Analysis Overview
SHA256
e59cbc05af015b2e6c083703a60f931b88e931f14cc9c97c401d4f72fc14e1ec
Threat Level: Known bad
The file forge-1.21-51.0.33-installer.jar was found to be: Known bad.
Malicious Activity Summary
Crimsonrat family
UAC bypass
Process spawned unexpected child process
CrimsonRAT main payload
CrimsonRat
Modifies WinLogon for persistence
Blocklisted process makes network request
Sets file to hidden
Modifies Windows Firewall
Executes dropped EXE
Uses the VBS compiler for execution
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Checks computer location settings
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Modifies registry class
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
NTFS ADS
Suspicious use of FindShellTrayWindow
Runs ping.exe
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-12 14:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-12 14:43
Reported
2024-12-12 14:47
Platform
win7-20241023-en
Max time kernel
217s
Max time network
218s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.21-51.0.33-installer.jar
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7399758,0x7fef7399768,0x7fef7399778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fba7688,0x13fba7698,0x13fba76a8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3756 --field-trial-handle=1220,i,10629069375027233426,10089638318376632142,131072 /prefetch:1
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.0.830016440\802349626" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43ae23a-2cc4-423a-b811-3721e9a64486} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1296 121f5258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.1.363988398\1787794496" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d805c963-a589-421d-9401-0af17a895638} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1488 d6fb58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.2.251255850\1538703836" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb04e284-0bc2-4dea-a3fc-de8a2f64ca94} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2112 1a65a258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.3.2021710590\632949437" -childID 2 -isForBrowser -prefsHandle 1648 -prefMapHandle 1644 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb486da1-f80a-4420-8f67-0d735be1962f} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 636 d71c58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.4.78318728\194308279" -childID 3 -isForBrowser -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {161dfe25-8b0e-4aba-8291-d9885b7fd453} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 2556 14d04158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.5.1079334723\1080219797" -childID 4 -isForBrowser -prefsHandle 2996 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a878a5c-e3ed-4e7c-841f-aba9ac482f79} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3820 1ec8ff58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.6.1980064115\1469742586" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a274d8a1-41ed-460b-a73a-5fcf4221437b} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 3920 1ecfc558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.7.1899973586\755597628" -childID 6 -isForBrowser -prefsHandle 4136 -prefMapHandle 4140 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {652964f5-584c-4867-851e-a445675e6fa7} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 4128 1f87ee58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.8.1272568319\400070812" -childID 7 -isForBrowser -prefsHandle 4408 -prefMapHandle 4412 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {488fc3cc-9bed-47cb-8231-a705615b3672} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 4404 1e882b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2628.9.286875023\882231530" -childID 8 -isForBrowser -prefsHandle 1112 -prefMapHandle 3020 -prefsLen 27487 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5313cbcc-3c68-4e87-b403-1ba2dcfe6989} 2628 "\\.\pipe\gecko-crash-server-pipe.2628" 1124 1fd78758 tab
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /watchdog
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ-virus-main.zip\MEMZ-virus-main\MEMZ.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| FR | 142.250.179.106:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| N/A | 127.0.0.1:49419 | | tcp |
| N/A | 127.0.0.1:49426 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| FR | 216.58.215.49:443 | csp.withgoogle.com | tcp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | csp.withgoogle.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| FR | 216.58.215.49:443 | csp.withgoogle.com | udp |
| FR | 172.217.20.202:443 | ogads-pa.googleapis.com | tcp |
| FR | 172.217.20.202:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| FR | 172.217.20.202:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 216.58.214.174:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 216.58.214.174:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| FR | 142.250.75.238:443 | consent.google.com | tcp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| FR | 142.250.75.238:443 | consent.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| BE | 108.177.15.138:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| BE | 108.177.15.138:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 140.82.112.21:443 | glb-db52c2cf8be544.github.com | tcp |
| US | 8.8.8.8:53 | glb-db52c2cf8be544.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| US | 8.8.8.8:53 | codeload.github.com | udp |
Files
memory/2596-2-0x00000000027D0000-0x0000000002A40000-memory.dmp
memory/2596-11-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2596-12-0x00000000027D0000-0x0000000002A40000-memory.dmp
\??\pipe\crashpad_2904_SXBBCCYHBESAYFVH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7ff0d928dd876d8813d89e80318b99eb |
| SHA1 | 8c1c054847f240a08d2125d9404ff5e1fc4ecd4c |
| SHA256 | ee10262ef4b468c245942650c4fb5f6331917f1c81892c88d7c615698e3ba329 |
| SHA512 | f74b61b436850470180b687e63e77db1b7b142e752ef15d850051d9148f2d6df15a2f8f4a2e0510dab15d03de36a0020965f581bbe063d41893cc9323212a9b3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a1dc9b7b27ff73d63bb415e5ea6bb97a |
| SHA1 | 37111551539b4d6e218af9b9aab4b69b05ae455d |
| SHA256 | 729ca034ddd29f1ffc246ede277d0970d2f714820eb4c8a5397d0359509dc82f |
| SHA512 | 1a5c5c3b1473d84da396644926517844712ad1fd51ce240305a80618d280f92fd41f26b8731acbf19c641bff2c0a018ecc0e43164129075d73f5fa699402d5c6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5641235b-0a37-41a3-bc5c-f13cf3322d51.tmp
| MD5 | 62ccb898797bc440d212e132c0167415 |
| SHA1 | 4f32ce1551897cc698cabc4247de6fba68514390 |
| SHA256 | f746202a093f231e3c98df9b0cea975014aa4bc2f86a63801a1cc01b2e169a3e |
| SHA512 | 6b9732fb34cdf699e6e2fad08d4479e092920ce212db5bdc200aba7f269f78ba79864baf616b9897f906f34758bdc6ecca1479902df3afbe1fed07c272f9fd01 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 2f3e7bf45958d565ba38ae5df6204dd3 |
| SHA1 | 23484958204678930d7e9ff46d75510cadf86056 |
| SHA256 | c123097ed629721d3208f4e13512c7b23b03a8180a1a9ec7fb65c5c8bcf5b93f |
| SHA512 | 316c59254258ec20aeb20d225d4b3606ea90412b193cde64b76df6783bd856f080945c45dd41f67394c2eba0b3af8e1425bd17b9697fa03a6a093384667b8a18 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\983a93d5-472e-46ec-b537-e13c46953d80
| MD5 | 3cdcb9f4f7a2a754307a14329ca06f72 |
| SHA1 | 464798f566a7c459e5df15012a54718ce371cfb3 |
| SHA256 | 00b9ecdd2d85259b4080fabb70bfd9d9705b9d4bd17c40f0b9bcabea9849ee62 |
| SHA512 | 9b5d239c92a291854c34c5730e45f2d778ea6bc7d6891b5812fd9af7a86c058deef9ca75f632d301429afe820f2c4d77c00184e535208073e20f0ebfead3dc37 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\859234ce-8819-4940-898c-a035eb917ab7
| MD5 | 4d96e145211c16efd5f61764d7148de1 |
| SHA1 | 203658aa65bb00ccbdf9c1ffafedd7c4dd22f8b2 |
| SHA256 | 8d99b6455b117e5a38b2ef941912187feb050adcf1a83b51ccf7d0a2dea5af36 |
| SHA512 | 852cf81cdb222e48b9dbdd9364c6631a78e742471ef87b05ea85de413877e91b05d3ae2d4b8d8de8e1d7c7fa2b34102b95c712b6d95d5701c80acbc5305822a7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | d86ab13d18e0b465f58631ade1c2981d |
| SHA1 | 2e0226a50ba3580d52dd6eeca7e6dff17cfe7a6d |
| SHA256 | f07aa26f8801d6a723ca009a159fccda32fa6e6fda2d9c60ca75262c4adc377b |
| SHA512 | b2dccc803f62354a616b76b1dce886ea3754fa2d20b81b163999005366aca0750cbe433f842fbf15dcba2b26f5e04d5af505ec1ec7e18f755e1ef229ee819bde |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-12 14:43
Reported
2024-12-12 14:53
Platform
win10v2004-20241007-en
Max time kernel
471s
Max time network
595s
Command Line
Signatures
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
Checks computer location settings
| Description | Indicator | Process | Target | Count |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A | 28 |
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target | Count |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\notepad.exe | N/A | 29 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A | 28 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe | N/A | 1 |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat" | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat | N/A | 1 |
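The Winlogon UserInit rows, the EnableLUA row under "UAC bypass" and the Run key rows are the registry writes a responder would turn into a host check. The Python below is an added example, not part of the sandbox report: it parses rows in the report's `| Set value (...) | key = "value" | process | target |` layout, splits the UserInit list to count how many times a non-default path was appended (the report's successive UserInit values show the same path appended on every run of the dropped binary), flags EnableLUA set to 0, and extracts Run targets. The sample rows are constructed to mirror the report's entries, with a shortened SID. One caveat is encoded in `on_disk_candidates`: the registry values name `C:\Windows\system32\Windupdt\winupdate.exe` while the file events show `C:\Windows\SysWOW64\Windupdt\winupdate.exe`, which is what WOW64 file system redirection does to a 32-bit process writing under system32, so a hunt should check both locations.

```python
"""Audit sandbox 'Set value' rows for logon persistence and UAC tampering.

Added example; SAMPLE_ROWS are constructed to mirror the report's entries.
"""
import re
from collections import Counter

# Default Winlogon UserInit content (the OS writes it with a trailing comma, which split() tolerates).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# | Set value (str) | <key> = "<value>" | <writing process> | <target> |
ROW_RE = re.compile(
    r'^\|\s*Set value \((?:str|int)\)\s*\|\s*(?P<key>[^=]+?)\s*=\s*"(?P<val>.*)"\s*\|\s*(?P<proc>[^|]+?)\s*\|'
)

SAMPLE_ROWS = [  # constructed; SID and some paths shortened
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | C:\Windows\SysWOW64\notepad.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | C:\Users\Admin\AppData\Local\Temp\Remcos.exe | N/A |',
    r'| Key value queried | \REGISTRY\USER\S-1-5-21-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |',
]


def unescape(text):
    """Undo the report's C-style escaping: a backslash-pair becomes one backslash, \" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_row(row):
    """Return (key, value, writing process) for a 'Set value' row, or None for any other row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return m.group("key"), unescape(m.group("val")), m.group("proc")


def audit_userinit(value):
    """Count every non-default entry in the comma-separated UserInit list (path -> times present)."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return Counter(e for e in entries if e != DEFAULT_USERINIT)


def on_disk_candidates(path, writer):
    """Paths to check on disk for a value written by `writer`.

    A 32-bit process (one running from SysWOW64) has its file writes under
    system32 redirected to SysWOW64, so the literal registry value and the
    dropped file can disagree, as they do in this report. Return both.
    """
    cands = [path]
    if "\\syswow64\\" in writer.lower() and "\\system32\\" in path.lower():
        i = path.lower().index("\\system32\\")
        cands.append(path[:i] + "\\SysWOW64\\" + path[i + len("\\system32\\"):])
    return cands


def audit_rows(rows):
    """Return (rule, detail, count, writing_process) tuples for the rows that matter."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        key, value, proc = parsed
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            for path, n in audit_userinit(value).items():
                findings.append(("userinit_append", path, n, proc))
        elif k.endswith("\\policies\\system\\enablelua") and value.strip() == "0":
            findings.append(("uac_disabled", key, 1, proc))
        elif re.search(r"\\currentversion\\run(once)?\\", k):
            findings.append(("run_key", value.strip().strip('"'), 1, proc))
    return findings


if __name__ == "__main__":
    for rule, detail, n, proc in audit_rows(SAMPLE_ROWS):
        print(f"{rule:16} x{n:<3} {detail}  (written by {proc})")
        if rule == "run_key":
            print("   check on disk:", on_disk_candidates(detail, proc))
```

Feeding the report's actual UserInit rows through `audit_userinit` gives the append count per observed value; a count above one for the same path is the signature of a dropper that re-registers itself on every execution rather than checking whether it is already present.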
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target | Count |
| N/A | drive.google.com | N/A | N/A | 2 |
| N/A | 0.tcp.ngrok.io | N/A | N/A | 4 |
Drops file in System32 directory
| Description | Indicator | Process | Target | Count |
| File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A | 12 |
| File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | C:\Windows\SysWOW64\notepad.exe | N/A | 8 |
| File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A | 13 |
| File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | C:\Windows\SysWOW64\attrib.exe | N/A | 11 |
| File opened for modification | C:\Windows\SysWOW64\Windupdt | C:\Windows\SysWOW64\attrib.exe | N/A | 13 |
| File opened for modification | C:\Windows\SysWOW64\Windupdt\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A | 6 |
| File opened for modification | C:\Windows\SysWOW64\Userdata\Userdata.exe | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe | N/A | 1 |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 8032 set thread context of 8308 | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
| PID 8308 set thread context of 6628 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\notepad.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\Windupdt\winupdate.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\forge-1.21-51.0.33-installer.jar
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb920746f8,0x7ffb92074708,0x7ffb92074718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6020 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,9972979228206140134,15746891276980870447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CobaltStrike.doc" /o ""
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.doc" /o ""
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NetWire.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x418
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\Remcos.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA0D2.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\Userdata\Userdata.exe
"C:\Windows\SysWOW64\Userdata\Userdata.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hwrq-pzp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF366.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc112A9205737C4589B18DD4CABA681DE1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tzegwxqr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF76E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25D092DD15EF4AD78234B53D7FFFA6F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dluvkr--.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF962.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3148BE35A6574A64BBD2D47773AB38B2.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v0dye5e4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB958B36D62784BBCBD511E5F068D7D8.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hz2juq3u.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEFF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA22F0FA67B7B4E0A835FD4796C59DBB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yes2sl1p.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CE329F22B874550BAA887F65879A95.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2dksz1n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCE1CB60DA9A43DAB63D4973DD10DC81.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agqmdnwk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0986313E04B4D3CAE80873D75F1C33.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rssmufhw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E0B3F0B4FA84FFFA5D4C972B3C7A62D.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtuxmcza.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48493F024E9442B5BF559CA4052DEE9.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v4scleom.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D17DC2139B44AA380F72780CFA6F2FD.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7k42j_og.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1229.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E3A134B9DF4AAD8A871F50BCD563C1.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kokupz2j.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9FDEB1914D8403BA6AFA8FFE572765C.TMP"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sjbwpxhc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc491571CD1C747CE85EC49C65A5375B.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uli8g3z_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B70.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc81DD5E394A644757B7198E25524B1F.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-gcexdih.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BD25BA752E84CD09D8BEEFE6281E83.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ih_kx1zg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F97.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFBC724754AA4683BEB0FDFFFBEE5AD.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igzoe0s2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20FE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD70CC559CCA144D99E62D869E5F7BF1A.TMP"
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rhsrg5nm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc37C30C95821D422BA58616F1A89B19C5.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wuxp2wok.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2525.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EC1C46F6AD74FDA9CB1879A447F4630.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jtcxqntb.cmdline"
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2738.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73A9159A87734932BFD1D4D482BF954.TMP"
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 536 -ip 536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 188
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
notepad
Network
Files
| SHA1 | 0e6628997674a7dfbeb321b59a6e829d0c2f4478 |
| SHA256 | df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3 |
| SHA512 | af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | b275fa8d2d2d768231289d114f48e35f |
| SHA1 | bb96003ff86bd9dedbd2976b1916d87ac6402073 |
| SHA256 | 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1 |
| SHA512 | d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 2e86a72f4e82614cd4842950d2e0a716 |
| SHA1 | d7b4ee0c9af735d098bff474632fc2c0113e0b9c |
| SHA256 | c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f |
| SHA512 | 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5fff922aa8f07e4e5372ef94135d92ed |
| SHA1 | 9ca50dd066a73064cd497d4db9d81cce3c48dfc1 |
| SHA256 | 3101fc3a172dd3ea480689b849ba178260007f78f4ded990902b1d4a3d5c12a1 |
| SHA512 | 55f389ad911204feaa21b177ffd8b7622d300b6d1512dd184af21403514a62c178b10155389daaa8c85d14c93e3b27daa2e2f2afe85e85b86296734f599f33a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 23c881bd9ff24ec1e1c1388e1967d94d |
| SHA1 | cf340b91392671812c5d68f70a32b8b0768f4c75 |
| SHA256 | 60eb6975421a62b21622524ea781e64e7892294e65056ad6ca7766e1362b7156 |
| SHA512 | 5694ab40278f68cd46d12a39fd7c7883cb1268b9896f3f09a8283db4a4070147f7970f18902885b119848f532d04f662fb44ab8ad5a7cd47a473578a692da7f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 9f96d459817e54de2e5c9733a9bbb010 |
| SHA1 | afbadc759b65670865c10b31b34ca3c3e000cd31 |
| SHA256 | 51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609 |
| SHA512 | aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
| MD5 | 5dea626a3a08cc0f2676427e427eb467 |
| SHA1 | ad21ac31d0bbdee76eb909484277421630ea2dbd |
| SHA256 | b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6 |
| SHA512 | 118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3a643ac132cf0be034a2ebb800028562 |
| SHA1 | 816a9031c94961a34f13ab79947df27dd217b022 |
| SHA256 | e3ddaac42a5a01c5a5cdb6f174d798c208e7271bde623c5668ab84571100997a |
| SHA512 | 4b46518dd73811240168c16eeb8624d0e27dbfc8bcfccb1ff3ce11fa210cd019f10daa094f714fe485975fe466ae2ca26835e78d1034b7561f4fa50112d0d93c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b60f9.TMP
| MD5 | a63651c09913f3aec561ab76d2fd2a59 |
| SHA1 | caa08cb65b6153e9dd4d034ef68c9a7fbee4a8bf |
| SHA256 | 155fa0b2fc1608808ba0a81ba9cd5e70de6fc4786892d92d291b16bebb645eba |
| SHA512 | 3b0e3989db28d7fce84d7d3afc94bfcc2b313ea7493e32d0e93a8e7fe632b5a9d0716cfc597d381bc061c38e6b41b064b23a58e3b56d4b0bc31b6612f25d679d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6d9592346498d441b599dfcce6d5ec22 |
| SHA1 | 811e563a0ec428a087e8a28bee35817c01a8a25a |
| SHA256 | 280cc7bea5a25178e1dc792c0835bc0615868edb5e5547d57e919f7ae0f8eb8d |
| SHA512 | 7001002362370867828cca9b4c2927b35addeea83b6c45095e2b0e92b1d2ba5aba583c6b6cdde04db8907cfbfb88004dcb5bf4e02595b49e92d9a68afc2ec480 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 9a15506313b05892742dc6a8d9f72e26 |
| SHA1 | 6a629cb273435afaebe53259662671dc7f9a2ff8 |
| SHA256 | 669d8986e0aec1a060795c44dbca6afc9db0d6431cc074e454d74be0004b8622 |
| SHA512 | d22c40300419eb67ba6415e4768865898f2991a915ab3ac733042eff4a1206ef02d635d491b8a3d750893d188c8a4f78ab1c3278abefe99e6a370761b7e34706 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ade0dc3eb676c30661bd988b99ac7118 |
| SHA1 | 6ec947ce9daacc8fb1a570f40f42f1fb817e9e5d |
| SHA256 | d87a8218cb82f510a219f2e541cf58d837b48d43db02a1bed2a6a83f7745ba06 |
| SHA512 | 28eaf26ed8ce0a6a8d8a7777c8fd262cb88d9eea861ff7961620203fc393338b5c24c128927ae99118bacf9186c0380bca64c3ab78edaed88e94960a75ee8c62 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6f1818a3181f115e175091ea9dcca653 |
| SHA1 | d6feda8f650311d24a743370c2482fe59aa37648 |
| SHA256 | 48f47906ab4319680b1a41e9aa6010831d4dea904ef8703f50399c2e448f7f9d |
| SHA512 | 87c26c12346b900d5aa04ee157ace65d3e1befcbe81076bc1e0cc74d6093f3c3d7732380420ac27d65206ad6f34ba35a6ca4a86662eb6e69492d876c382b7282 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 13481c6df2d562a225e56422d7eed33e |
| SHA1 | 39b7f27caa54d6ff2ac19446ba78a81b94f1845f |
| SHA256 | 9d220e5dc7f4d882812daf56c490c9d9528f1a2428e2671303955cb0173013ad |
| SHA512 | 7e0fe17fcb28121e120faa9d2e1fbfd9068813ae2f4d610258f31b8053fffc73aefaf86fd65404242b4df64ac3531dc969947c79f9d9152503dd203ad9b2297d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e0a71984ae9596979b03f156d3aee35c |
| SHA1 | 6621bbe7031bc82624bca0624dba19c8966cf05a |
| SHA256 | 4dad2bccbfbc163a2a91efc1903d9821112b698221355011d32429094d1ecb76 |
| SHA512 | b61d29201b958570906cd268f96d35f7a877414e09d78dc1480768188b585f0481b2106575cb8bbb644fc119a4dc3741cf62298bc66ab36ff58fddb5dbffb318 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 48924616a118175c86f50af9653c9286 |
| SHA1 | 556c25190a99f766cf6ad743a0f75ad8af8f30fd |
| SHA256 | a0dd512d3c646be65469a279138b4934b5363c3f6d7c4d44fe56677d8116d6aa |
| SHA512 | 6e2aa5b3c25502615e1a9e1308b1f5da610123a819143bef9674a73d1c11d1fe08243ca0b7168567e73aab946e38516aa576cd58f3e0f713d19d391d1f52a163 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8ad0cab0ab3156ab2d48745169c3ecf8 |
| SHA1 | bbc63599ca578fda9c39bbd2eff8f6fb6adecfb8 |
| SHA256 | ef256b5f8fcb85539bec648acfb0ed416349bbbb536ac76918c8b6b918b9414c |
| SHA512 | df4682db3c5294d633522dfceb31744c976629d14f83c155a96ffedf508ea4e71a837573807ca61e65d8d4137e4432b5a3a0a9a676bbee84b46dee3cd9ddb4a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 64329473bfe572363db3447b6cf44291 |
| SHA1 | 3b6edb584f97e7dde15f8c87c9d79febb0a3d6f6 |
| SHA256 | bb7ba17b75de15a54b0c8665f460473012f7f639e6647d76b4230962b39bffec |
| SHA512 | 77cb88a79f3fbfb7a6c854c93c884b9e32bed0236f878047606aa969c863607f34bbaa3fced525489a6c7cee1d63a15f067661d13398a6887051619629cbe17f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bd1933e9572c3345d33da3e01adb6464 |
| SHA1 | 167aaadecd5fc93fa96639454d373520073fc5b1 |
| SHA256 | 08477a3caa67cff8369f096286518a09dba66aaadd6009c96018bc6ce4bb36b2 |
| SHA512 | 9ff4f4facbe03841514aa204fda1e070c2d3e4377ecdbd69f036d2b60f48a03b36bd84efbc805fd77b6977b1c3decf809c530e5c47b289c823bda662dab43ed4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9eb8fc73ef0dc9758024e5e596be4ebe |
| SHA1 | 2519fc51ae91150a7add5fa18e8190340c7f7e84 |
| SHA256 | ee84e2a8ca13ac84fc310c34cf0c635b14f6132822564d4b95c8a590fe444bf6 |
| SHA512 | 94bafbd7b5bfe014a233d84e9ba2ec7043ef33f85e76437e5227ad1bee7d812bbd047ddd8ab898a305c8daebde775806971a1b3d40dbd1c7302ee35e8fe967d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 67ea01536a616f8b0275ab2703c8cf9e |
| SHA1 | 41abb01ef3d1163eed12cb5f8aaf0b5cba3c83d1 |
| SHA256 | 7f817ac73b3fbf3e0b61437b5f53a91d1610639b31bd1338bcdef3293f7d600f |
| SHA512 | 63eb57e0cceea08af6db4ae265fbb186955e06f27ebb214ce8978e46a46ad016382f5d59d460f5fce192241973485d4a0f62816f4df751a020707bc9d15a1f06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 21d3225e952302764f27d017aeacd1b5 |
| SHA1 | 5aced602e2d638f9247175d02e8e06244f2756b5 |
| SHA256 | 1ea1b1c1372606de8f80b11a7ea99ff672ba7ecd486b7a0ae1321f63accc24c1 |
| SHA512 | a5130493be47ae82294dac676b8838bcbb2b82146d4304e00326595b338c7700ab3b0f19839136cba4e2e542a240629794c51386735b30adb0fb2fba0934b6ab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 6bb0f6e372777f2ad60a231b0e05cf8b |
| SHA1 | 84b914d8e6222b23a4fd08cc0d25e146a3920359 |
| SHA256 | cb22876595975c40abcf58bf47f1b32350d67e94286c97ddfa2135cce01c000a |
| SHA512 | 2fcf2b2d0d6381956562048b4619fd2c702e48e5aa3eb591171838b1986766ef2c3b2073f21600448849753faa5b021ffa068bce0210b8bc291f203795a90029 |
memory/1856-1321-0x00000000009D0000-0x00000000009D1000-memory.dmp
C:\Windows\SysWOW64\Windupdt\winupdate.exe
| MD5 | c7dcd585b7e8b046f209052bcd6dd84b |
| SHA1 | 604dcfae9eed4f65c80a4a39454db409291e08fa |
| SHA256 | 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48 |
| SHA512 | c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
| MD5 | dd45df40b1d29fd248a9dd8a656dd1f7 |
| SHA1 | 3d1210cbe92b9b74668377913625c19ff7b92d47 |
| SHA256 | c46485b5e46586ef1b2ccd697bd56f7fa0c210ab14ca33c5107c5f780478ce6e |
| SHA512 | f586f4d88741e89027dde91164bddac749a3aad5966d9f693b33beda87d5926d23bc822d87519e7a41d40e26c4f839d1e9ac6327c8a1c18079405f64236bf260 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\ProgramData\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA1 | 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
| SHA512 | 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
| MD5 | c56ff60fbd601e84edd5a0ff1010d584 |
| SHA1 | 342abb130dabeacde1d8ced806d67a3aef00a749 |
| SHA256 | 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c |
| SHA512 | acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
| MD5 | e4e83f8123e9740b8aa3c3dfa77c1c04 |
| SHA1 | 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 |
| SHA256 | 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
| SHA512 | bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\15F761EE-C5B9-4A78-81C3-316D51C349CC
| MD5 | 33de8dc21fe446db4d7acd3d165996e4 |
| SHA1 | 25937ef28a927ac3e75f20f4a8b6af8a5e603c7e |
| SHA256 | c24adf0956c40eea1cb2a489ddfd5f0c00521a56abeaeaa40dd10331f049b985 |
| SHA512 | 325b18ac55cfefb031c32e5b13be1336df94703c406f824ee6ec87916a0140c16db330d0692fe8972a575cc292f411d10a9062147f3549759bb1541222c91c3a |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA1 | d4f978177394024bb4d0e5b6b972a5f72f830181 |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
| SHA512 | 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a |
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
| MD5 | 3d4e3f149f3d0cdfe76bf8b235742c97 |
| SHA1 | 0e0e34b5fd8c15547ca98027e49b1dcf37146d95 |
| SHA256 | b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a |
| SHA512 | 8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2d9f412e0b29d69d5dbe69074df02506 |
| SHA1 | 12462d49ce6eda3e6227389be6ae6bb4721747e7 |
| SHA256 | 1b39e91544b31e853da76125c406960b144b8360a82b990bfff9f9a0ed9ca0a1 |
| SHA512 | 0eae13fd9f4856c5c1d1b1d8b67a25438ebae4acd5ceccaf16cef2fe2d2921b2c2626cc8862434a38911ecf3aadbeffd6191154b36e4667d7dd5beb41242b2be |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cdfd1ceb0afbbde4067d31e14b358d26 |
| SHA1 | 140b0fda08440ba8c8f70e088029bed33afc261c |
| SHA256 | bb988df5626976ceed7a525acc37c5ca32af1d856fae653491e18e296229a350 |
| SHA512 | 6afcaff5cd4d75cfb37f1322b36ec6e11bd3099b25ae4902e760dfea18f96dfa975561984ee6f7c677907fb7ade4a21e2559100893939f35d01af4ff2f651e4f |
C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
| MD5 | fde1b01ca49aa70922404cdfcf32a643 |
| SHA1 | b0a2002c39a37a0ccaf219d42f1075471fd8b481 |
| SHA256 | 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5 |
| SHA512 | b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25 |
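The listing above is a flat sequence of paths, each followed by its `| MD5 | … |`, `| SHA1 | … |`, `| SHA256 | … |` and `| SHA512 | … |` rows, with browser and Office profile files interleaved among the dropped executables, and one entry (the crashpad named pipe) that carries the digests of zero-byte input. The following Python is an added example, not part of the report or the sandbox's own tooling: it parses that format into records, discards empty-content entries, separates routine profile writes from files worth a second look, and collects the SHA256 values suitable for a blocklist. The `NOISE_MARKERS` directories and the "anything else is review" rule are this example's own triage heuristics (an assumption), not the report's verdict on any individual file; the embedded `SAMPLE` is an excerpt copied from the listing above with rows trimmed to MD5/SHA256.

```python
"""Parse a sandbox dropped-file listing (path line, then '| ALGO | hex |' rows)
and triage the entries. Added example; the classification rules are heuristics
chosen for this example, not the report's own judgement."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Digests of zero-byte input. An entry carrying these (the crashpad pipe in the
# listing is one) has no content to hunt for and must not become an IOC.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
}

# Locations Edge and Office rewrite routinely during a detonation
# (assumption for this example; matched case-insensitively, any user name).
NOISE_MARKERS = (
    "\\appdata\\local\\microsoft\\edge\\user data\\",
    "\\appdata\\local\\microsoft\\office\\",
    "\\appdata\\local\\microsoft\\tokenbroker\\",
    "\\appdata\\roaming\\microsoft\\uproof\\",
)


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text: str) -> list:
    """Every non-row line opens a new artifact; hash rows attach to the last one."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            current = Artifact(path=line)
            artifacts.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        current.hashes[m.group(1)] = m.group(2).lower()
    return artifacts


def classify(a: Artifact) -> str:
    p = a.path.lower()
    if p.startswith("memory/"):
        return "memory_dump"
    if any(a.hashes.get(k) == v for k, v in EMPTY_DIGESTS.items()):
        return "empty"
    if any(marker in p for marker in NOISE_MARKERS):
        return "profile_noise"
    if p.endswith(".exe"):
        return "dropped_executable"
    return "review"


def sha256_iocs(artifacts: list) -> set:
    """SHA256 values of executables plus any non-noise file with real content."""
    return {a.hashes["SHA256"] for a in artifacts
            if classify(a) in ("dropped_executable", "review") and "SHA256" in a.hashes}


def write_counts(artifacts: list) -> Counter:
    """A path that recurs in the listing was written that many times."""
    return Counter(a.path for a in artifacts)


# Excerpt copied from the listing above, trimmed to MD5/SHA256 rows.
SAMPLE = r"""
memory/1856-1321-0x00000000009D0000-0x00000000009D1000-memory.dmp
\??\pipe\LOCAL\crashpad_5052_NRBQJWFKXEVPDXRD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d84971bbcd03f90dd0958124ec067602 |
| SHA256 | 0a7dba0aac1a9a148e9a099ca9f7dd8e81d751b597185b8141f2b51fb87740e1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | abe9bfa546df82dc3921c8b6c74c6668 |
| SHA256 | 0bb6b8e8e75dec48438feb8b5708727745c7bc2f519c014a4f6787466a75b764 |
C:\Windows\SysWOW64\Windupdt\winupdate.exe
| MD5 | c7dcd585b7e8b046f209052bcd6dd84b |
| SHA256 | 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48 |
C:\ProgramData\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
| MD5 | 3d4e3f149f3d0cdfe76bf8b235742c97 |
| SHA256 | b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a |
"""

if __name__ == "__main__":
    arts = parse_listing(SAMPLE)
    for a in arts:
        print(f"{classify(a):18} {a.path}")
    print(sorted(sha256_iocs(arts)))
```

Run against the full listing, the same parser yields the repeated `Preferences`, `Local State` and `TransportSecurity` writes as profile noise and leaves a short set of paths outside those directories for manual review; anything that lands in the `review` bucket still needs a human decision before its hash is blocklisted, since a benign file written to an unusual path would land there too.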