp
TR 195.46.154.244:80 farmasiint.com tcp
US 104.18.32.195:21 adobeid.services.adobe.com tcp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 bluesea.com.bd udp
US 172.67.180.4:443 regayzanko.com tcp
US 172.67.144.98:443 claimfreecoins.io tcp
N/A 127.0.0.1:50452 tcp
N/A 127.0.0.1:50455 tcp
US 104.21.71.102:22 claimfreecoins.io tcp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
IE 52.101.68.39:143 farmasiint-com.mail.protection.outlook.com tcp
US 104.21.71.102:21 claimfreecoins.io tcp
IE 52.101.68.8:143 sloty-com.mail.protection.outlook.com tcp
IE 52.101.68.8:465 sloty-com.mail.protection.outlook.com tcp
IT 151.100.101.215:995 stud.infostud.uniroma1.it tcp
TR 195.46.154.244:22 farmasiint.com tcp
IE 52.101.68.39:465 farmasiint-com.mail.protection.outlook.com tcp
ID 111.223.252.90:465 pendaftaran.unpad.ac.id tcp
IE 52.101.68.39:143 farmasiint-com.mail.protection.outlook.com tcp
N/A 127.0.0.1:50459 tcp
NL 52.101.73.1:995 farmasiint-com.mail.protection.outlook.com tcp
IE 52.101.68.36:143 farmasiint-com.mail.protection.outlook.com tcp
N/A 127.0.0.1:50462 tcp
N/A 127.0.0.1:50463 tcp
N/A 127.0.0.1:50469 tcp
N/A 127.0.0.1:50477 tcp
N/A 127.0.0.1:50481 tcp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
IE 52.101.68.12:143 sloty-com.mail.protection.outlook.com tcp
IE 52.101.68.39:465 farmasiint-com.mail.protection.outlook.com tcp
NL 52.101.73.6:143 farmasiint-com.mail.protection.outlook.com tcp
IE 52.101.68.36:465 farmasiint-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 myaccount.centerpointenergy.com udp
US 8.8.8.8:53 adobeid.services.adobe.com udp
IE 52.101.68.12:465 sloty-com.mail.protection.outlook.com tcp
IE 52.101.68.39:995 farmasiint-com.mail.protection.outlook.com tcp
NL 52.101.73.6:465 farmasiint-com.mail.protection.outlook.com tcp
SG 172.96.191.76:80 masryonsat.net tcp
US 172.64.155.61:143 adobeid.services.adobe.com tcp
US 172.64.155.61:80 adobeid.services.adobe.com tcp
US 8.8.8.8:53 223.212.154.107.in-addr.arpa udp
IE 52.101.68.36:995 farmasiint-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 244.154.46.195.in-addr.arpa udp
US 8.8.8.8:53 61.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
US 8.8.8.8:53 bluesea.com.bd udp
US 8.8.8.8:53 _dc-mx.7f0121abe11c.claimfreecoins.io udp
US 8.8.8.8:53 sloty-com.mail.protection.outlook.com udp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 bithourly.net udp
US 8.8.8.8:53 myaccount.centerpointenergy.com udp
US 8.8.8.8:53 project-infinity.cloud udp
US 8.8.8.8:53 adobeid.services.adobe.com udp
N/A 127.0.0.1:50484 tcp
N/A 127.0.0.1:50489 tcp
N/A 127.0.0.1:50491 tcp
N/A 127.0.0.1:50496 tcp
N/A 127.0.0.1:50502 tcp
N/A 127.0.0.1:50505 tcp
N/A 127.0.0.1:50507 tcp
N/A 127.0.0.1:50515 tcp
N/A 127.0.0.1:50518 tcp
N/A 127.0.0.1:50521 tcp
