Summary | ZeroBOX

InstallSetup10.exe

Tags: Generic Malware, NSIS, Malicious Library, Malicious Packer, Admin Tool (Sysinternals etc ...), Antivirus, UPX, Anti_VM, PNG Format, OS Processor Check, MZP Format, CAB, CHM Format, JPEG Format, PE64, PE File, DLL, ZIP Format, BMP Format, icon, MSOffice File, PE32
Category FILE
Machine s1_win7_x6403_us
Started Jan. 13, 2024, 7:15 p.m.
Completed Jan. 13, 2024, 7:24 p.m.
Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 d5610fe6893c1bb0df7b32471f878839
SHA256 1be268eaff61a1b16c5707f42075e1ee1af7a8f746ee458869c977fba0f2b28d
CRC32 630372A4
ssdeep 49152:v82s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hsh:vEzX71oDCRAZUviAHImDqia7hsh
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • UPX_Zero - UPX packed file

IP Address Status Action
104.21.76.57 Active Moloch
164.124.101.2 Active Moloch
173.231.16.76 Active Moloch
185.172.128.53 Active Moloch
91.92.255.226 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
TCP 192.168.56.103:49165 -> 173.231.16.76:80 2029622 ET POLICY External IP Lookup (ipify .org) Potential Corporate Privacy Violation
TCP 192.168.56.103:49165 -> 173.231.16.76:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49170 -> 185.172.128.53:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 185.172.128.53:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.172.128.53:80 -> 192.168.56.103:49170 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.172.128.53:80 -> 192.168.56.103:49170 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.53:80 -> 192.168.56.103:49170 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49526 -> 104.21.76.57:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49526 -> 104.21.76.57:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49526 -> 104.21.76.57:443
Issuer C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Subject CN=iplogger.com
Fingerprint 58:f1:b8:44:37:6f:27:f8:01:6a:79:0e:7e:47:5b:b5:88:ec:1d:cc

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
status: 1 return: 1 repeated: 0
section .ndata
suspicious_features Connection to IP address
suspicious_request GET http://185.172.128.53/syncUpd.exe
request GET http://api.ipify.org/?format=fgf
request GET http://185.172.128.53/syncUpd.exe
request GET https://iplogger.com/1zteH4
NtAllocateVirtualMemory
process_identifier: 2132
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
GetDiskFreeSpaceExW
total_number_of_free_bytes: 9927962624
free_bytes_available: 9927962624
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 9933033472
free_bytes_available: 9933033472
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10020024320
free_bytes_available: 10020024320
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10020024320
free_bytes_available: 10020024320
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10020052992
free_bytes_available: 10020052992
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10023243776
free_bytes_available: 10023243776
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10023243776
free_bytes_available: 10023243776
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0

GetDiskFreeSpaceExW
total_number_of_free_bytes: 10023243776
free_bytes_available: 10023243776
root_path: C:
total_number_of_bytes: 34252779520
status: 1 return: 1 repeated: 0
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\nsiC570.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\nsiC570.tmp\Math.dll
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\syncUpd[1].exe
file C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file C:\Users\test22\AppData\Local\Temp\InstallSetup10.exe
file C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\nsh1DB2.tmp
file C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
InternetReadFile
buffer:
request_handle: 0x00cc000c
status: 1 return: 1 repeated: 0
host 185.172.128.53
host 91.92.255.226
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
dead_host 91.92.255.226:80