APT41-USAHerds-as-well-as-the-recent-blog-post-from-Mandiant


7/16/2021,Time12.cf,domainname,White 7/16/2021,Afdentry.workstation.eu.org,domainname,White 7/16/2021,cdn.ns.time12.cf,domainname,White 7/16/2021,east.winsproxy.com,domainname,White 7/16/2021,afdentry.workstation.eu.org,domainname,White 7/16/2021,ns1.entrydns.eu.org,domainname,White 7/16/2021,subnet.milli-seconds.com,domainname,White 7/16/2021,work.viewdns.ml,domainname,White 7/16/2021,work.queryip.cf,domainname,White 7/16/2021,microsoftfile.com,domainname,White 7/16/2021,down-flash.com,domainname,White 7/16/2021,libxqagv.ns.dns3.cf,domainname,White ceye.io fln9co.ceye.io microsofttranslator.com wbsdv95928.lithium.com d3n16yao9o6z9d.cloudfront.net

7/16/2021,\windows\system32\Physmem.sys ,filepath1,White 7/16/2021,\Windows\system32\ime\SHARED\WimBootConfigurations.ini,filepath3,White 7/16/2021,\Windows\system32\ime\IMEJP\WimBootConfigurations.ini,filepath3,White 7/16/2021,\Windows\system32\ime\IMETC\WimBootConfigurations.ini,filepath3,White 7/16/2021,\windows\system32\,filepath2,White 7/16/2021,\windows\system32\ime\,filepath2,White

7/16/2021,hklm\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32\,regkey,White 7/16/2021,hklm\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32\,regkey,White 7/16/2021,HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32\,regkey,White 7/16/2021,HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32\,regkey,White

7/16/2021,fbef9a5d1337c6ce979d31ca1411456ab5e5938a8a593436b6c91409a3c4436a,sha256,White 7/16/2021,b6488338d74248096eef15ce58bde96a13a8bd805f3ff76da679b5ef9728e7a8,sha256,White 7/16/2021,a4647fcb35c79f26354c34452e4a03a1e4e338a80b2c29db97bba4088a208ad0,sha256,White 7/16/2021,0b7b1988a07d1a7ea4b545cc97a360d1bd59c3c37a425fe30746de4278642b18,sha256,White 7/16/2021,d5b216bdd2782228c53fccc35ec661965b04c52bf6586571523f2c8781d20e94,sha256,White 7/16/2021,192.155.81.36,IP,White 7/16/2021,194.195.125.121,IP,White 7/16/2021,194.156.98.12,IP,White 7/16/2021,54.248.110.45,IP,White 7/16/2021,45.153.231.31,IP,White 7/16/2021,185.118.167.40,IP,White 7/16/2021,104.18.6.251,IP,White 7/16/2021,104.18.7.251,IP,White 7/16/2021,20.121.42.11,IP,White 7/16/2021,34.139.13.46,IP,White 7/16/2021,54.80.67.241,IP,White 7/16/2021,149.28.15.152,IP,White 7/16/2021,18.118.56.237,IP,White 7/16/2021,107.172.210.69,IP,White 7/16/2021,172.104.206.48,IP,White 7/16/2021,67.205.132.162,IP,White 7/16/2021,182.239.92.31,IP,White 7/16/2021,103.238.225.37,IP,White 7/16/2021,104.18.7.251,IP,White 7/16/2021,45.84.1.181,IP,White 7/16/2021,34.139.13.46,IP,White 7/16/2021,192.155.81.36,IP,White 7/16/2021,104.18.6.251,IP,White 7/16/2021,139.59.248.56,IP,White 7/16/2021,104.18.7.251,IP,White 7/16/2021,34.139.13.46,IP,White 7/16/2021,104.16.0.0/13,IP,White 7/16/2021,104.149.140.182,IP,White 7/16/2021,18.118.56.237,IP,White 7/16/2021,35.87.250.69,IP,White 7/16/2021,35.87.250.69,IP,White

20.121.42.11 104.149.134.38 104.149.140.180/30 118.192.48.48 122.10.117.202 144.202.112.250 149.248.7.127 158.69.253.64 54.144.37.217 54.248.110.45 54.199.117.45 107.172.210.69 172.104.206.48 108.138.19.129 172.104.46.213 138.124.180.203 34.117.254.173 34.120.57.236 34.120.243.77 34.98.122.108 34.120.85.253 104.149.134.38 8.46.116.152

SymEFASI.dat a.exe b.exe s.exe h.exe dwn.exe ff.DAT pa.DAT s.dat shark.dat shark2.dat x64.dll USOShared.xlm

