Malware Analysis Report

2024-12-07 13:04

Sample ID 241113-yw9t2ayenk
Target f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759
SHA256 f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759
Tags
quasar 5-11 discovery spyware trojan stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759 was found to be: Known bad.

Malicious Activity Summary

quasar 5-11 discovery spyware trojan stealer

Quasar payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar RAT

Quasar family

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates processes with tasklist

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 20:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 20:09

Reported

2024-11-13 20:11

Platform

win7-20241010-en

Max time kernel

146s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2444 created 1176 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\Explorer.EXE

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SonicOval C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
File opened for modification C:\Windows\SubscribeInvention C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
File opened for modification C:\Windows\XxxContests C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
File opened for modification C:\Windows\SysAug C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
File opened for modification C:\Windows\BermudaRough C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2856 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2856 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2856 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2856 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2856 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif
PID 2856 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2444 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe
PID 2180 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe

"C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Throat Throat.bat & Throat.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 571069

C:\Windows\SysWOW64\findstr.exe

findstr /V "WIDESCREENALLIANCEEXPANDRNA" Appeared

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Titten + ..\Funded + ..\Attending + ..\Controls + ..\Cliff + ..\Comply + ..\Sept + ..\Hold + ..\Legislation + ..\Anti + ..\Politics + ..\Days + ..\Conducted + ..\Dollars + ..\Traveling + ..\Announced + ..\Sink + ..\Contamination + ..\Beginner + ..\Rev + ..\Salt + ..\Genealogy + ..\Quebec + ..\Peak + ..\Initiatives + ..\Detector + ..\Fails + ..\Replacing + ..\Omaha + ..\Most + ..\Mp + ..\Funny + ..\Complaints + ..\Pearl + ..\Moms + ..\Doctor + ..\Iowa + ..\Properly + ..\Vi + ..\Excessive + ..\Till U

C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif

Vbulletin.pif U

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Gains" /tr "wscript //B 'C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url" & echo URL="C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Gains" /tr "wscript //B 'C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Зарубежные контракты.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 WyLKnzKjEWaHUQskIiknaxMa.WyLKnzKjEWaHUQskIiknaxMa udp
US 8.8.8.8:53 crostech.ru udp
RU 5.8.11.91:4782 crostech.ru tcp

Files


memory/2660-350-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Зарубежные контракты.doc

MD5 35dabf85eaec23bbab9b79149ae3f56e
SHA1 38aef59599957bcbe57115ca4cf33da499ee7dbd
SHA256 944c70ca9464caebeabc4652cfad5baab11b1dc06c8e5921cdd5d8399ce92933
SHA512 976aae65a8d5006e2c69286f761f4e166d8e9397a85fc10de2be1cda7df55981ee7772575b5209fc3f012f592d1493dab851e552ce61de2713b52b691e852f5a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 20:09

Reported

2024-11-13 20:11

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4288 created 3436 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5060 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5060 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5060 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5060 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5060 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif
PID 5060 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 4288 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4288 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe
PID 1716 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe

"C:\Users\Admin\AppData\Local\Temp\f1bedec9834e6b7457571b68587406b042b071cb244958afbbf4543b29c49759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Throat Throat.bat & Throat.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 571069

C:\Windows\SysWOW64\findstr.exe

findstr /V "WIDESCREENALLIANCEEXPANDRNA" Appeared

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Titten + ..\Funded + ..\Attending + ..\Controls + ..\Cliff + ..\Comply + ..\Sept + ..\Hold + ..\Legislation + ..\Anti + ..\Politics + ..\Days + ..\Conducted + ..\Dollars + ..\Traveling + ..\Announced + ..\Sink + ..\Contamination + ..\Beginner + ..\Rev + ..\Salt + ..\Genealogy + ..\Quebec + ..\Peak + ..\Initiatives + ..\Detector + ..\Fails + ..\Replacing + ..\Omaha + ..\Most + ..\Mp + ..\Funny + ..\Complaints + ..\Pearl + ..\Moms + ..\Doctor + ..\Iowa + ..\Properly + ..\Vi + ..\Excessive + ..\Till U

C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif

Vbulletin.pif U

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Gains" /tr "wscript //B 'C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url" & echo URL="C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeroSense.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Gains" /tr "wscript //B 'C:\Users\Admin\AppData\Local\AeroSense Innovations\AeroSense.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Зарубежные контракты.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 WyLKnzKjEWaHUQskIiknaxMa.WyLKnzKjEWaHUQskIiknaxMa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 crostech.ru udp
RU 5.8.11.91:4782 crostech.ru tcp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 91.11.8.5.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.202:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 202.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Throat