N/A 127.0.0.1:50531 tcp
US 172.67.144.98:80 claimfreecoins.io tcp
N/A 127.0.0.1:50538 tcp
N/A 127.0.0.1:50541 tcp
N/A 127.0.0.1:50544 tcp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
US 8.8.8.8:53 project-infinity.cloud udp
ID 111.223.252.90:443 pendaftaran.unpad.ac.id tcp
N/A 127.0.0.1:50553 tcp
N/A 127.0.0.1:50555 tcp
N/A 127.0.0.1:50559 tcp
N/A 127.0.0.1:50571 tcp
N/A 127.0.0.1:50575 tcp
N/A 127.0.0.1:50582 tcp
N/A 127.0.0.1:50584 tcp
N/A 127.0.0.1:50586 tcp
N/A 127.0.0.1:50590 tcp
N/A 127.0.0.1:50594 tcp
N/A 127.0.0.1:50597 tcp
N/A 127.0.0.1:50602 tcp
N/A 127.0.0.1:50616 tcp
N/A 127.0.0.1:50623 tcp
N/A 127.0.0.1:50627 tcp
US 8.8.8.8:53 pb-dekthai.com udp
IT 151.100.101.215:443 stud.infostud.uniroma1.it tcp
N/A 127.0.0.1:50632 tcp
N/A 127.0.0.1:50635 tcp
N/A 127.0.0.1:50638 tcp
N/A 127.0.0.1:50645 tcp
N/A 127.0.0.1:50648 tcp
N/A 127.0.0.1:50650 tcp
N/A 127.0.0.1:50653 tcp
N/A 127.0.0.1:50655 tcp
US 8.8.8.8:53 pb-dekthai.com udp
ID 111.223.252.90:80 pendaftaran.unpad.ac.id tcp
US 8.8.8.8:53 idp.nycenet.edu udp
US 8.8.8.8:53 bithourly.net udp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
N/A 127.0.0.1:50663 tcp
N/A 127.0.0.1:50665 tcp
N/A 127.0.0.1:50668 tcp
N/A 127.0.0.1:50675 tcp
N/A 127.0.0.1:50678 tcp
N/A 127.0.0.1:50682 tcp
N/A 127.0.0.1:50684 tcp
N/A 127.0.0.1:50688 tcp
N/A 127.0.0.1:50696 tcp
N/A 127.0.0.1:50704 tcp
N/A 127.0.0.1:50711 tcp
N/A 127.0.0.1:50718 tcp
N/A 127.0.0.1:50723 tcp
N/A 127.0.0.1:50728 tcp
N/A 127.0.0.1:50731 tcp
N/A 127.0.0.1:50735 tcp
N/A 127.0.0.1:50747 tcp
N/A 127.0.0.1:50752 tcp
N/A 127.0.0.1:50755 tcp
N/A 127.0.0.1:50757 tcp
N/A 127.0.0.1:50763 tcp
N/A 127.0.0.1:50766 tcp
N/A 127.0.0.1:50775 tcp
N/A 127.0.0.1:50777 tcp
N/A 127.0.0.1:50781 tcp
US 8.8.8.8:53 lebenslauf2go.de udp
GB 107.154.212.223:80 sloty.com tcp
US 8.8.8.8:53 idp.nycenet.edu udp
US 8.8.8.8:53 lebenslauf2go.de udp
N/A 127.0.0.1:50787 tcp
N/A 127.0.0.1:50792 tcp
N/A 127.0.0.1:50800 tcp
N/A 127.0.0.1:50803 tcp
N/A 127.0.0.1:50808 tcp
N/A 127.0.0.1:50810 tcp
N/A 127.0.0.1:50816 tcp
N/A 127.0.0.1:50824 tcp
N/A 127.0.0.1:50828 tcp
US 8.8.8.8:53 seminolewildcard.com udp
SG 172.96.191.76:80 masryonsat.net tcp
US 8.8.8.8:53 seminolewildcard.com udp
ID 149.129.233.232:80 account.kemnaker.go.id tcp
GB 107.154.212.223:80 sloty.com tcp
N/A 127.0.0.1:50840 tcp
N/A 127.0.0.1:50844 tcp
N/A 127.0.0.1:50846 tcp
N/A 127.0.0.1:50849 tcp
N/A 127.0.0.1:50853 tcp
N/A 127.0.0.1:50859 tcp
N/A 127.0.0.1:50862 tcp
N/A 127.0.0.1:50867 tcp
N/A 127.0.0.1:50872 tcp
N/A 127.0.0.1:50876 tcp
N/A 127.0.0.1:50878 tcp
N/A 127.0.0.1:50880 tcp
US 8.8.8.8:53 madafaka.ru udp
US 8.8.8.8:53 www.farmasi.com.tr udp
US 8.8.8.8:53 madafaka.ru udp
US 13.58.172.217:443 www.farmasi.com.tr tcp
US 8.8.8.8:53 bithourly.net udp
N/A 127.0.0.1:50883 tcp
