Sample File: MD5 hash: 35f864c78809db8ac3dc8e646c57df26 SHA1 hash: 127042472e86dbe86cd8ed429a6c975c438be542 SHA256 hash: 303ad8c115d9a5706637638802b3d2df8a28bbab8b255e761605f0f997a0029a SSDEEP hash: 3072:CEPWExY0+WWO0B+DiMBR3iYyTruDjAOMZo5h8pnXS2:BxY0+LJUDiWS1/zZZoqi Filename(s): xuzyww.doc Filetype: Word Document Mutex IOCs: Global\.net clr networking Local\{6A5E21FF-C1FA-2C95-9B3E-8520FF528954} Local\{722AD44B-2987-7426-43C6-6DE8275AF19C} Local\{FCF9E212-2B0D-8EC0-95F0-8FA2992433F6} {5E6EC9EA-2502-40CD-9F72-297443C66DE8} {76F64C5E-5D7B-1845-970A-E1CCBBDEA5C0} {82FB0C97-F984-04EA-93D6-3D78776AC12C} {AE7A4847-3582-10AE-2FC2-3944D3167DB8} Registry Key IOCs: Application Application\PowerShell HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT\.bin HKEY_CLASSES_ROOT\AutoRegister HKEY_CLASSES_ROOT\CLSID HKEY_CLASSES_ROOT\CLSID\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4} HKEY_CLASSES_ROOT\CLSID\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4}\TypeLib HKEY_CLASSES_ROOT\CLSID\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4}\Version HKEY_CLASSES_ROOT\Clsid\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4} HKEY_CLASSES_ROOT\Clsid\{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4}\Control HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CLASSES_ROOT\TypeLib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4} HKEY_CLASSES_ROOT\TypeLib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4}\1.0 HKEY_CLASSES_ROOT\TypeLib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4}\1.0\0 HKEY_CLASSES_ROOT\TypeLib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4}\1.0\0\win32 HKEY_CLASSES_ROOT\TypeLib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4}\1.0\0\win64 HKEY_CLASSES_ROOT\Typelib HKEY_CLASSES_ROOT\Typelib\{8405D0DF-9FDD-4829-AEAD-8E2B0A18FEA4} HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client32 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client64 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Config HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Files HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Files\E1317AC5E1EBDE4D0E HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Ini HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Keys HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Kill HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\LastTask HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Run HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Scr HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\TorClient HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\apiMM1M0 HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\{70017650-0FA6-225C-19A4-B3765D18970A} HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\{E12FFA4A-CC07-BBA0-DEA5-C01FF2A9F4C3} HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\189cba75c69c634996739bac92103ebb HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\1a8bd43e654f65418fbafadeef063a57 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\1cfb96c6c96b454ebff73da2e9f63f51 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\467888fc50a6c6448d6cc0cf7b5307d6 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\48dea081c9634a43a6861907855add5c HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\55aad8d134512d438564aa678cb92d66 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\71b0295bef58e344911262b243f005ac HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoIndent HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoQuickTips2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoStatement2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoValueTips2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CodeBackColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CodeForeColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\DragDropInEditor HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\EndProcLine HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontCharSet HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontFace HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontHeight HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FullModuleView HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\IndicatorBar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\IndicatorColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\OBGroupMembers HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\OBSearchHeight HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\SyntaxChecking HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\TabWidth HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail HKEY_CURRENT_USER\Software\Microsoft\Windows Mail HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Salt HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Store Root HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\apiMM1M0 HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\DisableOrpcDebugging7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\StackVersion HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DNSLookupOrder HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpSearchList HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SearchList HKEY_PERFORMANCE_DATA HKEY_USERS HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client32 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\AppDataLow\Software\Microsoft\3632F5D8-1D04-D8B6-57CA-A18C7B9E6580\Client64 HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_USERS\S-1-5-21-2345716840-1148442690-1481144037-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData HardwareEvents HardwareEvents\PowerShell Internet Explorer Internet Explorer\PowerShell Key Management Service Key Management Service\PowerShell Media Center Media Center\PowerShell OAlerts OAlerts\PowerShell Security System System\PowerShell Windows PowerShell Windows PowerShell\PowerShell Domain IOCs: google.com intraders-support.at myip.opendns.com resolver1.opendns.com ron4law.com IP IOCs: 50.87.144.227 208.67.222.222 17.57.146.20 78.31.63.30 31.5.167.149 46.214.214.39 89.215.156.222 62.121.105.162 89.133.228.92 37.34.176.37 89.17.225.163 62.141.241.11 89.190.74.198 172.217.21.238 95.222.167.189 URL IOCs: http://ron4law.com/Drsstor.bin intraders-support.at/images/WuRSBbFjG0pj4JYX/sI9w9BOQXLr3cLM/XlHwDGrmmUX0zOgbax/ErFjlom80/AtqNswhjrTQnZ3YzXnrJ/LD2QqgHYZH_2B698KzS/53rWacE7F5jTyV8MJJpkou/VKuF5nMFkMYQM/tr4dC4JP/_2B0y226Hm5e3CQhFHDjQ6U/InrIIHsi1_2F/4e.gif google.com/ File IOCs: Filenames: C:\ C:\Users C:\Users\aETAdzjz C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\cache\data_0 C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\cache\data_1 C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\cache\data_2 C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\cache\data_3 C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\cache\index C:\Users\aETAdzjz\AppData\Local\Temp\1320.bi1 C:\Users\aETAdzjz\AppData\Local\Temp\1320.tmp C:\Users\aETAdzjz\AppData\Local\Temp\CDFD.bin C:\Users\aETAdzjz\AppData\Local\Temp\CDFD.tmp C:\Users\aETAdzjz\AppData\Local\Temp\E3A6.bin C:\Users\aETAdzjz\AppData\Local\Temp\E3A6.tmp C:\Users\aETAdzjz\AppData\Local\Temp\VBE C:\Users\aETAdzjz\AppData\Local\Temp\Word8.0 C:\Users\aETAdzjz\AppData\Roaming/system64.dll C:\Users\aETAdzjz\AppData\Roaming\Microsoft C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6 C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypore6\bdeskmgr.dll C:\Users\aETAdzjz\AppData\Roaming\Microsoft\{F5FB2C3C-D05C-EF89-82F9-0493D63D7877} C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\prefs.js C:\Users\aETAdzjz\AvGcpVlPprpjYv.bin C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 C:\Windows C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config C:\Windows\SYSTEM32\ntdll.dll C:\Windows\System32 C:\Windows\System32\WindowsPowerShell\v1.0 C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\system32\c_1252.nls C:\Windows\system32\regsvr32.exe Normal \\.\mailslot\sl64 \\.\pipe\{CE377949-D5DC-3008-CFE2-D96473361DD8} MD5 hashes: 32bcb7b01b57de70fa2a93d38b5b99fd 5016784605ad3fd883fbdfdd5fbd469f 64c662633aaa9e4a880c44701c01e59e 6bc4fa61b013340783e5fd3f7221fe80 dc0fa5ccd45eacf5863cca0ad142e447 ef8fd8948825bfa3bd8422d6b1a669b2 f64076fe8eef1bac743a54af32b42671 SHA1 hashes: 30100663d3d88d7399948f7f92602efcb70b5a86 572cafce1a3aa6ce28f3905591629280d5bb814c 6e6770a03a3cb4a1a1df25bc6d37c23a71a26bf6 8d285f4bc1c1dc82c1148602df3d93d76e57a0dc a5ff11ec560d61564c47a1a03a12d78d67646efa a6cf6d28d3a35d4ce8de8e7a5f0d85a1bb923bbc a706d693eabcc9c13dfc31c6f3f4e79d513a4264 SHA256 hashes: 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8 bd7ed14a8f197e8c0b4690a2c2aa75343aba96634f9fb3c0e541d2658ca4bd7f bedd441ee7ea62f7387f4afbb11487ef3fba0a8ed929142f763baaf4162f89de c1d396f73f54a6cfd4301a8fce8d2e94aba01fd396d92897847151513a2429cd ce8e158c2c30a8641d6ff7838adbff96c0e592f885b2dbdd382266555fb032a4 d592b31a833ea3a26843a69078cf610dd56f175677bc0a3e79d537cbe1b8ad70 edeeabad894a37ae4189f1d30ebd8265bf91a0783b32dda9878ba5669844be19 SSDEEP hashes: 12288:1VtF21kgh6j10JGCDn3NVEoYFA5rId7ipJC:1VtEjcMfTpYC5cmHC 12288:HV64/cqCH8lSxkIgIfOR6j5GmhOngOYL0pt3A2G:H84/cp8kxk6f+6QmI5P3 12288:INVtF21kgh6j10JGCDn3NVEoYFA5rId7ipJC:INVtEjcMfTpYC5cmHC 12:Jw/fADe08AWyHurHiR7Tv7/HurHSR7P7v:vyy37/b7v 3:cPLgeqnhARtt7TSjjhThARtmQLXXXLKSLEt11/v:o0eqnWbtChWbnLXXXLKSYx/v 6:5jXM2siiIPu8CnY9JZF7FFMSrczZdllv8MCEujGec7PlpSbBMV/xt+kZl+l9:5jXM2sifIYD1WSw3Lv8MOjGL7Plp8S5Y 96:5W3tkMNqizJzzYOs1SZGN4Y+VB4ljZUbFos5oF5p809mglJK9FIQJM:wdkMYG7tl5Wf809m2J2FIQJM