MD5 bc78b8e4cc9fcc8a384ab6582da083dd
SHA1 5f64ebc4f066435faf5c63d724710729b69c8d2e
SHA256 ec8f2e41f3f26f71a1949738d2c6a7ebc4f950bc7fc54bbcf19e88a6b71074d0
SHA512 ace38e17731859c1c9918d2dce81ec449e9e71376fb99e1336f2ec218706e04ece8ed96039edc491e20af1f404a195d3dc74e04eacda906f58ed82f9d352b3c4

C:\Users\Admin\AppData\Local\Temp\Appeared

MD5 48901ff4137de02ab63bf3f479eee712
SHA1 355382872a136b9d7f76953047f26b97106cd3ab
SHA256 bf4f37ade5306c5ea081debfb581c2109da98a5649465189af99d85362075141
SHA512 271ed832e5595cbbf431015bb13f017b5b2ee511afd0ec4300812b27501f698e7007533cbd6bbe42fafea990d291321902c2ba340d8462811c8b08ff3e4fd893

C:\Users\Admin\AppData\Local\Temp\Regarded

MD5 95978812784740d8240eeed48d44b289
SHA1 e5f3ac84c79ac34cd6a523074b339c76b50c82bd
SHA256 5337b8872ba1d7498e3351f33c1fae56a13bea9e3c41dc3dc26b416955a7d1b5
SHA512 f14c20511ac096d35a286734240c38daea47f1601c813aec82f68029c1fc735fca53bc0b2a5db9187cbb5bfe40c663b43ddbe61f0e46bea921315fa11b796209

C:\Users\Admin\AppData\Local\Temp\Titten

MD5 fce0d1d7223d484363f03f5e85ced606
SHA1 b8ab18c6b685dc0182517d77de458146cbfad1d1
SHA256 1f04b26b72edf3ecd10d3aca3b187d35bd6c388ba060e438d334986c2c11319a
SHA512 a1e15e1bfa563105e221e88b995a11eae554cba4470cfa1494980ee0da7503280a8460a400d0425bb9348d1390cf75b4fdfc137a59938dd2a317a53231097505

C:\Users\Admin\AppData\Local\Temp\Funded

MD5 7489394e40ceb830f8a4c29b874d7cf4
SHA1 7dec1503e9ff2d7ed7dfacafeb259541049bb1a6
SHA256 37f5694ef974c6f1b6461447cdc9dd2502a02fb2b57eaecf9f92d0c9221d103c
SHA512 ebccd057e27fb645300c4ba4af363df3c2a84f4b7156e8b99d51fe5f5433c5bf5b7b3acf921468c4ebc2f4c2d2aab49216b1f9cea069a69b33369d2e5ec2c6f1

C:\Users\Admin\AppData\Local\Temp\Attending

MD5 81119d4db4e7be6c8e7cf387f8b0a1ce
SHA1 536584ddf5da7289c00a03882887bf9f5023269e
SHA256 d99b173cae06cdbe24d94bde1def96d836eed194235bfd4d165f85d18d6b9d30
SHA512 800782232b5a0537315faed6d62650c82b8f0f749fda4277b62713c8fc00acaa2d20f09818e1d2e7df9ae0de12b7bf962837e7ad9f20c92f9466f1d634df5ab8

C:\Users\Admin\AppData\Local\Temp\Controls

MD5 5a8372f2f907f3fa3a86d753cdf1567f
SHA1 82da724f7dc9885d7cd59409b153be1658cb9191
SHA256 635c1621c70ca449b3a2677110683497de01f4018fec359fbb194c126b00fc96
SHA512 9f21352d66ee82f393fb38ff12f9559d9b1015a63dcee4cba0c5df540487e053ca1cd679ea48eb7cc9502a283cda1e371832d341c37be62c690cb513e5dcdb4a

C:\Users\Admin\AppData\Local\Temp\Comply

MD5 6fe0f4ea7551c09222c55667b05cb681
SHA1 6f0b0c3d608415387efb86a9dcd393cbac2b1900
SHA256 005eaeb89297f43042f4017ffba8ca3d64f57d3f295b85ebf4a55bc984e8ab44
SHA512 36ac669d1d378e821ce8a51323e2b5c6c492fefd7811fb0fe7f466c11fae7790e06d2070da9a4aac43179b7e97d3daa5e489f79aa84b791b9821599fc4c00d6c