N/A 127.0.0.1:50887 tcp
N/A 127.0.0.1:50890 tcp
N/A 127.0.0.1:50893 tcp
N/A 127.0.0.1:50900 tcp
N/A 127.0.0.1:50902 tcp
N/A 127.0.0.1:50907 tcp
N/A 127.0.0.1:50909 tcp
N/A 127.0.0.1:50912 tcp
N/A 127.0.0.1:50921 tcp
N/A 127.0.0.1:50925 tcp
N/A 127.0.0.1:50928 tcp
N/A 127.0.0.1:50931 tcp
N/A 127.0.0.1:50933 tcp
N/A 127.0.0.1:50935 tcp
N/A 127.0.0.1:50937 tcp
SG 172.96.191.76:80 masryonsat.net tcp
N/A 127.0.0.1:50943 tcp
N/A 127.0.0.1:50945 tcp
N/A 127.0.0.1:50950 tcp
N/A 127.0.0.1:50953 tcp
N/A 127.0.0.1:50960 tcp
N/A 127.0.0.1:50964 tcp
N/A 127.0.0.1:50967 tcp
N/A 127.0.0.1:50975 tcp
N/A 127.0.0.1:50977 tcp
N/A 127.0.0.1:50979 tcp
N/A 127.0.0.1:50981 tcp
N/A 127.0.0.1:50985 tcp
N/A 127.0.0.1:50991 tcp
N/A 127.0.0.1:50997 tcp
N/A 127.0.0.1:51000 tcp
US 8.8.8.8:53 login.gaijin.net udp
N/A 127.0.0.1:51006 tcp
US 8.8.8.8:53 api.julofinance.com udp
ID 111.223.252.90:443 pendaftaran.unpad.ac.id tcp
N/A 127.0.0.1:51009 tcp
US 172.67.180.4:80 regayzanko.com tcp
N/A 127.0.0.1:51012 tcp
N/A 127.0.0.1:51023 tcp
N/A 127.0.0.1:51033 tcp
US 8.8.8.8:53 98.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 madafaka.ru udp
US 8.8.8.8:53 bluesea.com.bd udp
N/A 127.0.0.1:51044 tcp
N/A 127.0.0.1:51047 tcp
US 170.114.52.5:80 us05web.zoom.us tcp
N/A 127.0.0.1:51049 tcp
US 8.8.8.8:53 api.julofinance.com udp
US 8.8.8.8:53 login.gaijin.net udp
US 8.8.8.8:53 accounts.google.com udp
N/A 127.0.0.1:51054 tcp
N/A 127.0.0.1:51058 tcp
N/A 127.0.0.1:51060 tcp
N/A 127.0.0.1:51063 tcp
N/A 127.0.0.1:51068 tcp
TR 195.46.154.244:80 farmasiint.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 apps.trac.jobs udp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
N/A 127.0.0.1:51079 tcp
N/A 127.0.0.1:51082 tcp
N/A 127.0.0.1:51086 tcp
N/A 127.0.0.1:51091 tcp
N/A 127.0.0.1:51093 tcp
N/A 127.0.0.1:51097 tcp
N/A 127.0.0.1:51105 tcp
N/A 127.0.0.1:51111 tcp
N/A 127.0.0.1:51114 tcp
N/A 127.0.0.1:51117 tcp
N/A 127.0.0.1:51120 tcp
US 8.8.8.8:53 apps.trac.jobs udp
US 8.8.8.8:53 asia.wargaming.net udp
N/A 127.0.0.1:51130 tcp
N/A 127.0.0.1:51135 tcp
N/A 127.0.0.1:51138 tcp
N/A 127.0.0.1:51140 tcp
N/A 127.0.0.1:51142 tcp
N/A 127.0.0.1:51148 tcp
N/A 127.0.0.1:51150 tcp
N/A 127.0.0.1:51152 tcp
N/A 127.0.0.1:51155 tcp
N/A 127.0.0.1:51158 tcp
N/A 127.0.0.1:51163 tcp
N/A 127.0.0.1:51166 tcp
N/A 127.0.0.1:51169 tcp
N/A 127.0.0.1:51175 tcp
N/A 127.0.0.1:51178 tcp
N/A 127.0.0.1:51181 tcp
N/A 127.0.0.1:51183 tcp
N/A 127.0.0.1:51185 tcp
N/A 127.0.0.1:51191 tcp
N/A 127.0.0.1:51197 tcp
N/A 127.0.0.1:51199 tcp
N/A 127.0.0.1:51202 tcp
N/A 127.0.0.1:51214 tcp
N/A 127.0.0.1:51216 tcp
N/A 127.0.0.1:51221 tcp
N/A 127.0.0.1:51225 tcp
N/A 127.0.0.1:51227 tcp
US 8.8.8.8:53 asia.wargaming.net udp
US 8.8.8.8:53 molotov.tv udp
US 8.8.8.8:53 ftp.bluesea.com.bd udp
US 8.8.8.8:53 molotov.tv udp