0FCD7A8B37EDAD2F9090B44096D27FC8 c4bbab6d0b96a0ca7f8d520675bd273d eeddaaa11fa7231a8f4016d43530bf77 143278845a3f5276a1dd5860e7488313 069a5b09fb66a4c6cf0f62dab4e76220 da89dcefcde116e4c9569f6d367e3c73 f8eefd05b03055d2beccdde299086328 143278845a3f5276a1dd5860e7488313 069a5b09fb66a4c6cf0f62dab4e76220 dbf0bf5264ce164cd02c2da7e0151ec6 c4bbab6d0b96a0ca7f8d520675bd273d eeddaaa11fa7231a8f4016d43530bf77 143278845a3f5276a1dd5860e7488313 069a5b09fb66a4c6cf0f62dab4e76220 Da89dcefcde116e4c9569f6d367e3c73 f8eefd05b03055d2beccdde299086328 dbf0bf5264ce164cd02c2da7e0151ec6 139dbb1cb6a292abe2b162179d7e6c56 17851fbe051ba87664447e17e1e3ef61 1f18fef3235774187ab98acc7936d1c2 258fd54579185c08b3dd14ea3deec991 3f812f8f759c82bd8c313103ea02ea63 4d866a6d8aeb677a9592f0b40f3f328a 7f46277080e124b34f5887449db6a5f4 b5aa4107a1feec9707a1f6f26886fa6d e34f8c9044120d6149aca99658131d1d ebcf7556224f4fe8a726d2eb85b589cf f35b410326f97ef995a865b464141d3e c843b00b8e0ab346c558ce4894600183 8FDFD9D1D62D4B8CC863F24BBD96FD8A 2AA991C7B8DE2DBABA3962263DD6E6BE BFE8D5AA5831D7C7C1A9DBF4323DAE5E 7C33DB81BF7D0DA056364A3A8E38D9C3 D5757F377A22EFF6A1925D3D459350B0 759589512A2A31342C5BA13C61F9909D 34C4856BB61EFAF9E7920A03AE368930 66572D37219C1F03ACDB9F03D6CD0338 CF284ED3720A35E97FC528B23184E8D8 BF831B3916EF19E0BC74F4C783B7A368 8C7B2A428F1BFA6038FA4B3DE6CAF938 4804FB66406240617B0ED0B47DAE2F2F 63fb821cc4310b8bdb5d77fe24df92b1 d85a48ba367efe2781531900a9b8dbbc a1630a4d9b423268a10ac87f47dd8de6 bdd6c0902d419de4c8e1770cccab47f2 be900dddd36e4408df232bbd941cef78 50e35c62bf9f6de275f60a98a6e79cfa 8cabad1a8968358ac58ce6afdc30f9dc 844096c0aecef82c29dda3e0fad440d7 a693834690a432389811ceed601bbfb6 d8949ba3fa463607d3938f424c1cf8cd

d5bedeb401a84070a460409a19929acaaeead892 57b2c1299d79892fe313fd62428226ccbf2fc376 6f6b51e6c88e5252a2a117ca1cfb57934930166b 4edcec79780cde00df3fdac9b40a70106c3a8de5 df01f4aae885eb8126b91da7bdaa7d94696d0943 d5bedeb401a84070a460409a19929acaaeead892 57b2c1299d79892fe313fd62428226ccbf2fc376 6f6b51e6c88e5252a2a117ca1cfb57934930166b 4edcec79780cde00df3fdac9b40a70106c3a8de5 Df01f4aae885eb8126b91da7bdaa7d94696d0943 12aa9d56903f57df3802a9c79107ea9cs-1-5-18 fbef9a5d1337c6ce979d31ca1411456ab5e5938a8a593436b6c91409a3c4436a b6488338d74248096eef15ce58bde96a13a8bd805f3ff76da679b5ef9728e7a8 a4647fcb35c79f26354c34452e4a03a1e4e338a80b2c29db97bba4088a208ad0 0b7b1988a07d1a7ea4b545cc97a360d1bd59c3c37a425fe30746de4278642b18 d5b216bdd2782228c53fccc35ec661965b04c52bf6586571523f2c8781d20e94 fbef9a5d1337c6ce979d31ca1411456ab5e5938a8a593436b6c91409a3c4436a b6488338d74248096eef15ce58bde96a13a8bd805f3ff76da679b5ef9728e7a8 a4647fcb35c79f26354c34452e4a03a1e4e338a80b2c29db97bba4088a208ad0 0b7b1988a07d1a7ea4b545cc97a360d1bd59c3c37a425fe30746de4278642b18 d5b216bdd2782228c53fccc35ec661965b04c52bf6586571523f2c8781d20e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d5b55e9524e5a6a1fb68fcacf90c4b2c9c30c543e2ec165bd96ad8d86409ea 317f30bad387e64e673c188ff4ebdaf0bc8c42faf218eb6436efd14c7e105940 46271777072815b82b85fc35feafced9b9036b3b1427a7ac17993d01e72724c0 4e14267bcc3bc2b4b1226921bcf8d1e71311fae8070a0db5af64e8de6824cea4 5a476787cf193679b24d03a631e10107d1e517d883463bdce2051c1bf1b45704 6caacfd6e49e5453bed951aebcaccf5fc11f46f4c73db6437d791fd62bf653dc 909a7e023cd8ce44445f9f7a28c8aa239cc05d5b4bab508c6d4c215374add116 93df473d23aaadca8dd6e5579ef1457a73e93ab51583ccf60bd9e5a9c42e7701 a5abaa278ad33bfdb82751be586795acaf8877f85d734874a0939b902f89f6f4 eea77d0a74b229ec2add7c7d9e030c9735e13eddd5effa03ffd853d92962e924

usaherds/Logon.aspx .\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary Files\usaherds\c99cd219\8fb4a6b8
App_Web_egdio02m.dll within .\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\usaherds\c99cd219\8fb4a6b8
t.dll within .\Users\Public
ntuser.dll.zip within .\TEMP
cmqpxyxl within .\Windows\Temp
t.dll.zip within .\TEMP
cmxnot1n within .\Windows\Temp
1pkub5lt within .\Windows\Temp
x.dll.zip within .\TEMP
versions.txt within \Sites\USAHerds\usaherds\versions.txt
Change rights to process C:\windows\system32\spoolsv.exe
W3WP.exe->ipconfig /all
W3WP.exe->netstat -ano -p tcp
Reg save hklm\sam C:\ProgramData\SAM
Reg save hklm\system C:\ProgramData\SYSTEM
Dropped files in C:\programdata including users.dat