C:\Users\Admin\AppData\Local\Temp\Cliff

MD5 47c898661110109d45e7927ec13005e2
SHA1 78bb01280947a9f8aa18bd0379d94b8abee28df3
SHA256 4ff10e51eac35068fc3c35d351ee5a03e80a030a315a2750fbc40db26bbc8ace
SHA512 abc673a8363f03f22b30e4129336d57743e9e54f07615356077600919eeaab97c0265da724224660e6a7619f3790718d7dc0ea27e74babad65e5625258fce890

C:\Users\Admin\AppData\Local\Temp\Hold

MD5 647ed9b1dd2a47cffa1d0f9ae5ce2350
SHA1 61200772bd7708707f66f9fbedd44b5e4b4d0c27
SHA256 c3795523f56fc46fbad2eb5068034414d58ce8b138890157dd9226c5daa4e2d5
SHA512 3ec18f2b6c00a76b596da83c129e4da607d9f10ef8a2b44e38ff12e9403b6bfa939a1e9bb9b4acc699b5a23b58c4fc4c5abae55dfc846cba3f71d5e049dda073

C:\Users\Admin\AppData\Local\Temp\Sept

MD5 88469c0f0eb032ac910d3ae4c5275018
SHA1 bdfb3437b84b3788417574dfa85ea45ac045bddd
SHA256 d3ad13a726d563c86cf3b84cf9fd9e5184393180ad310116a8d71e4c3ced5df3
SHA512 307104d342639c3435fb24bb5029392a6bca7460e965a117129fda474536e18fac6eb8ece2a891a6ebd2145dbfbe4886605534104f05c454a8921e1617d94698

C:\Users\Admin\AppData\Local\Temp\Days

MD5 9a502490133d2a0d956d6f17e1d5b64c
SHA1 c9e931ea37e7536c6880718a9422060f8637c49d
SHA256 ad4b705199e23a88a943a16caba4e3a3ec31312663b03224c148466a723fdfcc
SHA512 7efc4bce0581dca6dcb190b0fcc244f830c1db471a452df478ddb5925ee1f61372615410015f6fd414a4b204c1d3ebd437479e3ae7641529b7ed058b498a5265

C:\Users\Admin\AppData\Local\Temp\Politics

MD5 6a89d314f53c35763a8d9dd1157dabe7
SHA1 dc605d884cb99006834b9f29a3e78490c1d616d7
SHA256 1713b10f3393aefc7253f56680e180e62b11d7c05921ae63fedbb9fc60a3cc96
SHA512 306e729d1fda5711e7bc03b56c36f8229cad13e36f4f8876121f68fdd76abe744dfd2238fe239ec34059763ca9ff20349210790c0ea8e6296651aecdaff4116c

C:\Users\Admin\AppData\Local\Temp\Anti

MD5 ff14b749bd000ab79704917149f62613
SHA1 1d4b7d31be66a6510b6a340516505500a88bda5e
SHA256 c2d3b6c4b91edb327db70fc561ac8761b334c6943db97d44cd7dbff14c058a64
SHA512 cbf27ab76b9d458bc4072c1292df32ea458b9aa0d4335a0b8deda0db1b764cc17558b4f453f4f66fc42453c89cdcfbc8482e3797e87ca6be911c153a6626229e

C:\Users\Admin\AppData\Local\Temp\Legislation

MD5 1b2c35303c36a5b3b93eea6798989b33
SHA1 2628842871b11f5287abf714b1164dfad916f068
SHA256 4f592cb6dd718c7b30b44867469f88deb906c15d8d8c20fdcd61fc4d1f69ccfe
SHA512 6c435629757cb1711ffe328f305ad251eed78122618848702a3345ec5eb4705c6ae6f23f373084b4cf0ee38aad19e951ddedc996877c3378530c408db8a51f90

C:\Users\Admin\AppData\Local\Temp\Conducted

MD5 4aec7b00e0d1c9b3c286f8ec9acf7aaa
SHA1 18dc5d3e363609d847f04fc698d6c9d219e1eabf
SHA256 987582d2715b0f02789f253c18e30f07ceedf0d1c755d51fc76ec9176f050d0b
SHA512 39e72239eaa4130834bd16e65a7a3aca1a71f8f4087c91d9c7c2a4c6dbf048c23e431d868daeffe6b54d9e0fc58fca21b23ec3cdbaa6780954a92312df08d514