US 8.8.8.8:53 kogama.com.br udp
US 8.8.8.8:53 account.protonvpn.com udp
US 8.8.8.8:53 kogama.com.br udp
US 8.8.8.8:53 account.protonvpn.com udp
US 8.8.8.8:53 ecampus.uesiglo21.edu.ar udp
US 8.8.8.8:53 sloty-com.mail.protection.outlook.com udp
US 8.8.8.8:53 ecampus.uesiglo21.edu.ar udp
US 8.8.8.8:53 farmasiint-com.mail.protection.outlook.com udp
N/A 127.0.0.1:51237 tcp
N/A 127.0.0.1:51240 tcp
N/A 127.0.0.1:51243 tcp
N/A 127.0.0.1:51245 tcp
N/A 127.0.0.1:51248 tcp
US 8.8.8.8:53 cscgraminnaukri.in udp
US 8.8.8.8:53 rl-itdept01-ukftxamwrq.app02-21.logmein.com udp
US 8.8.8.8:53 cscgraminnaukri.in udp
US 8.8.8.8:53 play.na.leagueoflegends.com udp
US 8.8.8.8:53 bithourly.net udp
US 8.8.8.8:53 play.na.leagueoflegends.com udp
US 8.8.8.8:53 ipstresser.com udp
US 8.8.8.8:53 ipstresser.com udp
US 8.8.8.8:53 titkosviszony.com udp
US 8.8.8.8:53 titkosviszony.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 bluesea.com.bd udp
US 8.8.8.8:53 forum.generationzero.com udp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 forum.generationzero.com udp
US 8.8.8.8:53 serviciosdigitales.imss.gob.mx udp
US 8.8.8.8:53 prepaidonline.com udp
US 8.8.8.8:53 serviciosdigitales.imss.gob.mx udp
US 8.8.8.8:53 prepaidonline.com udp
US 8.8.8.8:53 btech-loyalty360.dsquares.com udp
US 8.8.8.8:53 mail.project-infinity.cloud udp
US 8.8.8.8:53 sso.emea.teleperformance.com udp
US 8.8.8.8:53 btech-loyalty360.dsquares.com udp
US 8.8.8.8:53 emb.mbbank.com.vn udp
US 8.8.8.8:53 emb.mbbank.com.vn udp
US 8.8.8.8:53 habblet.city udp
US 8.8.8.8:53 habblet.city udp
US 8.8.8.8:53 eur.pokerstarscasino.eu udp
US 8.8.8.8:53 eur.pokerstarscasino.eu udp
US 8.8.8.8:53 flyheight.com udp
US 8.8.8.8:53 flyheight.com udp
US 8.8.8.8:53 windscribe.com udp
US 8.8.8.8:53 windscribe.com udp
US 8.8.8.8:53 dominion.games udp
US 8.8.8.8:53 help.steampowered.com udp
US 8.8.8.8:53 dominion.games udp
US 8.8.8.8:53 help.steampowered.com udp
US 8.8.8.8:53 pb-dekthai.com udp
US 8.8.8.8:53 portal.elm.sa udp
US 8.8.8.8:53 webtop.co.il udp
US 8.8.8.8:53 webtop.co.il udp
US 8.8.8.8:53 login.gog.com udp
US 8.8.8.8:53 login.gog.com udp
US 8.8.8.8:53 studio.rockcontent.com udp
US 8.8.8.8:53 studio.rockcontent.com udp
US 8.8.8.8:53 career10.successfactors.com udp
US 8.8.8.8:53 common.99taxis.mobi udp
US 8.8.8.8:53 career10.successfactors.com udp
US 8.8.8.8:53 common.99taxis.mobi udp
US 8.8.8.8:53 retail.onlinesbi.com udp
US 8.8.8.8:53 socialtools.ru udp
US 8.8.8.8:53 retail.onlinesbi.com udp
US 8.8.8.8:53 socialtools.ru udp
US 8.8.8.8:53 ptronline.co.uk udp
US 8.8.8.8:53 account.samsung.com udp
US 8.8.8.8:53 ptronline.co.uk udp
US 8.8.8.8:53 account.samsung.com udp
US 8.8.8.8:53 connect.ubisoft.com udp
US 8.8.8.8:53 connect.ubisoft.com udp
US 8.8.8.8:53 app.resumecoach.com udp
