Malware Analysis Report

2024-10-10 13:06

Sample ID 240620-zkl49s1bqr
Target https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file was found to be: Known bad. This was a URL detonation: the sandbox opened the link in Microsoft Edge, the downloaded archive was extracted with 7-Zip (7zG.exe), and the extracted valiantspooferpaid.exe was run from C:\Users\Admin\Downloads\ValiantSpooferPaid\. Every process, dropped file and registry write listed below traces back to that executable and to the second-stage binary it launches, C:\msAgentServer\Windrivercrt.exe.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

UAC bypass

Process spawned unexpected child process

DcRat

DCRat payload

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Uses Volume Shadow Copy service COM API

Modifies registry class

Modifies registry key

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:46

Reported

2024-06-20 20:48

Platform

win10v2004-20240611-en

Max time kernel

75s

Max time network

77s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 39

The 39 rows of this signature are identical and are collapsed here. A process whose parent is WmiPrvSE.exe was started through WMI (Win32_Process.Create), which hides the real caller from parent/child process lineage; the count matches the 39 schtasks.exe invocations listed under Scheduled Task/Job below. Task names and command lines are not captured in this report.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Vss\Writers\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Vss\Writers\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Vss\Writers\msedge.exe N/A

Both stages write the same three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. That key is writable only with an elevated token, so the writer already held administrator rights when these rows were recorded; the effect is to weaken UAC for later sessions rather than to bypass it in this one. ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, and EnableLUA = 0 disables UAC entirely after the next reboot.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe N/A 6
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A 6
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\msAgentServer\Windrivercrt.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Windows\Vss\Writers\msedge.exe N/A 1

The 14 rows of this signature are collapsed by process above. Geo\Nation is read by many legitimate applications when they initialise locale information, so on its own it is a weak indicator; it only carries weight together with the rest of this report.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\msAgentServer\Windrivercrt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Vss\Writers\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Vss\Writers\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\msAgentServer\Windrivercrt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\valiantspooferpaid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Setup\State\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Windows\Setup\State\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Windows\Vss\Writers\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Windows\Vss\Writers\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Windows\twain_32\MoUsoCoreWorker.exe C:\msAgentServer\Windrivercrt.exe N/A
File created C:\Windows\twain_32\1f93f77a7f4778 C:\msAgentServer\Windrivercrt.exe N/A
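The two "Drops file" tables above show a repeated pattern: a copy of the second stage named after a Windows or Edge binary (msedge.exe, RuntimeBroker.exe, MoUsoCoreWorker.exe) placed in a directory where that binary does not belong, each with a 14-hex-character companion file beside it, and every write going to a location a standard user cannot write to. The script below is an added triage example written for this report, not part of the sandbox output: it parses the rows (copied from the tables into a constructed list), flags the masquerading copies against an allow-list of expected directories (EXPECTED_DIR, an editor's assumption), pairs each executable with its companion file, and counts the writes that require an elevated token.

```python
"""Triage the dropped-file rows of the report.

Added example, not sandbox output. SAMPLE_ROWS are copied from the two
"Drops file" tables; EXPECTED_DIR and PROTECTED_ROOTS are the editor's
assumptions about where these binaries normally live and which roots need
an administrator token to write to.
"""
import ntpath
import re

SAMPLE_ROWS = [
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\valiantspooferpaid.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Program Files\Windows Security\BrowserCore\en-US\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\Setup\State\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\Setup\State\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\Vss\Writers\msedge.exe C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\Vss\Writers\61a52ddc9dd915 C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\twain_32\MoUsoCoreWorker.exe C:\msAgentServer\Windrivercrt.exe N/A",
    r"File created C:\Windows\twain_32\1f93f77a7f4778 C:\msAgentServer\Windrivercrt.exe N/A",
]

ACTIONS = ("File created ", "File opened for modification ")
HEX14 = re.compile(r"^[0-9a-f]{14}$")
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
EXPECTED_DIR = {  # assumed allow-list: where each binary name legitimately lives
    "msedge.exe": (r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"),
    "runtimebroker.exe": (r"c:\windows\system32",),
    "mousocoreworker.exe": (r"c:\windows\system32",),
}


def parse_drop_rows(rows):
    """Return [(action, dropped_path, writing_process)]; other rows are skipped."""
    out = []
    for row in rows:
        row = row.strip()
        action = next((a for a in ACTIONS if row.startswith(a)), None)
        if action is None:
            continue
        body = row[len(action):]
        if body.endswith(" N/A"):
            body = body[:-4]
        # Paths may contain spaces, so split where the next "X:\" path begins.
        parts = re.split(r"\s(?=[A-Za-z]:\\)", body)
        if len(parts) == 2:
            out.append((action.strip(), parts[0], parts[1]))
    return out


def masquerades(drops):
    """Dropped files named like a known binary but outside its expected directory."""
    found = []
    for _, path, proc in drops:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        expected = EXPECTED_DIR.get(name)
        if expected and not any(folder.startswith(e) for e in expected):
            found.append((path, proc))
    return found


def companion_pairs(drops):
    """Map each dropped .exe to the 14-hex-char file created in the same folder."""
    by_dir = {}
    for _, path, _ in drops:
        by_dir.setdefault(ntpath.dirname(path).lower(), []).append(path)
    pairs = {}
    for paths in by_dir.values():
        markers = [ntpath.basename(p) for p in paths if HEX14.match(ntpath.basename(p).lower())]
        for p in paths:
            if p.lower().endswith(".exe"):
                pairs[p] = markers[0] if markers else None
    return pairs


def elevated_writes(drops):
    """Drops under roots that a standard user cannot write to."""
    return [path for _, path, _ in drops
            if any(path.lower().startswith(root + "\\") for root in PROTECTED_ROOTS)]


if __name__ == "__main__":
    drops = parse_drop_rows(SAMPLE_ROWS)
    for path, proc in masquerades(drops):
        print(f"[masquerade] {path}  (written by {proc})")
    for exe, marker in companion_pairs(drops).items():
        print(f"[companion]  {exe} -> {marker}")
    print(f"{len(elevated_writes(drops))} of {len(drops)} writes need an elevated token")
```

Run against the rows above, the script flags five masquerading copies, all written by Windrivercrt.exe, and shows that the three msedge.exe copies share one companion marker (61a52ddc9dd915) while the other two executables each get their own. The same directory-plus-companion pattern is a useful hunt on other hosts: look for a 14-hex-character file created next to an executable in a folder that normally holds neither.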

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe N/A 6
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\msAgentServer\Windrivercrt.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings C:\Windows\Vss\Writers\msedge.exe N/A 1

Modifies registry key

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\reg.exe N/A 5

The five reg.exe rows correspond to the five cmd.exe instances in the process chain under WriteProcessMemory below (one reg.exe per valiantspooferpaid.exe launch). The keys and values written by reg.exe are not captured in this report.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 39

The 39 schtasks.exe rows match the 39 WmiPrvSE.exe-parented launches under "Process spawned unexpected child process" above; the tasks were created through WMI rather than directly by the dropper.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\msAgentServer\Windrivercrt.exe N/A 10
N/A N/A C:\Windows\Vss\Writers\msedge.exe N/A 54

The 64 rows of this signature are collapsed by process above. Repeated enumeration from the dropped msedge.exe copy within the 75 s run is consistent with a RAT polling the process list, and the same two processes enable SeDebugPrivilege (see AdjustPrivilegeToken below), which is what they would need to open handles to processes they do not own.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege, not resolved to a name by the sandbox) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Vss\Writers\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A
Token: SeDebugPrivilege N/A C:\msAgentServer\Windrivercrt.exe N/A

The 7zG.exe rows are the archive extraction performed in the sandbox and the vssvc.exe rows are the Volume Shadow Copy service enabling its own privileges when it is started; neither is attributable to the sample. The rows that matter are the repeated SeDebugPrivilege enables in Windrivercrt.exe and in the dropped msedge.exe copy.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

The sandbox records each process creation as one to three identical "PID A wrote to memory of B" rows (the parent writing into the new child's address space). Deduplicated, the 64 rows describe five launches of valiantspooferpaid.exe (PIDs 5576, 4324, 6836, 280, 7124), each following the same script host > cmd.exe > second stage pattern; only the first Windrivercrt.exe instance (PID 6956) went on to start the dropped msedge.exe copy.

valiantspooferpaid.exe (5576)  C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe
  WScript.exe (6616)  C:\Windows\SysWOW64\WScript.exe
    cmd.exe (6772)  C:\Windows\SysWOW64\cmd.exe
      Windrivercrt.exe (6956)  C:\msAgentServer\Windrivercrt.exe
        cmd.exe (1552)  C:\Windows\System32\cmd.exe
          w32tm.exe (5992)  C:\Windows\system32\w32tm.exe
          msedge.exe (6636)  C:\Windows\Vss\Writers\msedge.exe
            WScript.exe (4576)  C:\Windows\System32\WScript.exe
            WScript.exe (5752)  C:\Windows\System32\WScript.exe
      reg.exe (5232)  C:\Windows\SysWOW64\reg.exe

valiantspooferpaid.exe (4324) > WScript.exe (6160) > cmd.exe (6876) > Windrivercrt.exe (7072), reg.exe (2500)
valiantspooferpaid.exe (6836) > WScript.exe (6140) > cmd.exe (972) > Windrivercrt.exe (7156), reg.exe (6944)
valiantspooferpaid.exe (280) > WScript.exe (5880) > cmd.exe (1200) > Windrivercrt.exe (3488), reg.exe (5884)
valiantspooferpaid.exe (7124) > WScript.exe (6788) > cmd.exe (3152) > Windrivercrt.exe (5148), reg.exe (6320)

Note the bitness switch: the dropper chain runs 32-bit hosts from SysWOW64, while Windrivercrt.exe launches 64-bit cmd.exe and WScript.exe from System32. The w32tm.exe launch is consistent with the way DCRat loaders commonly use w32tm /stripchart as a delay before starting the next stage, but its command line is not captured in this report. The 39 WmiPrvSE.exe > schtasks.exe launches do not appear in this table because WMI, not the dropper, created those processes.
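Rebuilding lineage from the raw memory-write rows is something a responder has to do on every report of this kind, because the sandbox lists edges, not a tree. The script below is an added example written for this report, not part of the sandbox output: it parses "PID A wrote to memory of B" rows (a subset copied from the table above into a constructed list, plus one invented WmiPrvSE.exe > schtasks.exe row with made-up PIDs 900/901 so the WMI rule has something to match), de-duplicates the repeated rows, renders the tree, returns the ancestry of any PID, and applies two lineage rules taken from this report: a script host launching cmd.exe, and schtasks.exe whose parent is WmiPrvSE.exe.

```python
"""Rebuild process lineage from sandbox 'PID A wrote to memory of B' rows.

Added example, not sandbox output. SAMPLE_ROWS are copied from the report's
WriteProcessMemory table; the final row (PIDs 900/901) is constructed and
its PIDs are invented.
"""
import ntpath
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE_ROWS = [
    r"PID 5576 wrote to memory of 6616 N/A C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 5576 wrote to memory of 6616 N/A C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 6616 wrote to memory of 6772 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 6772 wrote to memory of 6956 N/A C:\Windows\SysWOW64\cmd.exe C:\msAgentServer\Windrivercrt.exe",
    r"PID 6956 wrote to memory of 1552 N/A C:\msAgentServer\Windrivercrt.exe C:\Windows\System32\cmd.exe",
    r"PID 6772 wrote to memory of 5232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 1552 wrote to memory of 5992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 1552 wrote to memory of 6636 N/A C:\Windows\System32\cmd.exe C:\Windows\Vss\Writers\msedge.exe",
    r"PID 6636 wrote to memory of 4576 N/A C:\Windows\Vss\Writers\msedge.exe C:\Windows\System32\WScript.exe",
    r"PID 6636 wrote to memory of 5752 N/A C:\Windows\Vss\Writers\msedge.exe C:\Windows\System32\WScript.exe",
    # Constructed row with invented PIDs: the WMI-launched schtasks.exe from the
    # "unexpected child process" signature, which the memory-write table omits.
    r"PID 900 wrote to memory of 901 N/A C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\schtasks.exe",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_rows(rows):
    """Return ({child_pid: parent_pid}, {pid: image_path}) with duplicates removed."""
    parent_of, image = {}, {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header line or a row in another format
        ppid, cpid = int(m.group(1)), int(m.group(2))
        parent_of[cpid] = ppid
        image.setdefault(ppid, m.group(3))
        image.setdefault(cpid, m.group(4))
    return parent_of, image


def basename(image, pid):
    return ntpath.basename(image[pid]).lower()


def chain(parent_of, image, pid):
    """Ancestry of pid as [(pid, image basename), ...], root first."""
    out = []
    while pid is not None:
        out.append((pid, basename(image, pid)))
        pid = parent_of.get(pid)
    return out[::-1]


def render_tree(parent_of, image):
    """Indented tree, one line per process, roots sorted by PID."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{ntpath.basename(image[pid])} ({pid})  {image[pid]}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in image if p not in parent_of):
        walk(root, 0)
    return "\n".join(lines)


def suspicious_edges(parent_of, image):
    """Parent/child pairs matching the two lineage rules taken from this report."""
    findings = []
    for cpid, ppid in parent_of.items():
        pname, cname = basename(image, ppid), basename(image, cpid)
        if pname in SCRIPT_HOSTS and cname == "cmd.exe":
            findings.append((cpid, f"{pname} spawned cmd.exe"))
        if pname == "wmiprvse.exe" and cname == "schtasks.exe":
            findings.append((cpid, "schtasks.exe created via WMI (parent WmiPrvSE.exe)"))
    return findings


if __name__ == "__main__":
    parent_of, image = parse_rows(SAMPLE_ROWS)
    print(render_tree(parent_of, image))
    for pid, why in suspicious_edges(parent_of, image):
        print(f"[!] PID {pid}: {why}")
```

On the rows above, chain() for PID 6636 gives the six-process path from valiantspooferpaid.exe to the dropped msedge.exe copy, and suspicious_edges() flags PID 6772 (WScript.exe > cmd.exe) and the constructed PID 901. The WMI rule is the one to keep in mind on real endpoint telemetry: a schtasks.exe whose parent is WmiPrvSE.exe never links back to the dropper in parent/child data alone, so the task's creator has to be recovered from WMI activity logging or from the task's own action path.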

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\msAgentServer\Windrivercrt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Vss\Writers\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Vss\Writers\msedge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Vss\Writers\msedge.exe N/A

These are the same six writes reported under UAC bypass above, matched a second time by the generic policy-modification signature.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware
This tag is the sandbox's generic label for any use of the VSS COM interface. Nothing in this report shows shadow copies being enumerated or deleted, and the vssvc.exe privilege rows above are the service starting in response to the call; treat the ransomware tag as unconfirmed rather than as evidence of destructive behaviour.

Processes

The msedge.exe entries below are the browser's own renderer and utility processes created while loading the submitted MediaFire page; they are listed because the URL was the sample, not because they are malicious.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/nux68zw3jsheeek/ValiantSpooferPaid.rar/file

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4376,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3856,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5300,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5348,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5804,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5796,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6108,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6036,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6360,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6664,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6876,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=7064,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7392,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7396,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7620,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7760,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7772,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7776,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=8116,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=8220,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8436,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=8520,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8660,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=8640,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=9236,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=9308,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=9664,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=9960,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=10096,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=10236,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=10368,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10332 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=10516,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=10176,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=7148,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10732,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=9440,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=8924,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=10072,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=6888,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=9056,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=8680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=9876,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=10256,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8300,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=10300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=10464,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=11004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=7000,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ValiantSpooferPaid\" -spe -an -ai#7zMap7654:98:7zEvent2033

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\msAgentServer\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\msAgentServer\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msAgentServer\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\msAgentServer\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\msAgentServer\msedge.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Windows\Vss\Writers\msedge.exe

"C:\Windows\Vss\Writers\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5536,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=9468,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=9272 /prefetch:8

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

"C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat" "

C:\msAgentServer\Windrivercrt.exe

"C:\msAgentServer\Windrivercrt.exe"
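
Read together, the schtasks, reg and w32tm lines above are the DcRat loader's persistence routine: each dropped copy carries the name of a Windows binary (conhost.exe, RuntimeBroker.exe, taskhostw.exe, MoUsoCoreWorker.exe, WmiPrvSE.exe, TrustedInstaller.exe, upfc.exe, msedge.exe) but is scheduled from a directory where that binary does not belong, each one gets an ONLOGON task with /rl HIGHEST plus a MINUTE-interval task, the task names are the target's file name with at most one extra letter, and reg.exe sets DisableTaskMgr by policy. The Python below is an added triage script, not part of this report or of any sandbox tooling; it turns those observations into heuristics and runs them over command lines taken from the process list. The allow-list of expected directories and the 15-minute threshold are assumptions, the last two sample lines are constructed benign controls, and treating w32tm /stripchart against localhost as a sleep substitute is the analyst's interpretation, not something the report states.

```python
"""Triage sandbox command lines: flag scheduled-task persistence that masquerades
as Windows binaries, the Task Manager policy change and the w32tm delay call."""
import re

# Where the binaries impersonated in this report normally live. Assumption: a
# deliberately short allow-list for these names, not an inventory of every
# legitimate location of each file.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "mousocoreworker.exe": {r"c:\windows\system32"},
    "upfc.exe": {r"c:\windows\system32"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "msedge.exe": {
        r"c:\program files (x86)\microsoft\edge\application",
        r"c:\program files\microsoft\edge\application",
    },
}
SHORT_INTERVAL_MINUTES = 15  # assumption: tasks firing this often are worth a look

SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b(?P<args>.*)", re.I)
DISABLE_TASKMGR = re.compile(
    r"reg(?:\.exe)?\s+add\s+HK\w+\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Policies\\System\s+/v\s+DisableTaskMgr\b.*?/d\s+1\b", re.I)
# Polling localhost with w32tm for N samples is a common batch-file sleep
# substitute (analyst interpretation; the report itself does not say why it runs).
W32TM_DELAY = re.compile(r"w32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)


def _opt(args: str, name: str):
    """Value of a schtasks /name option, with surrounding "..." and '...' removed."""
    m = re.search(rf'/{name}\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', args, re.I)
    if not m:
        return None
    return (m.group("q") if m.group("q") is not None else m.group("u")).strip("'")


def rules_for(cmd: str) -> list:
    """Sorted names of every heuristic that fires on one command line."""
    hits = []
    m = SCHTASKS_CREATE.search(cmd)
    if m:
        args = m.group("args")
        name = (_opt(args, "tn") or "").lower()
        target = (_opt(args, "tr") or "").lower()
        directory, _, exe = target.rpartition("\\")
        stem = exe.rsplit(".", 1)[0]
        expected = EXPECTED_DIRS.get(exe)
        if expected and directory not in expected:
            hits.append("masquerade_path")        # system-binary name, wrong directory
        if stem and name.startswith(stem):
            hits.append("name_mimics_target")     # e.g. task "conhostc" -> conhost.exe
        if re.search(r"/rl\s+HIGHEST\b", args, re.I):
            hits.append("runlevel_highest")
        mo = _opt(args, "mo")
        if (_opt(args, "sc") or "").upper() == "MINUTE" and mo and mo.isdigit() \
                and int(mo) <= SHORT_INTERVAL_MINUTES:
            hits.append("short_interval")
    if DISABLE_TASKMGR.search(cmd):
        hits.append("disable_taskmgr")
    if W32TM_DELAY.search(cmd):
        hits.append("w32tm_localhost_delay")
    return sorted(hits)


def triage(cmdlines) -> dict:
    """Map every command line that fired at least one rule to its rule names."""
    return {c: h for c in cmdlines if (h := rules_for(c))}


# The first five lines are copied from the process list in this report; the
# last two are constructed benign controls (the Edge line is abbreviated).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\msedge.exe'" /rl HIGHEST /f''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
    r'''"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1''',
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(", ".join(hits).ljust(58), cmd[:72])
```

Run it directly to print which rules fire on each line. The same checks translate to process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688) with a parent filter of cmd.exe or wscript.exe; the masquerade check is the one that generalises beyond this sample, since any scheduled task whose target is named like a System32 binary but lives under C:\Users, C:\Recovery or a random Windows subdirectory deserves a look regardless of the family.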

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 104.16.113.74:443 www.mediafire.com udp
US 104.16.113.74:443 www.mediafire.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 2.20.12.87:443 bzib.nelreports.net tcp
US 172.67.199.186:443 the.gatekeeperconsent.com udp
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 8.8.8.8:53 static.mediafire.com udp
US 104.22.74.216:443 btloader.com tcp
US 8.8.8.8:53 privacy.gatekeeperconsent.com udp
US 8.8.8.8:53 privacy.gatekeeperconsent.com udp
US 8.8.8.8:53 www.ezojs.com udp
US 8.8.8.8:53 www.ezojs.com udp
US 8.8.8.8:53 translate.google.com udp
US 8.8.8.8:53 translate.google.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 8.8.8.8:53 cdn.otnolatrnup.com udp
US 8.8.8.8:53 cdn.otnolatrnup.com udp
US 104.21.42.32:443 privacy.gatekeeperconsent.com udp
US 104.21.63.106:443 www.ezojs.com udp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
FR 13.249.9.41:443 cdn.amplitude.com tcp
US 104.16.53.110:443 cdn.otnolatrnup.com udp
GB 142.250.187.238:443 translate.google.com tcp
US 8.8.8.8:53 www.mediafiredls.com udp
US 8.8.8.8:53 www.mediafiredls.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 104.21.42.32:443 privacy.gatekeeperconsent.com udp
US 104.26.2.173:443 www.mediafiredls.com tcp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 ad-delivery.net udp
US 8.8.8.8:53 ad-delivery.net udp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
US 130.211.23.194:443 api.btloader.com tcp
US 104.26.2.70:443 ad-delivery.net tcp
US 104.26.2.70:443 ad-delivery.net tcp
US 8.8.8.8:53 api.amplitude.com udp
US 8.8.8.8:53 api.amplitude.com udp
US 52.11.51.140:443 api.amplitude.com tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 74.113.16.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 186.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 87.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 216.74.22.104.in-addr.arpa udp
US 8.8.8.8:53 32.42.21.104.in-addr.arpa udp
US 8.8.8.8:53 106.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 110.53.16.104.in-addr.arpa udp
US 8.8.8.8:53 73.79.16.104.in-addr.arpa udp
US 8.8.8.8:53 41.9.249.13.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 173.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 6.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.ezoic.net udp
US 8.8.8.8:53 g.ezoic.net udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
NL 23.62.61.194:443 www.bing.com tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
FR 13.39.145.251:443 g.ezoic.net tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.co.uk udp
US 130.211.23.194:443 api.btloader.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 translate.googleapis.com udp
US 8.8.8.8:53 translate.googleapis.com udp
US 8.8.8.8:53 go.ezodn.com udp
US 8.8.8.8:53 go.ezodn.com udp
US 172.67.199.186:443 privacy.gatekeeperconsent.com udp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
GB 142.250.200.3:443 www.google.co.uk udp
US 172.67.142.121:443 go.ezodn.com udp
GB 142.250.187.202:443 translate.googleapis.com tcp
BE 64.233.166.157:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 g.ezodn.com udp
US 8.8.8.8:53 g.ezodn.com udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 ad.crwdcntrl.net udp
US 8.8.8.8:53 ad.crwdcntrl.net udp
US 8.8.8.8:53 bcp.crwdcntrl.net udp
US 8.8.8.8:53 bcp.crwdcntrl.net udp
GB 142.250.187.196:443 www.google.com udp
IE 52.17.55.191:443 bcp.crwdcntrl.net tcp
FR 18.155.129.56:443 tags.crwdcntrl.net tcp
US 8.8.8.8:53 translate-pa.googleapis.com udp
US 8.8.8.8:53 translate-pa.googleapis.com udp
IE 54.72.245.162:443 bcp.crwdcntrl.net tcp
GB 142.250.178.10:443 translate-pa.googleapis.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 bshr.ezodn.com udp
US 8.8.8.8:53 bshr.ezodn.com udp
GB 216.58.201.98:443 googleads.g.doubleclick.net udp
US 104.21.87.79:443 bshr.ezodn.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 8.8.8.8:53 70.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 251.145.39.13.in-addr.arpa udp
US 8.8.8.8:53 140.51.11.52.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 121.142.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 56.129.155.18.in-addr.arpa udp
US 8.8.8.8:53 191.55.17.52.in-addr.arpa udp
US 8.8.8.8:53 162.245.72.54.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 79.87.21.104.in-addr.arpa udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 bcp.crwdcntrl.net udp
US 8.8.8.8:53 bcp.crwdcntrl.net udp
US 8.8.8.8:53 bcp.crwdcntrl.net udp
US 8.8.8.8:53 www.mediafire.com udp
IE 34.247.240.165:443 bcp.crwdcntrl.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.mediafire.com udp
FR 13.39.145.251:443 g.ezoic.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 script.4dex.io udp
US 8.8.8.8:53 script.4dex.io udp
US 8.8.8.8:53 tlx.3lift.com udp
US 8.8.8.8:53 tlx.3lift.com udp
US 8.8.8.8:53 hb-api.omnitagjs.com udp
US 8.8.8.8:53 hb-api.omnitagjs.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 ghb.adtelligent.com udp
US 8.8.8.8:53 ghb.adtelligent.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 hb.yellowblue.io udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 prebid.smilewanted.com udp
US 8.8.8.8:53 prebid.cootlogix.com udp
US 8.8.8.8:53 prebid.cootlogix.com udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 cdn.jsdelivr.net udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 cdn.id5-sync.com udp
US 8.8.8.8:53 oa.openxcdn.net udp
US 8.8.8.8:53 oa.openxcdn.net udp
US 8.8.8.8:53 static.criteo.net udp
US 8.8.8.8:53 static.criteo.net udp
US 8.8.8.8:53 cdn.prod.uidapi.com udp
US 8.8.8.8:53 cdn.prod.uidapi.com udp
US 8.8.8.8:53 invstatic101.creativecdn.com udp
US 8.8.8.8:53 invstatic101.creativecdn.com udp
US 8.8.8.8:53 cdn-ima.33across.com udp
US 8.8.8.8:53 cdn-ima.33across.com udp
GB 142.250.187.226:443 googleads.g.doubleclick.net udp
GB 142.250.187.226:443 googleads.g.doubleclick.net udp
US 104.26.8.169:443 script.4dex.io tcp
US 104.18.36.155:443 htlb.casalemedia.com tcp
DE 51.89.9.251:443 onetag-sys.com tcp
DE 18.157.230.4:443 tlx.3lift.com tcp
FR 185.255.84.150:443 hb-api.omnitagjs.com tcp
US 67.207.94.117:443 prebid.cootlogix.com tcp
US 67.207.94.117:443 prebid.cootlogix.com tcp
US 67.207.94.117:443 prebid.cootlogix.com tcp
US 67.207.94.117:443 prebid.cootlogix.com tcp
US 67.207.94.117:443 prebid.cootlogix.com tcp
GB 185.64.190.77:443 hbopenbid.pubmatic.com tcp
NL 145.40.97.66:443 prebid.a-mo.net tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 34.102.146.192:443 oa.openxcdn.net tcp
FR 18.244.28.8:443 hb.yellowblue.io tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 104.22.30.209:443 prebid.smilewanted.com tcp
US 107.151.11.18:443 ghb.adtelligent.com tcp
US 34.96.70.87:443 invstatic101.creativecdn.com tcp
US 104.22.52.86:443 cdn.id5-sync.com tcp
FR 99.86.95.185:443 cdn.prod.uidapi.com tcp
US 104.18.35.167:443 cdn-ima.33across.com tcp
NL 178.250.1.3:443 static.criteo.net tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 oajs.openx.net udp
US 8.8.8.8:53 oajs.openx.net udp
US 104.26.8.169:443 script.4dex.io tcp
US 8.8.8.8:53 cadmus.script.ac udp
US 8.8.8.8:53 cadmus.script.ac udp
US 34.120.107.143:443 oajs.openx.net tcp
US 104.18.22.145:443 cadmus.script.ac tcp
US 8.8.8.8:53 id5-sync.com udp
US 8.8.8.8:53 id5-sync.com udp
DE 162.19.138.118:443 id5-sync.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 226.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 169.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 77.190.64.185.in-addr.arpa udp
US 8.8.8.8:53 155.36.18.104.in-addr.arpa udp
US 8.8.8.8:53 192.146.102.34.in-addr.arpa udp
US 8.8.8.8:53 229.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 87.70.96.34.in-addr.arpa udp
US 8.8.8.8:53 150.84.255.185.in-addr.arpa udp
US 8.8.8.8:53 8.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 66.97.40.145.in-addr.arpa udp
US 8.8.8.8:53 209.30.22.104.in-addr.arpa udp
US 8.8.8.8:53 251.9.89.51.in-addr.arpa udp
US 8.8.8.8:53 4.230.157.18.in-addr.arpa udp
US 8.8.8.8:53 86.52.22.104.in-addr.arpa udp
US 8.8.8.8:53 167.35.18.104.in-addr.arpa udp
US 8.8.8.8:53 185.95.86.99.in-addr.arpa udp
US 8.8.8.8:53 3.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 117.94.207.67.in-addr.arpa udp
US 8.8.8.8:53 18.11.151.107.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.mediafire.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
GB 142.250.187.196:443 www.google.com udp
US 104.18.36.155:443 htlb.casalemedia.com udp
DE 51.89.9.251:443 onetag-sys.com udp
US 8.8.8.8:53 ghb1.adtelligent.com udp
US 8.8.8.8:53 ghb1.adtelligent.com udp
US 34.120.107.143:443 oajs.openx.net udp
DE 142.132.249.188:443 ghb1.adtelligent.com tcp
US 8.8.8.8:53 1cf10096c79c802f86055aeae81c677a.safeframe.googlesyndication.com udp
US 8.8.8.8:53 1cf10096c79c802f86055aeae81c677a.safeframe.googlesyndication.com udp
US 8.8.8.8:53 1cf10096c79c802f86055aeae81c677a.safeframe.googlesyndication.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 google-bidout-d.openx.net udp
US 8.8.8.8:53 www.mediafire.com udp
N/A 224.0.0.251:5353 udp
US 34.98.64.218:443 google-bidout-d.openx.net tcp
US 34.98.64.218:443 google-bidout-d.openx.net tcp
GB 172.217.169.65:443 1cf10096c79c802f86055aeae81c677a.safeframe.googlesyndication.com tcp
GB 172.217.169.65:443 1cf10096c79c802f86055aeae81c677a.safeframe.googlesyndication.com tcp
GB 172.217.16.225:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 143.107.120.34.in-addr.arpa udp
US 8.8.8.8:53 145.22.18.104.in-addr.arpa udp
US 8.8.8.8:53 118.138.19.162.in-addr.arpa udp
US 8.8.8.8:53 66.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 188.249.132.142.in-addr.arpa udp
US 8.8.8.8:53 218.64.98.34.in-addr.arpa udp
US 8.8.8.8:53 65.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
NL 178.250.1.11:443 gum.criteo.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 ag.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
US 8.8.8.8:53 gem.gbc.criteo.com udp
FR 178.250.7.13:443 dnacdn.net tcp
NL 185.235.87.96:443 ag.gbc.criteo.com tcp
NL 185.235.87.187:443 gem.gbc.criteo.com tcp
US 8.8.8.8:53 2.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 11.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 13.7.250.178.in-addr.arpa udp
US 8.8.8.8:53 96.87.235.185.in-addr.arpa udp
US 8.8.8.8:53 187.87.235.185.in-addr.arpa udp
US 8.8.8.8:53 download1324.mediafire.com udp
US 8.8.8.8:53 download1324.mediafire.com udp
US 205.196.123.12:443 download1324.mediafire.com tcp
US 216.239.34.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 205.196.123.12:443 download1324.mediafire.com tcp
US 104.16.53.110:443 otnolatrnup.com udp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 sync.cootlogix.com udp
US 8.8.8.8:53 sync.cootlogix.com udp
US 8.8.8.8:53 sync.cootlogix.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 www.mediafire.com udp
NL 79.127.227.46:443 id.a-mx.com tcp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 prebid.a-mo.net udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
US 8.8.8.8:53 www.mediafire.com udp
FR 185.255.84.152:443 visitor.omnitagjs.com tcp
US 67.202.105.23:443 ssc-cms.33across.com tcp
US 172.67.14.119:443 csync.smilewanted.com tcp
US 159.223.152.254:443 sync.cootlogix.com tcp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 8.8.8.8:53 js-sec.indexww.com udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 hbx.media.net udp
US 8.8.8.8:53 hbx.media.net udp
DE 51.89.9.252:443 onetag-sys.com tcp
US 8.8.8.8:53 hbx.media.net udp
US 8.8.8.8:53 www.mediafire.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 gum.criteo.com udp
US 8.8.8.8:53 cm.adform.net udp
US 8.8.8.8:53 cm.adform.net udp
US 8.8.8.8:53 cm.adform.net udp
US 8.8.8.8:53 www.mediafire.com udp
NL 147.75.84.158:443 prebid.a-mo.net tcp
DE 49.12.126.50:443 s.console.adtarget.com.tr tcp
US 13.248.245.213:443 eb2.3lift.com tcp
GB 2.21.188.239:443 ads.pubmatic.com tcp
US 104.18.38.76:443 js-sec.indexww.com tcp
GB 2.21.188.27:443 hbx.media.net tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 67.202.105.23:443 ssc-cms.33across.com tcp
FR 185.255.84.152:443 visitor.omnitagjs.com tcp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
DK 37.157.5.133:443 cm.adform.net tcp
DE 51.89.9.252:443 onetag-sys.com tcp
US 13.248.245.213:443 eb2.3lift.com tcp
GB 2.21.188.239:443 ads.pubmatic.com tcp
GB 2.21.188.27:443 hbx.media.net tcp
US 8.8.8.8:53 ups.analytics.yahoo.com udp
US 8.8.8.8:53 ups.analytics.yahoo.com udp
US 8.8.8.8:53 id.hadron.ad.gt udp
US 8.8.8.8:53 id.hadron.ad.gt udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 id.crwdcntrl.net udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 lb.eu-1-id5-sync.com udp
US 8.8.8.8:53 lb.eu-1-id5-sync.com udp
DK 37.157.5.133:443 cm.adform.net tcp
US 104.22.4.69:443 id.hadron.ad.gt tcp
US 35.71.131.137:443 match.adsrvr.org tcp
DE 3.75.62.37:443 ups.analytics.yahoo.com tcp
DE 162.19.138.119:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 c3.a-mo.net udp
US 8.8.8.8:53 c3.a-mo.net udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
DE 79.127.216.47:443 c3.a-mo.net tcp
US 20.189.173.15:443 tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
DE 162.19.138.118:443 lb.eu-1-id5-sync.com tcp
US 8.8.8.8:53 dnacdn.net udp
US 8.8.8.8:53 dnacdn.net udp
FR 178.250.7.13:443 dnacdn.net tcp
US 8.8.8.8:53 sync.adtelligent.com udp
US 8.8.8.8:53 sync.adtelligent.com udp
US 8.8.8.8:53 sync.adtelligent.com udp
US 8.8.8.8:53 12.123.196.205.in-addr.arpa udp
US 8.8.8.8:53 46.227.127.79.in-addr.arpa udp
US 8.8.8.8:53 119.14.67.172.in-addr.arpa udp
US 8.8.8.8:53 152.84.255.185.in-addr.arpa udp
US 8.8.8.8:53 252.9.89.51.in-addr.arpa udp
US 8.8.8.8:53 213.245.248.13.in-addr.arpa udp
US 8.8.8.8:53 158.84.75.147.in-addr.arpa udp
US 8.8.8.8:53 76.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 50.126.12.49.in-addr.arpa udp
US 8.8.8.8:53 254.152.223.159.in-addr.arpa udp
US 8.8.8.8:53 239.188.21.2.in-addr.arpa udp
US 8.8.8.8:53 23.105.202.67.in-addr.arpa udp
US 8.8.8.8:53 27.188.21.2.in-addr.arpa udp
US 8.8.8.8:53 133.5.157.37.in-addr.arpa udp
US 8.8.8.8:53 137.131.71.35.in-addr.arpa udp
US 8.8.8.8:53 69.4.22.104.in-addr.arpa udp
US 8.8.8.8:53 37.62.75.3.in-addr.arpa udp
US 8.8.8.8:53 119.138.19.162.in-addr.arpa udp
US 8.8.8.8:53 47.216.127.79.in-addr.arpa udp
GB 185.83.71.234:443 sync.adtelligent.com tcp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 otnolatrnup.com udp
US 8.8.8.8:53 assets.a-mo.net udp
US 8.8.8.8:53 assets.a-mo.net udp
US 8.8.8.8:53 rtb.mfadsrvr.com udp
US 8.8.8.8:53 rtb.mfadsrvr.com udp
US 8.8.8.8:53 sync.mathtag.com udp
US 8.8.8.8:53 sync.mathtag.com udp
US 104.19.159.19:443 assets.a-mo.net tcp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
GB 142.250.187.202:443 translate-pa.googleapis.com udp
US 216.200.232.253:443 sync.mathtag.com tcp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 js-sec.indexww.com udp
NL 35.214.199.88:443 rtb.mfadsrvr.com tcp
US 172.64.151.101:443 ssum-sec.casalemedia.com tcp
US 172.64.151.101:443 ssum-sec.casalemedia.com tcp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 woreppercomming.com udp
US 8.8.8.8:53 static.smilewanted.com udp
US 8.8.8.8:53 static.smilewanted.com udp
FR 18.155.129.103:443 woreppercomming.com tcp
US 8.8.8.8:53 gum.aidemsrv.com udp
US 8.8.8.8:53 gum.aidemsrv.com udp
US 8.8.8.8:53 gum.aidemsrv.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
DE 51.89.9.252:443 onetag-sys.com udp
US 8.8.8.8:53 onetag-sys.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 104.17.44.93:443 gum.aidemsrv.com udp
US 8.8.8.8:53 pixel-eu.rubiconproject.com udp
US 8.8.8.8:53 pixel-eu.rubiconproject.com udp
US 172.64.151.101:443 ssum-sec.casalemedia.com udp
US 8.8.8.8:53 234.71.83.185.in-addr.arpa udp
US 8.8.8.8:53 19.159.19.104.in-addr.arpa udp
US 8.8.8.8:53 88.199.214.35.in-addr.arpa udp
US 8.8.8.8:53 101.151.64.172.in-addr.arpa udp
US 8.8.8.8:53 253.232.200.216.in-addr.arpa udp
US 8.8.8.8:53 103.129.155.18.in-addr.arpa udp
US 8.8.8.8:53 93.44.17.104.in-addr.arpa udp
NL 69.173.156.148:443 pixel-eu.rubiconproject.com tcp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
NL 185.89.210.20:443 secure.adnxs.com tcp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
NL 185.89.210.20:443 secure.adnxs.com tcp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
US 8.8.8.8:53 www.ovardu.com udp
US 8.8.8.8:53 www.ovardu.com udp
GB 51.140.244.186:443 app-edge.smartscreen.microsoft.com tcp
US 2.20.12.106:443 player.aniview.com tcp
US 104.21.96.72:443 www.ovardu.com udp
US 8.8.8.8:53 secure-assets.rubiconproject.com udp
US 8.8.8.8:53 secure-assets.rubiconproject.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
ES 23.60.223.190:443 secure-assets.rubiconproject.com tcp
ES 23.60.223.190:443 secure-assets.rubiconproject.com tcp
US 8.8.8.8:53 ssbsync.smartadserver.com udp
US 8.8.8.8:53 ssbsync.smartadserver.com udp
US 8.8.8.8:53 ssbsync.smartadserver.com udp
US 8.8.8.8:53 visitor.omnitagjs.com udp
FR 149.202.238.101:443 ssbsync.smartadserver.com tcp
FR 149.202.238.101:443 ssbsync.smartadserver.com tcp
US 8.8.8.8:53 eus.rubiconproject.com udp
US 8.8.8.8:53 eus.rubiconproject.com udp
US 8.8.8.8:53 eus.rubiconproject.com udp
US 8.8.8.8:53 dis.criteo.com udp
US 8.8.8.8:53 dis.criteo.com udp
US 8.8.8.8:53 api-2-0.spot.im udp
US 8.8.8.8:53 api-2-0.spot.im udp
US 8.8.8.8:53 creativecdn.com udp
US 8.8.8.8:53 sync.1rx.io udp
US 8.8.8.8:53 sync.1rx.io udp
US 8.8.8.8:53 x.bidswitch.net udp
US 8.8.8.8:53 x.bidswitch.net udp
US 8.8.8.8:53 match.prod.bidr.io udp
US 8.8.8.8:53 match.prod.bidr.io udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 b1sync.zemanta.com udp
US 8.8.8.8:53 b1sync.zemanta.com udp
NL 35.214.199.88:443 rtb.mfadsrvr.com udp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
US 8.8.8.8:53 s.console.adtarget.com.tr udp
GB 2.21.189.68:443 eus.rubiconproject.com tcp
NL 178.250.1.9:443 dis.criteo.com tcp
NL 185.184.8.90:443 creativecdn.com tcp
US 3.33.220.150:443 match.adsrvr.org tcp
FR 99.86.91.65:443 api-2-0.spot.im tcp
NL 46.228.174.117:443 sync.1rx.io tcp
US 8.8.8.8:53 image8.pubmatic.com udp
US 8.8.8.8:53 image8.pubmatic.com udp
US 64.202.112.63:443 b1sync.zemanta.com tcp
US 8.8.8.8:53 sync.srv.stackadapt.com udp
US 8.8.8.8:53 sync.srv.stackadapt.com udp
IE 52.213.189.168:443 match.prod.bidr.io tcp
NL 35.214.149.91:443 x.bidswitch.net tcp
US 8.8.8.8:53 cdn.indexww.com udp
US 8.8.8.8:53 cdn.indexww.com udp
NL 198.47.127.18:443 image8.pubmatic.com tcp
US 54.221.116.2:443 sync.srv.stackadapt.com tcp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 ads.stickyadstv.com udp
US 8.8.8.8:53 ads.stickyadstv.com udp
US 8.8.8.8:53 pixel.rubiconproject.com udp
US 8.8.8.8:53 cs.admanmedia.com udp
US 8.8.8.8:53 cs.admanmedia.com udp
US 8.8.8.8:53 t.adx.opera.com udp
US 8.8.8.8:53 t.adx.opera.com udp
US 8.8.8.8:53 ssbsync-global.smartadserver.com udp
US 8.8.8.8:53 ssbsync-global.smartadserver.com udp
NL 198.47.127.18:443 image8.pubmatic.com tcp
US 8.8.8.8:53 spl.zeotap.com udp
US 8.8.8.8:53 spl.zeotap.com udp
US 80.77.87.161:443 cs.admanmedia.com tcp
NL 82.145.213.8:443 t.adx.opera.com tcp
US 8.8.8.8:53 cm.g.doubleclick.net udp
US 8.8.8.8:53 cm.g.doubleclick.net udp
NL 35.214.149.91:443 x.bidswitch.net tcp
US 104.22.50.98:443 spl.zeotap.com tcp
NL 69.173.156.149:443 pixel-eu.rubiconproject.com tcp
US 80.77.87.161:443 cs.admanmedia.com tcp
NL 81.17.55.170:443 ssbsync-global.smartadserver.com tcp
NL 154.57.158.115:443 ads.stickyadstv.com tcp
NL 35.214.149.91:443 x.bidswitch.net tcp
GB 142.250.178.2:443 cm.g.doubleclick.net tcp
US 8.8.8.8:53 s.company-target.com udp
US 8.8.8.8:53 s.company-target.com udp
US 8.8.8.8:53 sync-tm.everesttech.net udp
US 8.8.8.8:53 sync-tm.everesttech.net udp
US 8.8.8.8:53 cs-server-s2s.yellowblue.io udp
US 8.8.8.8:53 cs-server-s2s.yellowblue.io udp
US 8.8.8.8:53 sync.aniview.com udp
US 8.8.8.8:53 sync.aniview.com udp
US 8.8.8.8:53 ap.lijit.com udp
US 8.8.8.8:53 ap.lijit.com udp
GB 142.250.178.2:443 cm.g.doubleclick.net tcp
US 151.101.130.49:443 sync-tm.everesttech.net tcp
US 8.8.8.8:53 jadserve.postrelease.com udp
US 8.8.8.8:53 jadserve.postrelease.com udp
US 44.214.224.191:443 cs-server-s2s.yellowblue.io tcp
US 34.96.71.22:443 s.company-target.com tcp
US 8.8.8.8:53 bttrack.com udp
US 8.8.8.8:53 bttrack.com udp
US 96.46.186.182:443 sync.aniview.com tcp
IE 99.80.49.43:443 ap.lijit.com tcp
US 8.8.8.8:53 id.rlcdn.com udp
US 8.8.8.8:53 id.rlcdn.com udp
US 8.8.8.8:53 id.a-mx.com udp
US 8.8.8.8:53 id.a-mx.com udp
IE 52.211.208.72:443 jadserve.postrelease.com tcp
US 192.132.33.67:443 bttrack.com tcp
US 8.8.8.8:53 s.amazon-adsystem.com udp
US 8.8.8.8:53 s.amazon-adsystem.com udp
US 35.244.174.68:443 id.rlcdn.com tcp
NL 79.127.227.46:443 id.a-mx.com tcp
US 8.8.8.8:53 sync.a-mo.net udp
US 8.8.8.8:53 sync.a-mo.net udp
GB 142.250.178.2:443 cm.g.doubleclick.net udp
US 52.46.128.147:443 s.amazon-adsystem.com tcp
US 80.77.87.161:443 cs.admanmedia.com tcp
US 8.8.8.8:53 token.rubiconproject.com udp
US 8.8.8.8:53 token.rubiconproject.com udp
US 8.8.8.8:53 148.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 20.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 72.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 106.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 190.223.60.23.in-addr.arpa udp
US 8.8.8.8:53 101.238.202.149.in-addr.arpa udp
US 8.8.8.8:53 9.1.250.178.in-addr.arpa udp
US 8.8.8.8:53 90.8.184.185.in-addr.arpa udp
US 8.8.8.8:53 65.91.86.99.in-addr.arpa udp
US 8.8.8.8:53 117.174.228.46.in-addr.arpa udp
US 8.8.8.8:53 150.220.33.3.in-addr.arpa udp
US 8.8.8.8:53 68.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 168.189.213.52.in-addr.arpa udp
US 8.8.8.8:53 91.149.214.35.in-addr.arpa udp
US 8.8.8.8:53 63.112.202.64.in-addr.arpa udp
US 8.8.8.8:53 18.127.47.198.in-addr.arpa udp
US 8.8.8.8:53 2.116.221.54.in-addr.arpa udp
US 8.8.8.8:53 8.213.145.82.in-addr.arpa udp
US 8.8.8.8:53 98.50.22.104.in-addr.arpa udp
US 8.8.8.8:53 149.156.173.69.in-addr.arpa udp
US 8.8.8.8:53 170.55.17.81.in-addr.arpa udp
US 8.8.8.8:53 115.158.57.154.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 49.130.101.151.in-addr.arpa udp
US 8.8.8.8:53 22.71.96.34.in-addr.arpa udp
NL 145.40.97.67:443 sync.a-mo.net tcp
US 8.8.8.8:53 43.49.80.99.in-addr.arpa udp
US 8.8.8.8:53 72.208.211.52.in-addr.arpa udp
US 8.8.8.8:53 68.174.244.35.in-addr.arpa udp
US 8.8.8.8:53 191.224.214.44.in-addr.arpa udp
US 8.8.8.8:53 182.186.46.96.in-addr.arpa udp
NL 69.173.156.149:443 token.rubiconproject.com tcp
US 8.8.8.8:53 rtb-csync.smartadserver.com udp
US 8.8.8.8:53 rtb-csync.smartadserver.com udp
NL 89.149.193.105:443 rtb-csync.smartadserver.com tcp
US 8.8.8.8:53 id.rtb.mx udp
US 8.8.8.8:53 id.rtb.mx udp
US 8.8.8.8:53 ow.pubmatic.com udp
US 8.8.8.8:53 ow.pubmatic.com udp
NL 185.64.189.116:443 ow.pubmatic.com tcp
NL 79.127.227.46:443 id.rtb.mx tcp
NL 185.89.210.20:443 ib.adnxs.com tcp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 secure-assets.rubiconproject.com udp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 8.8.8.8:53 sync.aniview.com udp
US 8.8.8.8:53 pixel-sync.sitescout.com udp
US 8.8.8.8:53 pixel-sync.sitescout.com udp
US 8.8.8.8:53 pixel-sync.sitescout.com udp
US 8.8.8.8:53 player.aniview.com udp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 8.8.8.8:53 eus.rubiconproject.com udp
US 34.36.216.150:443 pixel-sync.sitescout.com tcp
US 34.36.216.150:443 pixel-sync.sitescout.com tcp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 8.8.8.8:53 sync.search.spotxchange.com udp
US 34.36.216.150:443 pixel-sync.sitescout.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 sync.smartadserver.com udp
US 8.8.8.8:53 sync.smartadserver.com udp
US 8.8.8.8:53 sync.smartadserver.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
NL 81.17.55.173:443 sync.smartadserver.com tcp
NL 81.17.55.173:443 sync.smartadserver.com tcp
US 8.8.8.8:53 67.33.132.192.in-addr.arpa udp
US 8.8.8.8:53 147.128.46.52.in-addr.arpa udp
US 8.8.8.8:53 67.97.40.145.in-addr.arpa udp
US 8.8.8.8:53 105.193.149.89.in-addr.arpa udp
US 8.8.8.8:53 116.189.64.185.in-addr.arpa udp
US 8.8.8.8:53 173.55.17.81.in-addr.arpa udp
US 8.8.8.8:53 150.216.36.34.in-addr.arpa udp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
NL 69.173.156.149:443 token.rubiconproject.com tcp
US 8.8.8.8:53 pixel.rubiconproject.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 ice.360yield.com udp
US 8.8.8.8:53 ice.360yield.com udp
US 8.8.8.8:53 ice.360yield.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 u.openx.net udp
US 8.8.8.8:53 u.openx.net udp
US 8.8.8.8:53 u.openx.net udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
IE 34.255.242.185:443 ice.360yield.com tcp
IE 34.255.242.185:443 ice.360yield.com tcp
US 34.98.64.218:443 u.openx.net tcp
IE 99.80.49.43:443 ap.lijit.com tcp
US 8.8.8.8:53 ap.lijit.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 34.98.64.218:443 u.openx.net udp
US 8.8.8.8:53 cm.adform.net udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 us.shb-sync.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 8.8.8.8:53 s.ad.smaato.net udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.2.110.33:443 us.shb-sync.com tcp
FR 18.164.52.4:443 s.ad.smaato.net tcp
US 8.8.8.8:53 185.242.255.34.in-addr.arpa udp
US 8.8.8.8:53 csync.smilewanted.com udp
US 8.8.8.8:53 33.110.2.8.in-addr.arpa udp
US 8.8.8.8:53 4.52.164.18.in-addr.arpa udp
US 8.8.8.8:53 161.87.77.80.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 80.77.87.161:443 cs.admanmedia.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 a0998438.xsph.ru udp
RU 141.8.192.6:80 a0998438.xsph.ru tcp
RU 141.8.192.6:80 a0998438.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\Downloads\ValiantSpooferPaid\valiantspooferpaid.exe

MD5 957ba1a651b750713d78d437ed8a3c7a
SHA1 14fdc69fc21dc9516931f5227d5d66ac1598c69a
SHA256 7b6a4e1d88e9c477ac1b77f3255a9daa54c083830ad81687cd45b2f237b8237c
SHA512 c1ee2c80192b3f6a501d9958f49565111bdd7ee962fd05e5aab6af5fffc8bb41fb11f56ad590d60915271ecf2e9f774dd58472b6431b9cbebebfc9596efc85b5

C:\msAgentServer\sFM4S27zDOBzhYps42TIAnTFMK8Zul.vbe

MD5 1ec6b23ee71cd4838514f2984cfbec8f
SHA1 0bdf20ddab114712d7b846535896ac7865a48401
SHA256 d1aebe6120e77195acccb1a39d91e079c83128b54b200d8aaf55e38c852a27ab
SHA512 d673e5ec51cc6ba73289bcc0d126653ce0e650f79bd119e83d68ddae012be40c4dd3793fa6e897b078365c0ce3c4f6efb1c331736ebd2f3b6873a662978dc736

C:\msAgentServer\7Hr4JaIGGzbo4YnxbteHZfQH0TIt.bat

MD5 e1f65135829b69dd7821d59410d13e2a
SHA1 24b0c9b6360afd46c770aec60807e4796bcd31fa
SHA256 addde1c2adf45d57e91d73e20f95087a07ef6f1b0287894a207f54ce57b841a7
SHA512 020241921bd533ef833ccc34a34f4404e2278e586168dc064b74827abf125640783e6b9d00318a955f4a525236d2540a26775b1a980c5be5f4137b79ba1aa985

C:\msAgentServer\Windrivercrt.exe

MD5 cc022adec49e3a4e30ef5a2574f06349
SHA1 2eb9f31932785a8c31bf505daff842749a34692a
SHA256 a931aa10f393de1169f4616686b3f02c3323f064be3edb69d160dc3e0fe67759
SHA512 7146be48b4ead35d0d1e150784ac2acfaaf14c7c04690f8059ad61787a0eec2bdd04ab84f45f76a5498c5aed80d14a244a7ca4f1781ba0424d8a5f828f80aef0

memory/6956-16-0x0000000000D60000-0x0000000000EFE000-memory.dmp

memory/6956-17-0x0000000002FC0000-0x0000000002FDC000-memory.dmp

memory/6956-18-0x000000001C1C0000-0x000000001C210000-memory.dmp

memory/6956-19-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

memory/6956-20-0x000000001BB20000-0x000000001BB30000-memory.dmp

memory/6956-21-0x000000001BB30000-0x000000001BB38000-memory.dmp

memory/6956-22-0x000000001BB60000-0x000000001BB70000-memory.dmp

memory/6956-23-0x000000001BB40000-0x000000001BB4A000-memory.dmp

memory/6956-24-0x000000001BB50000-0x000000001BB5C000-memory.dmp

memory/6956-25-0x000000001BB70000-0x000000001BB82000-memory.dmp

memory/6956-26-0x000000001C740000-0x000000001CC68000-memory.dmp

memory/6956-27-0x000000001C210000-0x000000001C21C000-memory.dmp

memory/6956-28-0x000000001C220000-0x000000001C22C000-memory.dmp

memory/6956-32-0x000000001C460000-0x000000001C46C000-memory.dmp

memory/6956-31-0x000000001C350000-0x000000001C358000-memory.dmp

memory/6956-30-0x000000001C340000-0x000000001C34E000-memory.dmp

memory/6956-29-0x000000001C330000-0x000000001C33A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\N2kvYgGXaz.bat

MD5 8c3b13d359bb173bb5ab1a3f0e64ce4a
SHA1 7be96cd1b1ecce693241c94451e50cef78669782
SHA256 c3cfc036cb03ba918900264a958892434d0ec34d296275f129230a5d79de53c5
SHA512 d2b11049081878f90fc9f1cc7e8c2170d5b547bdfa5f940752dd059cb63160de27b0131221c3d9422d44c6c9b3a8265f9c5bc9f7766fee76f1579c3b61ff9fb9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windrivercrt.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

C:\Users\Admin\AppData\Local\Temp\a95e41f4-e9f2-461e-bc97-edbe74c69a00.vbs

MD5 8ecbeb29643548c6d49cfcbae2c5e681
SHA1 59ed891b200f1cd678ec02c2ebd7c67244c6cc4f
SHA256 0481c32b420db2b67230872548832bce5e2a173b6dba47dfb7734df607956176
SHA512 34342885467a97f91435dd83e5d82ae0aa54916f4af9bb64b0c26a67f5e765df3de4fe85b72c77d62518d15ea28a5cd1db2f432e9bbf33422cbc541c7026fdb1

C:\Users\Admin\AppData\Local\Temp\6c53e1cd-0b14-4089-b381-1276ebbef57f.vbs

MD5 6af0004dc7b894ed9bc161e5c129dc5a
SHA1 567d65792f0dbf31a35ec0a60a94676e87c48d76
SHA256 b7346fe2e5d2b752a680d6824ddf873a9af357ac4b567361b8d3a2f048b89a4f
SHA512 0295a143d5844c0933753c14861433c85ec574a43b0adb64e32f88a0f5b528190258c1136337b64a66f252eb5ae7041cfee685429d7259c235659593d0f1609e