Malware Analysis Report

2025-01-18 16:08

Sample ID 241203-xmvhbatrbr
Target ab676161000051749ada1bd6edd3c5be101aae38.jpeg
SHA256 90ab33c550a9c69608e013d9b599f8acbfc41a813219c76b84f60695686b631a
Tags
crimsonrat darkcomet revengerat warzonerat guest discovery evasion infostealer persistence privilege_escalation rat rezer0 stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90ab33c550a9c69608e013d9b599f8acbfc41a813219c76b84f60695686b631a

Threat Level: Known bad

The file ab676161000051749ada1bd6edd3c5be101aae38.jpeg was found to be: Known bad.

Malicious Activity Summary

crimsonrat darkcomet revengerat warzonerat guest discovery evasion infostealer persistence privilege_escalation rat rezer0 stealer trojan

Revengerat family

RevengeRAT

Darkcomet

Warzonerat family

Darkcomet family

Modifies WinLogon for persistence

CrimsonRat

CrimsonRAT main payload

WarzoneRat, AveMaria

Crimsonrat family

Warzone RAT payload

ReZer0 packer

RevengeRat Executable

Modifies Windows Firewall

Sets file to hidden

Executes dropped EXE

Uses the VBS compiler for execution

Drops startup file

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Program crash

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-03 18:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 18:58

Reported

2024-12-03 19:07

Platform

win10v2004-20241007-en

Max time kernel

279s

Max time network

503s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ab676161000051749ada1bd6edd3c5be101aae38.jpg

Signatures

CrimsonRAT main payload

Description Indicator Process Target
N/A N/A N/A N/A

CrimsonRat

rat crimsonrat

Crimsonrat family

crimsonrat

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Writes ordered by the length of the value (the sandbox lists them in no particular order):

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe" followed by 4 to roughly 30 comma-separated copies of C:\\Windows\\system32\\Windupdt\\winupdate.exe (28 further writes, the value growing by one copy at a time) C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A

What these rows show: Winlogon runs every program named in UserInit at each interactive logon, so each path appended after userinit.exe starts in the user's session. The value grows by one copy of winupdate.exe per write. The first two writes come from Blackkomet.exe; every later one comes from the dropped winupdate.exe itself, which re-appends its own path on each run rather than checking whether it is already present. A UserInit value that repeats a single path many times is therefore a strong indicator of this persistence routine regardless of the file name used.

Two points to verify before relying on these rows as evidence. First, the value names C:\Windows\system32\Windupdt\winupdate.exe while the writing process runs from C:\Windows\SysWOW64\Windupdt\winupdate.exe. That mismatch is consistent with WOW64 file-system redirection, which sends a 32-bit process's writes under system32 to SysWOW64 on 64-bit Windows; the Files section should confirm where the dropped binary actually lives and whether the 64-bit Winlogon will find it at the recorded path. Second, the Process column names Blackkomet.exe under the Downloads folder rather than the submitted ab676161000051749ada1bd6edd3c5be101aae38.jpeg, and nothing in the signatures shown explains how that binary came to run; check the process tree in the Processes section before attributing the persistence to the submitted file.
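
Added example, not part of the report or of any vendor's tooling: a Python audit of UserInit values modelled on the writes above. It parses the comma-separated value, flags launchers other than userinit.exe, counts repeated paths, checks whether a series of writes grows by exactly one copy per write, and shows where a 32-bit writer's system32 path actually lands under WOW64 redirection. The rows it runs on are constructed here in the shape of the table; the path constants are taken from the report, the writer's 32-bit status is an assumption drawn from its SysWOW64 image path, and the doubled backslashes the report prints are single backslashes in the live registry value.

```python
"""Audit of Winlogon UserInit values, modelled on the writes in this report.

Added example (not from the report or the sandbox vendor). Sample rows are
constructed here in the shape of the report's table.
"""
from __future__ import annotations

import random
import re
from collections import Counter

# Stock Windows default for HKLM\...\Winlogon\Userinit (a trailing comma is normal).
EXPECTED = r"C:\Windows\system32\userinit.exe"

# Paths taken from the report's value and Process columns.
WINUPDATE = r"C:\Windows\system32\Windupdt\winupdate.exe"
IMPLANT = r"C:\Windows\SysWOW64\Windupdt\winupdate.exe"
DROPPER = r"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe"


def parse_userinit(value: str) -> list[str]:
    """Split a UserInit value into launcher paths, dropping empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value: str) -> dict:
    """Findings for one UserInit value: extra launchers and repeated paths."""
    entries = parse_userinit(value)
    counts = Counter(e.lower() for e in entries)
    extras = sorted({e for e in entries if e.lower() != EXPECTED.lower()}, key=str.lower)
    return {
        "entries": len(entries),
        "baseline_ok": bool(entries) and entries[0].lower() == EXPECTED.lower(),
        "extra_launchers": extras,
        "max_repeat": max(counts.values(), default=0),
        "suspicious": bool(extras),
    }


def effective_path(path: str, writer_is_32bit_on_x64: bool) -> str:
    """Where a file write to `path` lands. WOW64 redirects a 32-bit process's
    accesses under %windir%\\System32 to SysWOW64; the caller supplies the
    writer's bitness (assumed here from the implant's SysWOW64 image path)."""
    if writer_is_32bit_on_x64:
        return re.sub(r"(?i)^(c:\\windows)\\system32\\", r"\1\\SysWOW64\\", path)
    return path


def analyze_writes(rows: list[tuple[str, str]]) -> dict:
    """Summarise a series of (writer process, UserInit value) writes."""
    audits = [(proc, audit_userinit(val)) for proc, val in rows]
    lengths = sorted(a["entries"] for _, a in audits)
    steps = {b - a for a, b in zip(lengths, lengths[1:])}
    launchers = sorted({e for _, a in audits for e in a["extra_launchers"]}, key=str.lower)
    return {
        "writes": len(rows),
        "writers": dict(Counter(proc for proc, _ in rows)),
        "launchers": launchers,
        # True when, ordered by length, every write adds exactly one entry.
        "append_per_write": bool(steps) and steps == {1},
        "max_copies": max((a["max_repeat"] for _, a in audits), default=0),
    }


def sample_rows(n: int = 32, seed: int = 7) -> list[tuple[str, str]]:
    """Constructed rows shaped like the report: two writes by the dropper, then
    one per run of the implant, each appending another copy. Shuffled because
    the report lists its rows out of order."""
    rows = [(DROPPER if k <= 2 else IMPLANT, ",".join([EXPECTED] + [WINUPDATE] * k))
            for k in range(1, n + 1)]
    random.Random(seed).shuffle(rows)
    return rows


if __name__ == "__main__":
    print(analyze_writes(sample_rows()))
    print("file actually written to:", effective_path(WINUPDATE, writer_is_32bit_on_x64=True))
```

To run this against a live host, read the Userinit value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and pass it to audit_userinit; any extra launcher or repeat count above one is worth a closer look.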

RevengeRAT

trojan revengerat

Revengerat family

revengerat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
N/A N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Windows\SysWOW64\notepad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master (1)\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .." C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master (1)\\The-MALWARE-Repo-master\\RAT\\NJRat.exe\" .." C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Windows\SysWOW64\notepad.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt\ C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
File opened for modification C:\Windows\SysWOW64\Windupdt\ C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
File created C:\Windows\SysWOW64\Windupdt\winupdate.exe C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4376 set thread context of 3816 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2284 set thread context of 4836 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 376 set thread context of 116 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 116 set thread context of 2184 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 468 set thread context of 1648 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1648 set thread context of 780 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3424 set thread context of 4812 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4812 set thread context of 4616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1396 set thread context of 1804 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1804 set thread context of 2088 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A (21 identical entries)
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A (8 identical entries)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (3 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (8 identical entries)
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe N/A (17 identical entries)
N/A N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A (33 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: 34 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: 35 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
Token: 36 N/A C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe N/A
(the 24 Blackkomet.exe entries above, SeIncreaseQuotaPrivilege through Token: 36, are recorded a second time in the same order)
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Windupdt\winupdate.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 3132 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2396 wrote to memory of 1004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ab676161000051749ada1bd6edd3c5be101aae38.jpg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ConvertFromUnblock.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffed59646f8,0x7ffed5964708,0x7ffed5964718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5804 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,4439481029278017795,4893670426530931094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30D0.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C5A.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT" +s +h

C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe

"C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1)\The-MALWARE-Repo-master\RAT" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h9dab4iy.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc816E67323ACF4A62BCD7113A8ABBE77.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nmhmgrco.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB16A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9163FE6A496B4B2A8171689AEAD0829F.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5jddz2dy.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2E1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F1C3FC1C234C6BB6E9AAFA5FFDEDCD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pgulfdyq.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9664568527814192924490CDE8139D8.TMP"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l3w77z0u.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB591.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AAE748BB7724CEEABBE68AEE7983AD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tol3ulso.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB717.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BE80655C1F44010867648FD159C88A1.TMP"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plhrxx5m.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB969.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB401F77B224646C7A74BDAF250AC41.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fwpjp6ef.cmdline"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DB9CD4AA8C94D45B92B9850284CEA35.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3qdzcu0-.cmdline"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5188 -ip 5188

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2570CEA1D4E43BEBE849D6AD1D67AFF.TMP"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tiky86fi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C8EA0248E5948F793E5519AF9BAE33.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wyk21u65.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC204.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40BC2E0DDB904CA0803388FA42D24474.TMP"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6644 -ip 6644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b8flxycy.cmdline"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5140BFC5C2645E490482A249C3976D1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zqmmc0ww.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7036 -ip 7036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 160

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2EBC4211BCF440A49D58DEAE7FC59896.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uy4m5aej.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F260A4C16FD494AB23DD0DD82F9B9EC.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ifaxc1vj.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10CB569F867A4B7FAEE907271B419D.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\as7jetxq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB3C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc592CA24D364B4194A9C79372C9E16C0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gj70rp29.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D60A97EE07940C5B0E7F9ACD6D5139.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aajjyypy.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEB6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9814A8A028D94070A065C1AC87D59257.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qp4rqgd6.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD01E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D038C52AAB345F0A0122C605645E1.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3cnf-imp.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD250.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5604E4C8A59D42B7A01B5ACE3215ABBE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eygonjl3.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3755C77BE7AA437E9593962B7EA70C4.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8292 -ip 8292

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8292 -s 148

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8776 -ip 8776

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8776 -s 192

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 8704 -ip 8704

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8704 -s 416

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 10096 -ip 10096

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10096 -s 140

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 11224 -ip 11224

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11224 -s 416

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qvyxlui4.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES620D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5251B408C0BD4C06BE1D58B60881A8C.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7dwbd9u.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6559.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12738B642034B3AB36EFB12385D88.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krhozhn0.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES676C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B761006FDB04A73967B4DFA6311D21D.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 11840 -ip 11840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r23oh7ri.cmdline"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11840 -s 376

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1D6A0B9DD354182AFA7B0D979E35712.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\az8mwxsf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DA6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5041423CF0944A79CD6AF565A2BEC20.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a_giukjn.cmdline"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1C02DFE2A39438B828C9B90454CC980.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pstqrava.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7140.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED546828F4A49008ECDCD375DB2CDA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fcm7uyuo.cmdline"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D2FBF8E163C4275AF297B98133A893C.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hqyjze-b.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7557.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9C3CB872A67489EB66B67AD149DBDB.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zy8izdur.cmdline"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES773B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc901AE392F56D498BB465CB3E6287B265.TMP"

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 11364 -ip 11364

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11364 -s 416

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt" +s +h

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\Windupdt\winupdate.exe

"C:\Windows\system32\Windupdt\winupdate.exe"

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 b275fa8d2d2d768231289d114f48e35f
SHA1 bb96003ff86bd9dedbd2976b1916d87ac6402073
SHA256 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1
SHA512 d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 95dcbadcdba648acc0cc8ae5080fe261
SHA1 7632a8318ed0a60c3619988483e4d0cd74c430f8
SHA256 cc1152fb060333d035d7fcc384493d3df710c0245f44ace65ec3282653a6d88b
SHA512 9ebdbd6d4cc3102f3f11df7cd6c15bdb8bb18f7aa85164d4edde73079525c2322b0ba060c60a50de08989a069ee840ef51f4ead081e7459daf2e0885d9281d69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5846e7.TMP

MD5 a66b0c24b5fe54bf9db2c8df8b28bebc
SHA1 178a1d8b21374bb302a2fa604f2db0b876638f88
SHA256 552fb122813531e5862c0e1349636a1b410cbce43f886ad6256331d82203855f
SHA512 7f147abcc596d408439a34596fa8c58cfba632e61a7565a5f13cc19e171f073993bdf56299d92c1ee63d241b9d673fcc489cd97185856de2bef6c8298e647815

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e0afd26267fed14d63100852b8e10367
SHA1 1c8d6ff73f7773310de68e9932c747a226b98d76
SHA256 c114b43e8c9a39a914572f461463966c5fe64709a185d081216b73175c1e445a
SHA512 3bd70e83d646fea87a138b7792b5414def8600471199b8cca1ded8a156f083885d3591d81fed4b511fa14b13c2ca5ef3d557d9b315b23e7a06a8205e75ec7743

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 dcc13e096885e2192da2ddae75ba5b26
SHA1 56bf42f76e81ebdc98f418788d239e7fef36326a
SHA256 dd359fd72402c351b879f263e6fd703008e6d641776ee6bb46a853199173f725
SHA512 15a357ecefce6278417d0d7dd6359a39882178226dcae1bd6514594837be7fde8773fa944c35764cd0f6cbeb43303158a5cb0aef9e9445718eb6cc49b10676da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 4a6a239f02877981ae8696fbebde3fc9
SHA1 5f87619e1207d7983c8dfceaac80352d25a336cf
SHA256 ac546e02b937ee9ac6f6dd99081db747db7af6a4febf09cbe49e91452d9257b8
SHA512 783cf2ae4ba57031c7f4c18bdac428a1074bb64f6eb8cef126ad33f46c08767deeac51917bef0f1595295b9f8a708cb297b7cf63fc3f7db0aa4ac217ce10f7cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 a6dd8c31c1b2b06241a71e43a49a41a6
SHA1 dc871c551fa802ed8dfcc0e754b3d4d373fddd88
SHA256 0def324bda1cf4872a205e006d8fd6aafddb19880c1678bf66f18b304eeda99c
SHA512 f3437729f25077e830e5381e4468ce8222dc893ece8527159721f07e5f85977acde921af3d47ae07ac9f35e3ad06ae06faaa23d715a207d76ba6746c55aeddbc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 06b438d5e1a8ac9850ebaa924c67684e
SHA1 943849718ba03f7788c14ec43fb29cf503a0b0e3
SHA256 406f8ac9d271e8e74ff9b7dd5bd4f36d6782cd3d036fb9f62f8a252a6050f946
SHA512 0d21fe32b24b27807e96ef5c963dd1e78a89646638217c37ae0075689ad6f683895f942ae3d9b0542e74a9af22bb3756a885606c70d7ed351385bb2770533ee3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 22256a39137265de5999977301d59c9f
SHA1 45ba2aba4a663e98610ada3918a504a48f7f1832
SHA256 bcfee24d8918d8f10cb048b7182e71c7ef750dcdc7f3bbc9ed46f0b1d6fb8007
SHA512 3b0ab6b4c9aa458486a1fda5a8d57b07dede4dd8e2b24eaa225ba2086c56663e2015d3bd98b9c7585d4656003629548b43636d1e0ab603ae689abf315f2edc24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4b28072da6fcafdf10d2046109d25114
SHA1 e59176e9aeecd788ebde515e6167934b1c701fdc
SHA256 a471372413f471056c5f97becf44bd1c612f7a4a8e4c2ebd54ce64d1408d785b
SHA512 09c744ecdfffd6280a561a19c21cc1c367a7faa78dbbc74f006760e5c1bfa0cda6952c3b1cf107b66a993e3f9d17f9d3172d57af03519cb889e1e007536ae831

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f0ced44c61be500c254035785ef03741
SHA1 6caba673850981960f787927c54db88af9f8b51c
SHA256 3d91a297379d1264d5b1119e5298d2487227d712281124a28d3b3c516f2e82d7
SHA512 e56e24d6e85769dd4d5d43ac2b593e99d659676fc8b57b7d48183507c1c885dcb7450f3fa2214c07b2e755cf84f60fb3c45adccd40b3e2a2bff191a1e54186d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 68cf2d5444a47f65fc8bbbb644c29396
SHA1 413ceebb220dfcd3cb183447c1b9bc4aec9cb3bb
SHA256 3b7c3ff58db5a928101fbd51e04c6250c5ccfb1c286a61e82e5a0dc2f0ee9624
SHA512 43cc03c09b38217e81fb9695780c31f523bc5d65a7fe3b75f9d81a86da982e088343faaaa2a96545b9682441fc150e2da8b4b9774c5d2329003e459a49a09cf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 aa8f9e579874e0fa31161db427dc7a0f
SHA1 b87fc0c5b412a6fbc38a113836289df9d46475a0
SHA256 44ee8a74bdeae503cb4be319de74b55e806b12b02538e9086a12241a0c0d9671
SHA512 34715804c7f78e1174ecc24856b834d4cc089529713d9ede410423971ae4f26d29e2f461a65bb0920e2eda54923d4dd86996e8dff57b239f7d189ed26df5cbf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7a6d20fca4403269af821ea7031bad8f
SHA1 81a42239cf18c6305410346a7daf3a747828abbe
SHA256 caa6796998c28716666992bf7bb46266803806a67d367eaadde7b44d53c7a53f
SHA512 e93474c38bfa9010030dfa48ec0dcd2e2f3dc25b16696b0c5d444366468c7de07a99baf1116624f139cbfd4d152c7b0757a7a7bae8028c899cd67ef0568e035b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 188a456ef03c3a1056f5a1fad8f37b61
SHA1 490bf07be8e9b9083d40f48bbc5a1cbe53b4be92
SHA256 c4d4d8d3201fbab436472a2945fb81ae4c78db2af9e0b70cff319d9245350335
SHA512 07634ed6399246f464d740afca036698d0fb0a0efc43d46ff48aa4ab91ecb7acc83fff61d08a0ce9f127adaedfe3408ca995c06d2c29638952a93274e02f5abc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 331fb05c69d96623d2abe5f33c0076f3
SHA1 baa3076ca3514f8db99d0ec2c2c996864877361c
SHA256 bce437f936d11ca642ec429b96cf28670f95e11baa858c6ae32fd2a14ed52cec
SHA512 a196eef4a6c19223aa350104a5f8e818511a60328ad5bd7cc34605c9be904d36e276ebdce8ef33927f0220e471e8b50728a2074df0e79524df107761543ceade

memory/4376-798-0x0000000000F20000-0x0000000000F76000-memory.dmp

memory/4376-799-0x0000000006170000-0x0000000006714000-memory.dmp

memory/4376-800-0x0000000005D60000-0x0000000005DF2000-memory.dmp

memory/4376-801-0x00000000058D0000-0x00000000058D8000-memory.dmp

memory/4376-802-0x0000000006720000-0x00000000067BC000-memory.dmp

memory/4376-803-0x0000000006090000-0x00000000060B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp30D0.tmp

MD5 1118048f2edd5c51379c845045dd864b
SHA1 ce9b139e9cb500e26b9264066aefabc311c63d1a
SHA256 3b4432d624f03b8573061e87d99dc2f4a31ed95ebbeb19a10c2ea4a1c5e6dcb7
SHA512 af0ab81c5cfd004157663d90f914fa64dd723351ddbf44e9a20c4842eaec6a7b83623d700535a0fd6749c70a103677008dbda138c3ec05054537fbe2f1f8275c

memory/3816-809-0x0000000000400000-0x0000000000553000-memory.dmp

memory/3816-811-0x0000000000400000-0x0000000000553000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WarzoneRAT.exe.log

MD5 8cf94b5356be60247d331660005941ec
SHA1 fdedb361f40f22cb6a086c808fc0056d4e421131
SHA256 52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
SHA512 b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

memory/376-817-0x000000001C4C0000-0x000000001C98E000-memory.dmp

memory/376-818-0x000000001CA40000-0x000000001CAE6000-memory.dmp

memory/376-819-0x000000001D100000-0x000000001D162000-memory.dmp

memory/116-821-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2184-822-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

MD5 94ff9db8fb134d994a08e71579547083
SHA1 ac9a6dbc380bf41e454fecf30eef0ddf7280a9ec
SHA256 f3bddac056ae9c288838f37be8480f08a19fe5a86abb27898fa9d0d06c60d911
SHA512 6ca082b7d44bbd78070d917f48fe91cacb92b24a43793e52f5bee44daa5bea1bf7adb75d8df9ad8742a6dd33950231501c5b8fc1e85042542de2f25fb721c3b0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

MD5 50dec1858e13f033e6dca3cbfad5e8de
SHA1 79ae1e9131b0faf215b499d2f7b4c595aa120925
SHA256 14a557e226e3ba8620bb3a70035e1e316f1e9fb5c9e8f74c07110ee90b8d8ae4
SHA512 1bd73338df685a5b57b0546e102ecfdee65800410d6f77845e50456ac70de72929088af19b59647f01cba7a5acfb399c52d9ef2402a9451366586862ef88e7bf

memory/3536-839-0x0000029F6B110000-0x0000029F6B12E000-memory.dmp

C:\ProgramData\Hdlharas\mdkhm.zip

MD5 b635f6f767e485c7e17833411d567712
SHA1 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA256 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

C:\ProgramData\Hdlharas\dlrarhsiva.exe

MD5 64261d5f3b07671f15b7f10f2f78da3f
SHA1 d4f978177394024bb4d0e5b6b972a5f72f830181
SHA256 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA512 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

memory/1320-870-0x00000272C3810000-0x00000272C4124000-memory.dmp

memory/3028-873-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

C:\Windows\SysWOW64\Windupdt\winupdate.exe

MD5 c7dcd585b7e8b046f209052bcd6dd84b
SHA1 604dcfae9eed4f65c80a4a39454db409291e08fa
SHA256 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512 c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

memory/5052-903-0x0000000000460000-0x0000000000461000-memory.dmp

memory/4768-905-0x0000000013140000-0x000000001320F000-memory.dmp

memory/3276-909-0x0000000013140000-0x000000001320F000-memory.dmp

memory/3960-914-0x0000000013140000-0x000000001320F000-memory.dmp

memory/3772-919-0x0000000013140000-0x000000001320F000-memory.dmp

memory/4988-923-0x0000000013140000-0x000000001320F000-memory.dmp

memory/4784-927-0x0000000013140000-0x000000001320F000-memory.dmp

memory/1572-931-0x0000000013140000-0x000000001320F000-memory.dmp

memory/3004-934-0x0000000013140000-0x000000001320F000-memory.dmp

memory/3032-941-0x0000000013140000-0x000000001320F000-memory.dmp

memory/1648-942-0x0000000013140000-0x000000001320F000-memory.dmp

memory/1804-947-0x0000000013140000-0x000000001320F000-memory.dmp

memory/1572-951-0x0000000013140000-0x000000001320F000-memory.dmp

memory/5168-955-0x0000000013140000-0x000000001320F000-memory.dmp

memory/5304-959-0x0000000013140000-0x000000001320F000-memory.dmp

memory/5600-962-0x0000000013140000-0x000000001320F000-memory.dmp

memory/5796-971-0x0000000013140000-0x000000001320F000-memory.dmp

memory/6028-979-0x0000000013140000-0x000000001320F000-memory.dmp

C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 da2736cd08fb510aa290a3b297ada28f
SHA1 5414f252e482e1cb14e9a0069a67829ebe43e680
SHA256 577c112c1e57f0b9b5eabcb73dcb9dc29fbc0d3be7b947aeb75c0517e0babecb
SHA512 99879cff07e193f259d3f643f8d7486bc394f77978e8409a7c3ca127e1785475bba34236f23964dde9a8d0bd071ac2827e7f1276a748deba4edc44a2b432ae00

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

MD5 1d9045870dbd31e2e399a4e8ecd9302f
SHA1 7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

C:\Users\Admin\AppData\Local\Temp\vbcD1D6A0B9DD354182AFA7B0D979E35712.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\vbc5041423CF0944A79CD6AF565A2BEC20.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\vbc6D2FBF8E163C4275AF297B98133A893C.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b17a3c504050ac56cec82aa665645dd8
SHA1 883a073131c55ec18de18d772cad5f5a04daf436
SHA256 6e89eafe70bb1f57fa41b987dd34ded2435ef3c980fde4b0cf5b8d15dc21f7e4
SHA512 85025c561b6a842104e0d79becc73e1dbd332c4ce60971ce44a938ce98a4fbe636e8e2dfca9b42d0d83592fc2f47d6d1d89ced43978b0e7e03129c4b5227456b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fe74c56de32e6d8a0a53f2cc024aedfa
SHA1 682470a77277ecade6589ac53ad1c7b77d33e0b9
SHA256 ed0536d3f33163c86a8081d545d29df01bb99700fabe53400834c963b29f0260
SHA512 e05abd0bcf770127b7acdcf01c7208b2e70afe67728cd5c28c8d55c55e40cae7f44844e54e4eebf6da118e5062e80e996b005175ba829d2b5fb774b465195ccb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c108a86b7ac76c683e6938cc9aa7bc41
SHA1 cd96d4774f5a74247764f604435f25e82a80e47c
SHA256 861556018725e0501f6dd108ad1c5987fb2b6eec2dcb7f32caffc6f10c52347f
SHA512 25b53b36a04cd16b4552ccd6f4b01d0a301f648069775476ad12c00b322076ceaf6eb5a56abffe2feba5eaf80d5a132e44511fa1c257fccd13bf340e4b017eb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8ac7669616186fd1b5a27166fe981716
SHA1 31ac9c5e18c9805af766d59eef831346cf8bb427
SHA256 7117ae9b978a4f53cf3c696599a73ea6bcf9bce32162d3be0667e24a61c3a51a
SHA512 db403470a556c020d7030c224361ab8a32dda0391c039bb37c7a25f391dd1f2637f05e69ca7bcddc57169d41e83b1eaf8e3837784d88cebbf680493a3569a916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4062611c0fd01c3827cde0ee4dffda5a
SHA1 f35c0c0310a099ce3edcd7ae57492a437bb7cbae
SHA256 ab01c049b4122646673b3133b5373997b14d176214be886eead20fb55e721754
SHA512 ed4f2de9b1cfc2380a8bb4457d0240b2ffc7f3748ced202aa0dc7fac9a3e778d6479439cb3f86ac8f9b5563a65dd8443094b08564b3615b6d8a96136ed947d3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6f03ebd860b029ea7598384f6ddd8ad3
SHA1 713057171bd99326458c4095dadee467c55d1211
SHA256 8e5a923665ea3fd267c33061427779e8d9c3adad6aa4c09d783878e7b9339a5b
SHA512 09f60aabaebb905a4bad87a823ec95e69acb5afbf5bf5c2570e42a70bac087c2165b14fe717c4bcbe763667d40190b61bf8c16f4f77c7b5d45dbe34e2d1a25fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000d

MD5 8feb503d057a1dfc7121b0aa2c7cc10f
SHA1 0d25b47e8482de37b7f615205b8a45162e1049d4
SHA256 e816b1086f600fa2096189c847f34de90dabd33b899de28ce199682eaf17c713
SHA512 a193f820d8719a47d6f52ff9ff2bf76c27ea3611e87a582543c8a55595af25cb3d1bb00913f8c2a4f2ed027ea2749717faf84d75e887f32610dce4d6ce105595

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000009

MD5 fc97b88a7ce0b008366cd0260b0321dc
SHA1 4eae02aecb04fa15f0bb62036151fa016e64f7a9
SHA256 6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e
SHA512 889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000b

MD5 913728da90cf90d8e78af59c60b47c3d
SHA1 f42f2a545d4fcaf4f76d0f060f52e33a47df7f1e
SHA256 b0b478f9aa6aaf8d5811e296047ae1f8ee07f4c4998fe9d7b960755ea1fafb82
SHA512 3af86e053dd56aef03e6f967a49b1a0d492616a71e2e49090e0c8e5cbe58ff37ccc55e91f06bf34096059a49f3de84b0bca587f3f17c366f97c0f7a0fd17c974

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 dc1f5f6f4dc970ae75caa1be095ab183
SHA1 57c5c76390c895249ba946bcde952dd36589df2d
SHA256 afe4e889efcdc65a79371cca23510d8e1ba86dc13c6329b902a34059689c9772
SHA512 b5e1ad79c9d5f84107f871e85b5798242a140fc9f818d242e49e02620c29e4f40c71f553e1dc2dbf0e9eb9294076c9852ffcba7f9d3255e69a8a51f54ec6fda8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

MD5 1ac9e744574f723e217fb139ef1e86a9
SHA1 4194dce485bd10f2a030d2499da5c796dd12630f
SHA256 4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e
SHA512 b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

MD5 d22cb8682c6c279a568ed39bdc634f0f
SHA1 677360e899085b1fe7af0098575842261a6d854a
SHA256 78b575d52c9342adcc7b89ee8545e0577169b0d520a9924c7d53bc3587b240e0
SHA512 2ad0f705556abae3edb620d4370c1e72c749935d6ec079a10272ba2cbfe42d06a67f6fa1c3d80755aef9419391f701e98d479e946708e26980497f438b154ce8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

MD5 a33b3a3fdf5161be5bd861804961f557
SHA1 68a57897f1686a3e62ce9808165e18f31661d077
SHA256 ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560
SHA512 c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

MD5 cee822f498eedd3a752cb16a76e4ed99
SHA1 bec6f9c9325134c983a82a16f5bafdd33a9ad84f
SHA256 dae2b9c7bddd3688303dc6a3a9cac80e444c71074bc0986f90f8356ec6a5463c
SHA512 2f55348944aa090fc754d4cf3e66fdc4816b493fdabdd909b3ecab98ade9b00711dd4ed1005d1229ac813f15abdc622fe6bdee948e8c2e846efbe7e3d2e92df4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

MD5 8df8b77bcc513cad9526df782b4cf1d2
SHA1 09b1c7901125158acaaff9e69a7e7ed2c8ec03c7
SHA256 8ec948470cf86e5ed8d1870ef050b7a32c23c994e7f32cffe646a23d3ce1d0ea
SHA512 d551927c245e22022fd23a419e2e238f6723066ed0d6eabcb8574a6f171c328da50be8cadb716b63ea4e798909d311ad993f11e2b012302c17a360e10c01be1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006

MD5 c97f596ec81f8f81efa6a914b735fc55
SHA1 ad0fa14d4a6610a0883c05f3b4cb737d7ede3cda
SHA256 c8aef0e56b54fafcca28e5fa4af3c4e993c1d62bf47c28998c80d017e16996c8
SHA512 36cc7063bce9f2cde27430ac473752528ae0a7d1b4dfa2a3de2247f05882edad8a8928066f21b15bb27cf1a21592a71b9764133981621ba41bf12129cf285f45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

MD5 009624665e45fdcc351a1a85bed095f5
SHA1 174fda5a4f87ad3a2c981565d1790129e6e5824b
SHA256 e2df64eef859783975a2028474d42e7c57f6b6e0936fd1261a15de513b37ff34
SHA512 fd0e47ccf8c8905b50ca94f9fd027a25f5fd65e6eb47f6d6c650dd86b1c238181b40e5f6aab66ba9f313e828d302a559012e8818a7aa20cb2afa67fe13d742d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 329707077ac708cd5c94cab754b3d446
SHA1 e9ba3c6687f66b50a67d44b584f6e94e35958d72
SHA256 3742789eee807084fec872c94d3f7154bf85fe4de5e41a8b212491d129aaf2a2
SHA512 a2dd3a52a43d761ed2da062147e83e81a79c15cc4d2cd52e0f015e1085ebb56419086c80142802812b4d8f68b23a492c9fbd08872f3ec981787e33412291f8d5