US 8.8.8.8:53 app.resumecoach.com udp
US 8.8.8.8:53 portal.trueinternet.co.th udp
US 8.8.8.8:53 portal.trueinternet.co.th udp
US 8.8.8.8:53 apps.timeclockwizard.com udp
US 8.8.8.8:53 mx0.jobware.net udp
US 8.8.8.8:53 apps.timeclockwizard.com udp
US 8.8.8.8:53 pmprb.menpan.go.id udp
US 8.8.8.8:53 cabinet.salyk.kz udp
US 8.8.8.8:53 pmprb.menpan.go.id udp
US 8.8.8.8:53 cabinet.salyk.kz udp
US 8.8.8.8:53 eblagh.adliran.ir udp
US 8.8.8.8:53 eblagh.adliran.ir udp
US 8.8.8.8:53 online.nationalgridus.com udp
US 8.8.8.8:53 online.nationalgridus.com udp
US 8.8.8.8:53 login.blockchain.com udp
US 8.8.8.8:53 superbahis199.com udp
US 8.8.8.8:53 superbahis199.com udp
US 8.8.8.8:53 albarcollege.com udp
US 8.8.8.8:53 albarcollege.com udp
US 8.8.8.8:53 ahmdsat.com udp
US 8.8.8.8:53 ahmdsat.com udp
US 8.8.8.8:53 signup.br.leagueoflegends.com udp
US 8.8.8.8:53 signup.br.leagueoflegends.com udp
US 8.8.8.8:53 olion.cash udp
US 8.8.8.8:53 olion.cash udp
US 8.8.8.8:53 bepay.zendesk.com udp
US 8.8.8.8:53 217.172.58.13.in-addr.arpa udp
US 8.8.8.8:53 ec.infoanuncios.com udp
US 8.8.8.8:53 ec.infoanuncios.com udp
US 8.8.8.8:53 plusdede.com udp
US 8.8.8.8:53 madafaka.ru udp
US 8.8.8.8:53 plusdede.com udp
US 8.8.8.8:53 hphconnect.harvardpilgrim.org udp
US 8.8.8.8:53 hphconnect.harvardpilgrim.org udp
US 8.8.8.8:53 mxa-005e3801.gslb.pphosted.com udp
US 8.8.8.8:53 exam.etoos.com udp
US 8.8.8.8:53 siagapendis.com udp
US 8.8.8.8:53 exam.etoos.com udp
US 8.8.8.8:53 shopee.co.id udp
US 8.8.8.8:53 siagapendis.com udp
US 8.8.8.8:53 shopee.co.id udp
US 8.8.8.8:53 sso.garena.com udp
US 8.8.8.8:53 sso.garena.com udp
US 8.8.8.8:53 avoncosmetics.ro udp
US 8.8.8.8:53 avoncosmetics.ro udp
US 8.8.8.8:53 makedollars.in udp
US 8.8.8.8:53 makedollars.in udp
US 8.8.8.8:53 xflow.cc udp
US 8.8.8.8:53 xflow.cc udp
US 8.8.8.8:53 buddy4study.com udp
US 8.8.8.8:53 buddy4study.com udp
US 8.8.8.8:53 signup.na.leagueoflegends.com udp
US 8.8.8.8:53 signup.na.leagueoflegends.com udp
US 8.8.8.8:53 auth.dadeschools.net udp
US 8.8.8.8:53 auth.dadeschools.net udp
US 8.8.8.8:53 kissasian.com udp
US 8.8.8.8:53 kissasian.com udp
US 8.8.8.8:53 auth.tankionline.com udp
US 8.8.8.8:53 auth.tankionline.com udp
US 8.8.8.8:53 trakt.tv udp
US 8.8.8.8:53 trakt.tv udp
US 8.8.8.8:53 slotxo.com udp
US 8.8.8.8:53 5.52.114.170.in-addr.arpa udp
US 8.8.8.8:53 slotxo.com udp
US 8.8.8.8:53 salonv.utecvirtual.edu.sv udp
US 8.8.8.8:53 salonv.utecvirtual.edu.sv udp
US 8.8.8.8:53 pt-br.facebook.com udp
US 8.8.8.8:53 pt-br.facebook.com udp
US 8.8.8.8:53 ladypopular.ro udp
US 8.8.8.8:53 ladypopular.ro udp
US 8.8.8.8:53 yggtorrent.si udp
US 8.8.8.8:53 yggtorrent.si udp
US 8.8.8.8:53 alt1.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 passport.twitch.tv udp
US 8.8.8.8:53 stakes.com udp

Files