C:\Users\Admin\AppData\Local\Temp\Dollars

MD5 ed3362e23598d32779b85d55fea7831b
SHA1 b6f6180c7dd2ce74f6dd73e6ec0f66ca1aad3dd6
SHA256 1f8466c768ec7dc87f22dabe49c44262f29ab02c9ba6fb377cf32934ed4b0f0e
SHA512 d6cb542911a214dc356f651ab63b152ce0f8eefc3ea715310388b0a39cd2e6b70e84524368b3f50042176993b6229106082ba7f041342e2c4d58b7f7b2782aa4

C:\Users\Admin\AppData\Local\Temp\Rev

MD5 e2a6d7d55d8f7a7d4ee2e92db2caed7f
SHA1 4695c02a2745e01911a3a44d23dd95a335678065
SHA256 20481a58b1b68ee1adad572609d5c4abc059056106d91a39db3d0bb42a8cb393
SHA512 4c9f939a2d69cefdadf62e161092a3ce42b2625ecf8e92885eaad37f0a0a43bfc3fc5b0ce882c9703d3f81c45c1e35811099140c8399320c02b2d8a3f15300ab

C:\Users\Admin\AppData\Local\Temp\Beginner

MD5 dd6b4d4c095bc63b9336fbe98f67bd78
SHA1 ca81e5d94b7abce1576a7dcdbff506809120b15f
SHA256 ca490c0df0ea110c5b68f9fac197479d21c96f06eacc36f41da991538f4b97db
SHA512 f4665fd28fbc5298a022ed33d92c94e2458b94baf5968b188621fb8dc30e325c7abf518ff2eda1026a8e755e4858b0fcc4688a4b88dd47c5c02451e4409a8f98

C:\Users\Admin\AppData\Local\Temp\Funny

MD5 b15a1f9e654b0e0f6a9053a4483786c7
SHA1 00091975be54cf385600c54630759b39bcac4986
SHA256 dca2c70566f14f2a636ab69a23bcb614e36e86ba5220b2285dbd4a4358dab947
SHA512 7cd7bbc28e7ee6c90d787b19cbd9aaa75f0b4af73fe658f88608e78d03f950df477cb42b8275fd48a6f1f9014fe69ae14db4a124212ab252d65ecf66b58a6406

C:\Users\Admin\AppData\Local\Temp\Mp

MD5 8c0d64b6ac828ba4ebcb34666e0fad8d
SHA1 5cbf65613e2aca6d39c6f431c7ce47b3b16eb484
SHA256 0aa31937d7a12fe2a2ef188aa9264b15e9ad46c44b3c1b56bd5c905b25ab8e3d
SHA512 bb6b0de27151ada4edfdd9f9b88c32da1a66285a2fd63bb84222039715656b7fdfc5047ec5ae5f7d51d58e5af5539ebcdd53cb7c333eb8cc303c48fe682e6881

C:\Users\Admin\AppData\Local\Temp\Most

MD5 7cc622fda35f9818f8c10368c5b987a2
SHA1 4247474947b863df751b14c35d43ad2ca3efd2cc
SHA256 0be5be4c5c59f9b357a1a6b2152e945dc4e23621a9a30430a53e482dd3cfc69c
SHA512 72bfa039caa2c54700ce56416b8e6458a8b391d8e38d456f34942c69777f9a1beb7a34dd87e6f5631f97a9cfe07bb11464ff8b477f2438308a34c2903abe3122

C:\Users\Admin\AppData\Local\Temp\Omaha

MD5 05f8a2ad46477d5447c8af2ecac164e4
SHA1 56d4f4d45c4b6e07f691e2cadfe88e2e0d40c4a8
SHA256 19c7c347e0d63cbb95f190173cd58bd581537a389798dcf9dc5f98fd30882f16
SHA512 6c2fd75c1a360b2c7878b623f93a0676853c037e81dd151bbe600ffe6744f4ab9023320f42406678e5550ff2b989d402649ab8b2ee8bb8970b622bf8fbb962e2

C:\Users\Admin\AppData\Local\Temp\Replacing

MD5 c35a8ebaa0edc04daf9a430f502ba879
SHA1 48c1bbe6ccc28adcd93c879d84833387fba7d238
SHA256 9424107acb9b5fe41e827a6ab19a2cb0d354e26fc637aae71c434cf6f3f26f92
SHA512 20622163832fb108d943d3fef277bf9c4b80593eaa5a840ca4366037df8090e0185fc12c2f54f68e7b7987003ad7b821f8f04d33e080f82aeffc283ee8da60b9

C:\Users\Admin\AppData\Local\Temp\Fails

MD5 07f0c62b7e1cbe6c9038eabc740deb17
SHA1 095a23a899e835a53434f7a559aca3348b2f6d45
SHA256 a69820a8bbe25d624c9e31c2a25a703ab37d32e24b53bbb563fe08c245e401bb
SHA512 a6880231facc5635c8daef487623785b921cb5906638bb03f00884eae7cbf783db810b2405cb1c6ce21c5d1a8700963d3fe85f440d34b04f3ffc481760c964c7

C:\Users\Admin\AppData\Local\Temp\Detector

MD5 fba4e6d1cb8adbc442db995c937bfda1
SHA1 5b0f309b175c6b34b315f3fa8f330a05d8b92dc8
SHA256 164275d6c158a347b1a12adb92a99ea15aeff66b89d8ff3c71d269d0e6026538
SHA512 a51fdd5b8438ebcc2d0fbe4b43eaab2a56c55c5af3b66d827bbb26ef9e8ea02272ef19eeee2a138e7d618877fb7ff24dff833d8f1e98d4dc39ab465d7ce869b3

C:\Users\Admin\AppData\Local\Temp\Initiatives

MD5 4a6b89eed5ed37679bea3c31563ccac5
SHA1 9cc61a87d9d1f27b65ece09f96fee2c63f894a98
SHA256 78419c3aac38e1894d64d3ba6d2aaea2aff537cd7e8aa1d95dbd9bd15ab4310c
SHA512 e9804f48a95c74cb31b94911fb76a4f93c316f6b9ffd5020c30dfb74aa05d25c30ff0d772da550674dfd3f2b4b609c7086abb4920e6ce2af956af40bbb9afcd7

C:\Users\Admin\AppData\Local\Temp\Peak

MD5 7e77bc3361454afa60ac901f899528e1
SHA1 36f16ee2ddb0ff66dc5e83b832d739c49f1a547a
SHA256 7aa6c1265aef04c6f01a2a52cc2d2a6e34461085da4e414470396c82bbf0e42c
SHA512 9c5af58465f31356f43a688c1260349b3563856c89f6c38c21895b06afddc16f403819ce5414b2c3a6e25801254324f7dc970d64d59f3a4cf3774f181f9bdf04

C:\Users\Admin\AppData\Local\Temp\Quebec

MD5 55ef1ba78e6da565625c825bc14b8ff1
SHA1 b409b57fd67db68362fef1e3212d56832eab0ae0
SHA256 a898b3513ec803b54207fc5e6db5a580242fffec5473d79edab24e145b6cbecb
SHA512 82a9fa3bb8664feb32160302bcd8faf8a520655b793211841212fdac96e5e99ddebfbb5db4b9061fa86d8549f4e436480ca9d933091fb1a04fe1d64034e2eed9

C:\Users\Admin\AppData\Local\Temp\Genealogy

C:\Users\Admin\AppData\Local\Temp\Salt

C:\Users\Admin\AppData\Local\Temp\Contamination

C:\Users\Admin\AppData\Local\Temp\Sink

C:\Users\Admin\AppData\Local\Temp\Announced

C:\Users\Admin\AppData\Local\Temp\Traveling

C:\Users\Admin\AppData\Local\Temp\Complaints

C:\Users\Admin\AppData\Local\Temp\Pearl

C:\Users\Admin\AppData\Local\Temp\Doctor

C:\Users\Admin\AppData\Local\Temp\Moms

C:\Users\Admin\AppData\Local\Temp\Iowa

C:\Users\Admin\AppData\Local\Temp\Properly

C:\Users\Admin\AppData\Local\Temp\Vi

C:\Users\Admin\AppData\Local\Temp\Excessive

C:\Users\Admin\AppData\Local\Temp\Till

C:\Users\Admin\AppData\Local\Temp\571069\Vbulletin.pif

C:\Users\Admin\AppData\Local\Temp\571069\U

C:\Users\Admin\AppData\Local\Temp\571069\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Зарубежные контракты.doc

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\Admin\AppData\Local\Temp\TCD7CF0.tmp\gb.xsl
